diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall
deleted file mode 100755
index dc6cdd5aa..000000000
--- a/Lrp/etc/init.d/shorewall
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/sh
-RCDLINKS="2,S41 3,S41 6,K41"
-#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
-#
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
-#
-# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
-#
-# On most distributions, this file should be called /etc/init.d/shorewall.
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-#
-# Commands are:
-#
-# shorewall start Starts the firewall
-# shorewall restart Restarts the firewall
-# shorewall stop Stops the firewall
-# shorewall status Displays firewall status
-#
-#### BEGIN INIT INFO
-# Provides: shorewall
-# Required-Start: $network
-# Required-Stop:
-# Default-Start: 2 3 5
-# Default-Stop: 0 1 6
-# Description: starts and stops the shorewall firewall
-### END INIT INFO
-
-# chkconfig: 2345 25 90
-# description: Packet filtering firewall
-#
-
-################################################################################
-# Give Usage Information #
-################################################################################
-usage() {
- echo "Usage: $0 start|stop|restart|status"
- exit 1
-}
-
-################################################################################
-# E X E C U T I O N B E G I N S H E R E #
-################################################################################
-command="$1"
-
-case "$command" in
-
- stop|start|restart|status)
-
- exec /sbin/shorewall $@
- ;;
- *)
-
- usage
- ;;
-
-esac
diff --git a/Lrp/etc/shorewall/accounting b/Lrp/etc/shorewall/accounting
deleted file mode 100755
index a0d352255..000000000
--- a/Lrp/etc/shorewall/accounting
+++ /dev/null
@@ -1,73 +0,0 @@
-#
-# Shorewall version 2.0 - Accounting File
-#
-# /etc/shorewall/accounting
-#
-# Accounting rules exist simply to count packets and bytes in categories
-# that you define in this file. You may display these rules and their
-# packet and byte counters using the "shorewall show accounting" command.
-#
-# Please see http://shorewall.net/Accounting.html for examples and
-# additional information about how to use this file.
-#
-#
-# Columns are:
-#
-# ACTION - What to do when a match is found.
-#
-# COUNT - Simply count the match and continue
-# with the next rule
-# DONE - Count the match and don't attempt
-# to match any other accounting rules
-# in the chain specified in the CHAIN
-# column.
-# [:COUNT]
-# - Where is the name of
-# a chain. Shorewall will create
-# the chain automatically if it
-# doesn't already exist. Causes
-# a jump to that chain. If :COUNT
-# is including, a counting rule
-# matching this record will be
-# added to
-#
-# CHAIN - The name of a chain. If specified as "-" the
-# 'accounting' chain is assumed. This is the chain
-# where the accounting rule is added. The chain will
-# be created if it doesn't already exist.
-#
-# SOURCE - Packet Source
-#
-# The name of an interface, an address (host or net) or
-# an interface name followed by ":"
-# and a host or net address.
-#
-# DESTINATION - Packet Destination
-#
-# Format the same as the SOURCE column.
-#
-# PROTOCOL A protocol name (from /etc/protocols), a protocol
-# number.
-#
-# DEST PORT Destination Port number
-#
-# Service name from /etc/services or port number. May
-# only be specified if the protocol is TCP or UDP (6
-# or 17).
-#
-# SOURCE PORT Source Port number
-#
-# Service name from /etc/services or port number. May
-# only be specified if the protocol is TCP or UDP (6
-# or 17).
-#
-# In all of the above columns except ACTION and CHAIN, the values "-",
-# "any" and "all" may be used as wildcards
-#
-# Please see http://shorewall.net/Accounting.html for examples and
-# additional information about how to use this file.
-#
-#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
-# PORT PORT
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/action.template b/Lrp/etc/shorewall/action.template
deleted file mode 100644
index b54419b65..000000000
--- a/Lrp/etc/shorewall/action.template
+++ /dev/null
@@ -1,131 +0,0 @@
-#
-# Shorewall 1.4 /etc/shorewall/action.template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action. where is an
-# ACTION defined in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.
-# 3. Add the desired rules to that file.
-#
-# Columns are:
-#
-#
-# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
-# previously-defined
-#
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as p2pwall.
-# -- An defined in
-# /etc/shorewall/actions. The
-# must appear in that file BEFORE the
-# one being defined in this file.
-#
-# The TARGET may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# ACCEPT:debugging). This causes the packet to be
-# logged at the specified level.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# SOURCE Source hosts to which the rule applies.
-# A comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# 192.168.2.2 Host 192.168.2.2
-#
-# 155.186.235.0/24 Subnet 155.186.235.0/24
-#
-# 192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2.
-# ~00-A0-C9-15-39-78 Host with
-# MAC address 00:A0:C9:15:39:78.
-#
-# Alternatively, clients may be specified by interface
-# name. For example, eth1 specifies a
-# client that communicates with the firewall system
-# through eth1.
This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., eth1:192.168.1.5).
-#
-# DEST Location of Server. Same as above with the exception that
-# MAC addresses are not allowed.
-#
-# Unlike in the SOURCE column, you may specify a range of
-# up to 256 IP addresses using the syntax
-# -.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
-# "all".
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this column:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# If you place a rate limit in this column, you may not
-# place a similar limit in the TARGET column.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/actions b/Lrp/etc/shorewall/actions
deleted file mode 100644
index 9f6bca91f..000000000
--- a/Lrp/etc/shorewall/actions
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Shorewall 2.1 /etc/shorewall/actions
-#
-# This file allows you to define new ACTIONS for use in rules
-# (/etc/shorewall/rules). You define the iptables rules to
-# be performed in an ACTION in
-# /etc/shorewall/action..
-#
-# ACTION names should begin with an upper-case letter to
-# distinguish them from Shorewall-generated chain names and
-# they must need the requirements of a Netfilter chain. If
-# you intend to log from the action then the name must be
-# no longer than 11 character in length. Names must also
-# meet the requirements for a Bourne Shell identifier (must
-# begin with a letter and be composed of letters, digits and
-# underscore characters).
-#
-# If you follow the action name with ":DROP", ":REJECT" or
-# :ACCEPT then the action will be taken before a DROP, REJECT or
-# ACCEPT policy respectively is enforced. If you specify ":DROP",
-# ":REJECT" or ":ACCEPT" on more than one action then only the
-# last such action will be taken.
-#
-# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
-# itself, the associated policy will have no common action.
-#
-#ACTION
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/blacklist b/Lrp/etc/shorewall/blacklist
deleted file mode 100644
index 063724daa..000000000
--- a/Lrp/etc/shorewall/blacklist
+++ /dev/null
@@ -1,43 +0,0 @@
-#
-# Shorewall 2.0 -- Blacklist File
-#
-# /etc/shorewall/blacklist
-#
-# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
-#
-# Columns are:
-#
-# ADDRESS/SUBNET - Host address, subnetwork or MAC address
-#
-# MAC addresses must be prefixed with "~" and use "-"
-# as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# PROTOCOL - Optional. If specified, must be a protocol number
-# or a protocol name from /etc/protocols.
-#
-# PORTS - Optional. May only be specified if the protocol
-# is TCP (6) or UDP (17). A comma-separated list
-# of port numbers or service names from /etc/services.
-#
-# When a packet arrives on in interface that has the 'blacklist' option
-# specified, its source IP address is checked against this file and disposed of
-# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
-# /etc/shorewall/shorewall.conf
-#
-# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
-# the protocol (and one of the ports if PORTS supplied) are blocked.
-#
-# Example:
-#
-# To block DNS queries from address 192.0.2.126:
-#
-# ADDRESS/SUBNET PROTOCOL PORT
-# 192.0.2.126 udp 53
-#
-###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
diff --git a/Lrp/etc/shorewall/ecn b/Lrp/etc/shorewall/ecn
deleted file mode 100644
index 644a63500..000000000
--- a/Lrp/etc/shorewall/ecn
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Shorewall 2.0 - /etc/shorewall/ecn
-#
-# Use this file to list the destinations for which you want to
-# disable ECN.
-#
-# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
-# you also need the patch found at http://www.shorewall.net/ecn/patch.
-# That patch is included in kernels 2.4.21 and later.
-#
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
-##############################################################################
-#INTERFACE HOST(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/hosts b/Lrp/etc/shorewall/hosts
deleted file mode 100644
index 49e322adb..000000000
--- a/Lrp/etc/shorewall/hosts
+++ /dev/null
@@ -1,128 +0,0 @@
-#
-# Shorewall 2.0 - /etc/shorewall/hosts
-#
-# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
-# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
-#
-# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
-#------------------------------------------------------------------------------
-# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
-# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
-# ZONE AND INTERFACE IN THIS FILE.
-#------------------------------------------------------------------------------
-# This file is used to define zones in terms of subnets and/or
-# individual IP addresses. Most simple setups don't need to
-# (should not) place anything in this file.
-#
-# The order of entries in this file is not significant in
-# determining zone composition. Rather, the order that the zones
-# are defined in /etc/shorewall/zones determines the order in
-# which the records in this file are interpreted.
-#
-# ZONE - The name of a zone defined in /etc/shorewall/zones
-#
-# HOST(S) - The name of an interface defined in the
-# /etc/shorewall/interfaces file followed by a colon (":") and
-# a comma-separated list whose elements are either:
-#
-# a) The IP address of a host
-# b) A subnetwork in the form
-# /
-# c) A physical port name; only allowed when the
-# interface names a bridge created by the
-# brctl addbr command. This port must not
-# be defined in /etc/shorewall/interfaces and may
-# optionally followed by a colon (":") and a
-# host or network IP.
-# See http://www.shorewall.net/Bridge.html for details.
-#
-# Examples:
-#
-# eth1:192.168.1.3
-# eth2:192.168.2.0/24
-# eth3:192.168.2.0/24,192.168.3.1
-# br0:eth4
-# br0:eth0:192.168.1.16/28
-#
-# OPTIONS - A comma-separated list of options. Currently-defined
-# options are:
-#
-# maclist - Connection requests from these hosts
-# are compared against the contents of
-# /etc/shorewall/maclist.
If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# routeback - Shorewall should set up the infrastructure
-# to pass packets from this/these
-# address(es) back to themselves. This is
-# necessary if hosts in this group use the
-# services of a transparent proxy that is
-# a member of the group or if DNAT is used
-# to send requests originating from this
-# group to a server in the group.
-#
-# norfc1918 - This option only makes sense for ports
-# on a bridge.
-#
-# The port should not accept
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# nobogons - This option only makes sense for ports
-# on a bridge.
-#
-# This port should not accept
-# any packets whose source is in one
-# of the ranges reserved by IANA (this
-# option does not cover those ranges
-# reserved by RFC 1918 -- see
-# 'norfc1918' above).
-#
-# blacklist - This option only makes sense for ports
-# on a bridge.
-#
-# Check packets arriving on this port
-# against the /etc/shorewall/blacklist
-# file.
-#
-# tcpflags - Packets arriving from these hosts are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# nosmurfs - This option only makes sense for ports
-# on a bridge.
-#
-# Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from these hosts, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-#ZONE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/icmp.def b/Lrp/etc/shorewall/icmp.def
deleted file mode 100644
index b6b39510b..000000000
--- a/Lrp/etc/shorewall/icmp.def
+++ /dev/null
@@ -1,6 +0,0 @@
-##############################################################################
-# Shorewall 1.3 /etc/shorewall/icmp.def
-#
-# This file is obsolete and is included for compatibility with existing
-# icmpdef extension scripts that source it.
-#
diff --git a/Lrp/etc/shorewall/init b/Lrp/etc/shorewall/init
deleted file mode 100644
index cdd21c79b..000000000
--- a/Lrp/etc/shorewall/init
+++ /dev/null
@@ -1,6 +0,0 @@
-############################################################################
-# Shorewall 2.0 -- /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
-#
diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces
deleted file mode 100644
index 8397e28a6..000000000
--- a/Lrp/etc/shorewall/interfaces
+++ /dev/null
@@ -1,195 +0,0 @@
-#
-# Shorewall 2.0 -- Interfaces File
-#
-# /etc/shorewall/interfaces
-#
-# You must add an entry in this file for each network interface on your
-# firewall system.
-#
-# Columns are:
-#
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
-#
-# If the interface serves multiple zones that will be
-# defined in the /etc/shorewall/hosts file, you should
-# place "-" in this column.
-#
-# INTERFACE Name of interface. Each interface may be listed only
-# once in this file. You may NOT specify the name of
-# an alias (e.g., eth0:0) here; see
-# http://www.shorewall.net/FAQ.htm#faq18
-#
-# You may specify wildcards here. For example, if you
-# want to make an entry that applies to all PPP
-# interfaces, use 'ppp+'.
-#
-# There is no need to define the loopback interface (lo)
-# in this file.
-#
-# BROADCAST The broadcast address for the subnetwork to which the
-# interface belongs. For P-T-P interfaces, this
-# column is left blank.If the interface has multiple
-# addresses on multiple subnets then list the broadcast
-# addresses as a comma-separated list.
-#
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
-# select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
-#
-# If you don't want to give a value for this column but
-# you want to enter a value in the OPTIONS column, enter
-# "-" in this column.
-#
-# OPTIONS A comma-separated list of options including the
-# following:
-#
-# dhcp - Specify this option when any of
-# the following are true:
-# 1. the interface gets its IP address
-# via DHCP
-# 2. the interface is used by
-# a DHCP server running on the firewall
-# 3. you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP
-# clients.
-# 4. the interface is a bridge with
-# a DHCP server on one port and DHCP
-# clients on another port.
-#
-# norfc1918 - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# nobogons - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by IANA (this
-# option does not cover those ranges
-# reserved by RFC 1918 -- see above).
-#
-# routefilter - turn on kernel route filtering for this
-# interface (anti-spoofing measure). This
-# option can also be enabled globally in
-# the /etc/shorewall/shorewall.conf file.
-#
-# . . blacklist - Check packets arriving on this interface
-# against the /etc/shorewall/blacklist
-# file.
-#
-# maclist - Connection requests from this interface
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# tcpflags - Packets arriving on this interface are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# proxyarp -
-# Sets
-# /proc/sys/net/ipv4/conf//proxy_arp.
-# Do NOT use this option if you are
-# employing Proxy ARP through entries in
-# /etc/shorewall/proxyarp. This option is
-# intended soley for use with Proxy ARP
-# sub-networking as described at:
-# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf.
In other
-# words, packets coming in on this interface
-# are processed as if NEWNOTSYN=Yes had been
-# specified in /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
-# should include rules that allow filtering
-# traffic arriving on this interface back
-# out that same interface.
-#
-# arp_filter - If specified, this interface will only
-# respond to ARP who-has requests for IP
-# addresses configured on the interface.
-# If not specified, the interface can
-# respond to ARP who-has requests for
-# IP addresses on any of the firewall's
-# interface. The interface must be up
-# when Shorewall is started.
-#
-# nosmurfs - Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# detectnets - Automatically taylors the zone named
-# in the ZONE column to include only those
-# hosts routed through the interface.
-#
-# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE.
-#
-# The order in which you list the options is not
-# significant but the list should have no embedded white
-# space.
-#
-# Example 1: Suppose you have eth0 connected to a DSL modem and
-# eth1 connected to your local network and that your
-# local subnet is 192.168.1.0/24. The interface gets
-# it's IP address via DHCP from subnet
-# 206.191.149.192/27. You have a DMZ with subnet
-# 192.168.2.0/24 using eth2.
-#
-# Your entries for this setup would look like:
-#
-# net eth0 206.191.149.223 dhcp
-# local eth1 192.168.1.255
-# dmz eth2 192.168.2.255
-#
-# Example 2: The same configuration without specifying broadcast
-# addresses is:
-#
-# net eth0 detect dhcp
-# loc eth1 detect
-# dmz eth2 detect
-#
-# Example 3: You have a simple dial-in system with no ethernet
-# connections.
-#
-# net ppp0 -
-##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect dhcp,routefilter,norfc1918
-loc eth1 detect
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/maclist b/Lrp/etc/shorewall/maclist
deleted file mode 100644
index 3374fd83c..000000000
--- a/Lrp/etc/shorewall/maclist
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Shorewall 2.0 - MAC list file
-#
-# /etc/shorewall/maclist
-#
-# Columns are:
-#
-# INTERFACE Network interface to a host. If the interface
-# names a bridge, it may be optionally followed by
-# a colon (":") and a physical port name (e.g.,
-# br0:eth4).
-#
-# MAC MAC address of the host -- you do not need to use
-# the Shorewall format for MAC addresses here
-#
-# IP ADDRESSES Optional -- if specified, both the MAC and IP address
-# must match. This column can contain a comma-separated
-# list of host and/or subnet addresses.
-##############################################################################
-#INTERFACE MAC IP ADDRESSES (Optional)
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/masq b/Lrp/etc/shorewall/masq
deleted file mode 100644
index e00044725..000000000
--- a/Lrp/etc/shorewall/masq
+++ /dev/null
@@ -1,141 +0,0 @@
-#
-# Shorewall 2.0 - Masquerade file
-#
-# /etc/shorewall/masq
-#
-# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
-# (SNAT).
-#
-# Columns are:
-#
-# INTERFACE -- Outgoing interface. This is usually your internet
-# interface. If ADD_SNAT_ALIASES=Yes in
-# /etc/shorewall/shorewall.conf, you may add ":" and
-# a digit to indicate that you want the alias added with
-# that name (e.g., eth0:0). This will allow the alias to
-# be displayed with ifconfig. THAT IS THE ONLY USE FOR
-# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
-# PLACE IN YOUR SHOREWALL CONFIGURATION.
-#
-# This may be qualified by adding the character
-# ":" followed by a destination host or subnet.
-#
-#
-# SUBNET -- Subnet that you wish to masquerade. You can specify this as
-# a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
-#
-# In order to exclude a subset of the specified SUBNET, you
-# may append "!" and a comma-separated list of IP addresses
-# and/or subnets that you wish to exclude.
-#
-# Example: eth1!192.168.1.4,192.168.32.0/27
-#
-# In that example traffic from eth1 would be masqueraded unless
-# it came from 192.168.1.4 or 196.168.32.0/27
-#
-# ADDRESS -- (Optional). If you specify an address here, SNAT will be
-# used and this will be the source address. If
-# ADD_SNAT_ALIASES is set to Yes or yes in
-# /etc/shorewall/shorewall.conf then Shorewall
-# will automatically add this address to the
-# INTERFACE named in the first column.
-#
-# If you have set ADD_SNAT_ALIASES=Yes in
-# /etc/shorewall/shorewall.conf then DO NOT
-# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
-# ADDRESS IN THIS COLUMN -- If you do so, you
-# will loose your default route when Shorewall
-# starts.
-#
-# You may also specify a range of up to 256
-# IP addresses if you want the SNAT address to
-# be assigned from that range in a round-robin
-# range by connection. The range is specified by
-# -.
-#
-# Example: 206.124.146.177-206.124.146.180
-#
-# Finally, you may also specify a comma-separated
-# list of ranges and/or addresses in this column.
-#
-# This column may not contain DNS Names.
-#
-# If you want to leave this column empty
-# but you need to specify the next column then
-# place a hyphen ("-") here.
-#
-# PROTO -- (Optional) If you wish to restrict this entry to a
-# particular protocol then enter the protocol
-# name (from /etc/protocols) or number here.
-#
-# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
-# or UDP (protocol 17) then you may list one
-# or more port numbers (or names from
-# /etc/services) separated by commas or you
-# may list a single port range
-# (:).
-#
-# Where a comma-separated list is given, your
-# kernel and iptables must have multiport match
-# support and a maximum of 15 ports may be
-# listed.
-#
-#
-# Example 1:
-#
-# You have a simple masquerading setup where eth0 connects to
-# a DSL or cable modem and eth1 connects to your local network
-# with subnet 192.168.0.0/24.
-#
-# Your entry in the file can be either:
-#
-# eth0 eth1
-#
-# or
-#
-# eth0 192.168.0.0/24
-#
-# Example 2:
-#
-# You add a router to your local network to connect subnet
-# 192.168.1.0/24 which you also want to masquerade. You then
-# add a second entry for eth0 to this file:
-#
-# eth0 192.168.1.0/24
-#
-# Example 3:
-#
-# You have an IPSEC tunnel through ipsec0 and you want to
-# masquerade packets coming from 192.168.1.0/24 but only if
-# these packets are destined for hosts in 10.1.1.0/24:
-#
-# ipsec0:10.1.1.0/24 196.168.1.0/24
-#
-# Example 4:
-#
-# You want all outgoing traffic from 192.168.1.0/24 through
-# eth0 to use source address 206.124.146.176 which is NOT the
-# primary address of eth0.
You want 206.124.146.176 added to
-# be added to eth0 with name eth0:0.
-#
-# eth0:0 192.168.1.0/24 206.124.146.176
-#
-# Example 5:
-#
-# You want all outgoing SMTP traffic entering the firewall
-# on eth1 to be sent from eth0 with source IP address
-# 206.124.146.177. You want all other outgoing traffic
-# from eth1 to be sent from eth0 with source IP address
-# 206.124.146.176.
-#
-# eth0 eth1 206.124.146.177 tcp smtp
-# eth0 eth1 206.124.146.176
-#
-# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
-#
-###############################################################################
-#INTERFACE SUBNET ADDRESS PROTO PORT(S)
-eth0 eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/modules b/Lrp/etc/shorewall/modules
deleted file mode 100644
index 6621f36b3..000000000
--- a/Lrp/etc/shorewall/modules
+++ /dev/null
@@ -1,21 +0,0 @@
-##############################################################################
-# Shorewall 2.0 /etc/shorewall/modules
-#
-# This file loads the modules needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1 before
-# you load M2.
-#
-
- loadmodule ip_tables
- loadmodule iptable_filter
- loadmodule ip_conntrack
- loadmodule ip_conntrack_ftp
- loadmodule ip_conntrack_tftp
- loadmodule ip_conntrack_irc
- loadmodule iptable_nat
- loadmodule ip_nat_ftp
- loadmodule ip_nat_tftp
- loadmodule ip_nat_irc
-
diff --git a/Lrp/etc/shorewall/nat b/Lrp/etc/shorewall/nat
deleted file mode 100644
index dbd44c4f0..000000000
--- a/Lrp/etc/shorewall/nat
+++ /dev/null
@@ -1,37 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.0 -- Network Address Translation Table
-#
-# /etc/shorewall/nat
-#
-# This file is used to define one-to-one Network Address Translation
-# (NAT).
-#
-# WARNING: If all you want to do is simple port forwarding, do NOT use this
-# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
-# cases, Proxy ARP is a better solution that one-to-one NAT.
-#
-# Columns must be separated by white space and are:
-#
-# EXTERNAL External IP Address - this should NOT be the primary
-# IP address of the interface named in the next
-# column and must not be a DNS Name.
-# INTERFACE Interface that you want to EXTERNAL address to appear
-# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
-# follow the interface name with ":" and a digit to
-# indicate that you want Shorewall to add the alias
-# with this name (e.g., "eth0:0"). That allows you to
-# see the alias with ifconfig. THAT IS THE ONLY THING
-# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
-# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
-# INTERNAL Internal Address (must not be a DNS Name).
-# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
-# If No or no (or left empty) then NAT will be effective
-# only through the interface named in the INTERFACE
-# column
-# LOCAL If Yes or yes, NAT will be effective from the firewall
-# system
-##############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
-# INTERFACES
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/params b/Lrp/etc/shorewall/params
deleted file mode 100644
index 5873bf90a..000000000
--- a/Lrp/etc/shorewall/params
+++ /dev/null
@@ -1,25 +0,0 @@ -# -# Shorewall 2.0 /etc/shorewall/params -# -# Assign any variables that you need here. -# -# It is suggested that variable names begin with an upper case letter -# to distinguish them from variables used internally within the -# Shorewall programs -# -# Example: -# -# NET_IF=eth0 -# NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter,norfc1918 -# -# Example (/etc/shorewall/interfaces record): -# -# net $NET_IF $NET_BCAST $NET_OPTIONS -# -# The result will be the same as if the record had been written -# -# net eth0 130.252.100.255 routefilter,norfc1918 -# -############################################################################## -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Lrp/etc/shorewall/policy b/Lrp/etc/shorewall/policy deleted file mode 100644 index 9a62ef3ab..000000000 --- a/Lrp/etc/shorewall/policy +++ /dev/null 
@@ -1,89 +0,0 @@ -# -# Shorewall 2.0 -- Policy File -# -# /etc/shorewall/policy -# -# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT -# -# This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file . For each -# source/destination pair, the file is processed in order until a -# match is found ("all" will match any client or server). -# -# Columns are: -# -# SOURCE Source zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all". -# -# DEST Destination zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all" -# -# POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". -# -# ACCEPT - Accept the connection -# DROP - Ignore the connection request -# REJECT - For TCP, send RST. For all other, send -# "port unreachable" ICMP. -# CONTINUE - Pass the connection request past -# any other rules that it might also -# match (where the source or destination -# zone in those rules is a superset of -# the SOURCE or DEST in this policy). -# NONE - Assume that there will never be any -# packets from this SOURCE -# to this DEST. Shorewall will not set up -# any infrastructure to handle such -# packets and you may not have any rules -# with this SOURCE and DEST in the -# /etc/shorewall/rules file. If such a -# packet _is_ received, the result is -# undefined. NONE may not be used if the -# SOURCE or DEST columns contain the -# firewall zone ($FW) or "all". -# -# If this column contains ACCEPT, DROP or REJECT and a -# corresponding common action is defined in -# /etc/shorewall/actions (or /usr/share/shorewall/actions.std) -# then that action will be invoked before the policy named in -# this column is inforced. -# -# LOG LEVEL If supplied, each connection handled under the default -# POLICY is logged at that level. If not supplied, no -# log message is generated. 
See syslog.conf(5) for a -# description of log levels. -# -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case). This will -# log to the ULOG target and sent to a separate log -# through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# If you don't want to log but need to specify the -# following column, place "-" here. -# -# LIMIT:BURST If passed, specifies the maximum TCP connection rate -# and the size of an acceptable burst. If not specified, -# TCP connections are not limited. -# -# As shipped, the default policies are: -# -# a) All connections from the local network to the internet are allowed -# b) All connections from the internet are ignored but logged at syslog -# level KERNEL.INFO. -# d) All other connection requests are rejected and logged at level -# KERNEL.INFO. -############################################################################### -#SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL -loc net ACCEPT -net all DROP ULOG -# If you want open access to the Internet from your Firewall -# remove the comment from the following line. -#fw net ACCEPT - -# -# THE FOLLOWING POLICY MUST BE LAST -# -all all REJECT ULOG -#LAST LINE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/proxyarp b/Lrp/etc/shorewall/proxyarp deleted file mode 100644 index b21a4f432..000000000 --- a/Lrp/etc/shorewall/proxyarp +++ /dev/null 
@@ -1,44 +0,0 @@ -############################################################################## -# -# Shorewall 2.0 -- Proxy ARP -# -# /etc/shorewall/proxyarp -# -# This file is used to define Proxy ARP. -# -# Columns must be separated by white space and are: -# -# ADDRESS IP Address -# -# INTERFACE Local interface where system is connected. If the -# local interface is obvious from the subnetting, -# you may enter "-" in this column. -# -# EXTERNAL External Interface to be used to access this system -# -# HAVEROUTE If there is already a route from the firewall to -# the host whose address is given, enter "Yes" or "yes" -# in this column. Otherwise, entry "no", "No" or leave -# the column empty and Shorewall will add the route for -# you. If Shorewall adds the route,the route will be -# persistent if the PERSISTENT column contains Yes; -# otherwise, "shorewall stop" or "shorewall clear" will -# delete the route. -# -# PERSISTENT If HAVEROUTE is No or "no", then the value of this -# column determines if the route added by Shorewall -# persists after a "shorewall stop" or a "shorewall -# clear". If this column contains "Yes" or "yes" then -# the route persists; If the column is empty or contains -# "No"or "no" then the route is deleted at "shorewall -# stop" or "shorewall clear". -# -# Example: Host with IP 155.186.235.6 is connected to -# interface eth1 and we want hosts attached via eth0 -# to be able to access it using that address. -# -# #ADDRESS INTERFACE EXTERNAL -# 155.186.235.6 eth1 eth0 -############################################################################## -#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/routestopped b/Lrp/etc/shorewall/routestopped deleted file mode 100644 index 8d5a0b41c..000000000 --- a/Lrp/etc/shorewall/routestopped +++ /dev/null 
@@ -1,31 +0,0 @@ -############################################################################## -# -# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped -# -# /etc/shorewall/routestopped -# -# This file is used to define the hosts that are accessible when the -# firewall is stopped -# -# Columns must be separated by white space and are: -# -# INTERFACE - Interface through which host(s) communicate with -# the firewall -# HOST(S) - (Optional) Comma-separated list of IP/subnet -# If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. -# OPTIONS - (Optional) A comma-separated list of -# options. The currently-supported options are: -# -# routeback - Set up a rule to ACCEPT traffic from -# these hosts back to themselves. -# -# Example: -# -# INTERFACE HOST(S) OPTIONS -# eth2 192.168.1.0/24 -# eth0 192.0.2.44 -# br0 - routeback -############################################################################## -#INTERFACE HOST(S) OPTIONS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules deleted file mode 100644 index ec70e947f..000000000 --- a/Lrp/etc/shorewall/rules +++ /dev/null 
@@ -1,335 +0,0 @@ -# -# Shorewall version 2.0 - Rules File -# -# /etc/shorewall/rules -# -# Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. For any -# particular (source,dest) pair of zones, the rules are evaluated in the -# order in which they appear in this file and the first match is the one -# that determines the disposition of the request. -# -# In most places where an IP address or subnet is allowed, you -# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to -# indicate that the rule matches all addresses except the address/subnet -# given. Notice that no white space is permitted between "!" and the -# address/subnet. -#------------------------------------------------------------------------------ -# WARNING: If you masquerade or use SNAT from a local system to the internet, -# you cannot use an ACCEPT rule to allow traffic from the internet to -# that system. You *must* use a DNAT rule instead. -#-------------------------------------------------------------------------------# -# Columns are: -# -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, -# LOG, QUEUE or an . -# -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the -# connection from any subsequent -# DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any -# subsequent DNAT[-] or REDIRECT[-] -# rules but doesn't generate a rule -# to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# REDIRECT- -# -- Advanced users only. 
-# Like REDIRET but only generates the -# REDIRECT iptables rule and not -# the companion ACCEPT rule. -# -# CONTINUE -- (For experts only). Do not process -# any of the following rules for this -# (source zone,destination zone). If -# The source and/or destination IP -# address falls into a zone defined -# later in /etc/shorewall/zones, this -# connection request will be passed -# to the rules defined for that -# (those) zone(s). -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as ftwall -# (http://p2pwall.sf.net). -# -- The name of an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std. -# -# The ACTION may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# DNAT:debug). This causes the packet to be -# logged at the specified level. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, or "all" If the ACTION is DNAT or -# REDIRECT, sub-zones of the specified zone may be -# excluded from the rule by following the zone name with -# "!' and a comma-separated list of sub-zone names. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add -# separate rules to handle that traffic. 
-# -# Except when "all" is specified, clients may be further -# restricted to a list of subnets and/or hosts by -# appending ":" and a comma-separated list of subnets -# and/or hosts. Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. -# -# Alternatively, clients may be specified by interface -# by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a -# client that communicates with the firewall system -# through eth1. This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones, $FW to indicate the firewall -# itself or "all" -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add -# separate rules to handle that traffic. -# -# Except when "all" is specified, the server may be -# further restricted to a particular subnet, host or -# interface by appending ":" and the subnet, host or -# interface. See above. -# -# Restrictions: -# -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3. You may not specify both an interface and -# an address. -# -# Unlike in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. When the ACTION is DNAT or DNAT-, -# the connections will be assigned to addresses in the -# range in a round-robin fashion. 
-# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. A destination port may only be -# included if the ACTION is DNAT or REDIRECT. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the ACTION is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or -# "all". -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then place -# "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. 
No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or -# REDIRECT[-]) If included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. -# -# A comma-separated list of addresses may also be used. -# This is usually most useful with the REDIRECT target -# where you want to redirect traffic destined for -# particular set of hosts. -# -# Finally, if the list of addresses begins with "!" then -# the rule will be followed only if the original -# destination address in the connection request does not -# match any of the addresses listed. -# -# The address (list) may optionally be followed by -# a colon (":") and a second IP address. This causes -# Shorewall to use the second IP address as the source -# address in forwarded packets. See the Shorewall -# documentation for restrictions concerning this feature. -# If no source IP address is given, the original source -# address is not altered. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). 
-# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# -# Example: Accept SMTP requests from the DMZ to the internet -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT dmz net tcp smtp -# -# Example: Forward all ssh and http connection requests from the internet -# to local system 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp ssh,http -# -# Example: Forward all http connection requests from the internet -# to local system 192.168.1.3 with a limit of 3 per second and -# a maximum burst of 10 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT<3/sec:10> net loc:192.168.1.3 tcp http -# -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 -# -# Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 -# -# Example: You want to accept SSH connections to your firewall only -# from internet IP addresses 130.252.100.69 and 130.252.100.70 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT net:130.252.100.69,130.252.100.70 fw \ -# tcp 22 -#################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP -# PORT PORT(S) DEST LIMIT -# Accept DNS connections from the firewall to the network -# -ACCEPT fw net tcp 
53 -ACCEPT fw net udp 53 -# Accept SSH connections from the local network for administration -# -ACCEPT loc fw tcp 22 -# Allow Ping To And From Firewall -# -ACCEPT loc fw icmp 8 -ACCEPT net fw icmp 8 -ACCEPT fw loc icmp 8 -ACCEPT fw net icmp 8 -# -# Bering specific rules: -# allow loc to fw udp/53 for local/caching DNS servers to work -# allow loc to fw tcp/80 for weblet to work -# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work -ACCEPT loc fw udp 53 -ACCEPT loc fw tcp 80 -ACCEPT loc fw udp 67,68 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf deleted file mode 100644 index c11134f14..000000000 --- a/Lrp/etc/shorewall/shorewall.conf +++ /dev/null 
@@ -1,695 +0,0 @@ -############################################################################## -# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to -# match your setup -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) -############################################################################## -# L O G G I N G -############################################################################## -# -# General note about log levels. Log levels are a method of describing -# to syslog (8) the importance of a message and a number of parameters -# in this file have log levels as their value. -# -# Valid levels are: -# -# 7 debug -# 6 info -# 5 notice -# 4 warning -# 3 err -# 2 crit -# 1 alert -# 0 emerg -# -# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall -# log messages are generated by NetFilter and are logged using facility -# 'kern' and the level that you specifify. If you are unsure of the level -# to choose, 6 (info) is a safe bet. You may specify levels by name or by -# number. -# -# If you have built your kernel with ULOG target support, you may also -# specify a log level of ULOG (must be all caps). Rather than log its -# messages to syslogd, Shorewall will direct netfilter to log the messages -# via the ULOG target which will send them to a process called 'ulogd'. -# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be -# configured to log all Shorewall message to their own log file -################################################################################ -# -# LOG FILE LOCATION -# -# This variable tells the /sbin/shorewall program where to look for Shorewall -# log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. 
-# -# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see -# -# http://www.shorewall.net/shorewall_logging.html - -LOGFILE=/var/log/shorewall.log - -# -# LOG FORMAT -# -# Shell 'printf' Formatting template for the --log-prefix value in log messages -# generated by Shorewall to identify Shorewall log messages. The supplied -# template is expected to accept either two or three arguments; the first is -# the chain name, the second (optional) is the logging rule number within that -# chain and the third is the ACTION specifying the disposition of the packet -# being logged. You must use the %d formatting type for the rule number; if your -# template does not contain %d then the rule number will not be included. -# -# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: -# -# LOGFORMAT="fp=%s:%d a=%s " -# -# If not specified or specified as empty (LOGFORMAT="") then the value -# "Shorewall:%s:%s:" is assumed. -# -# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up -# to but not including the first '%') to find log messages in the 'show log', -# 'status' and 'hits' commands. This part should not be omitted (the -# LOGFORMAT should not begin with "%") and the leading part should be -# sufficiently unique for /sbin/shorewall to identify Shorewall messages. - -LOGFORMAT="Shorewall:%s:%s:" - -# -# LOG RATE LIMITING -# -# The next two variables can be used to control the amount of log output -# generated. LOGRATE is expressed as a number followed by an optional -# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum -# rate at which a particular message will occur. LOGBURST determines the -# maximum initial burst size that will be logged. If set empty, the default -# value of 5 will be used. 
-# -# If BOTH variables are set empty then logging will not be rate-limited. -# -# Example: -# -# LOGRATE=10/minute -# LOGBURST=5 -# -# For each logging rule, the first time the rule is reached, the packet -# will be logged; in fact, since the burst is 5, the first five packets -# will be logged. After this, it will be 6 seconds (1 minute divided by -# the rate of 10) before a message will be logged from the rule, regardless -# of how many packets reach it. Also, every 6 seconds which passes without -# matching a packet, one of the bursts will be regained; if no packets hit -# the rule for 30 seconds, the burst will be fully recharged; back where -# we started. -# - -LOGRATE= -LOGBURST= - -# -# BLACKLIST LOG LEVEL -# -# Set this variable to the syslogd level that you want blacklist packets logged -# (beware of DOS attacks resulting from such logging). If not set, no logging -# of blacklist packets occurs. -# -# See the comment at the top of this section for a description of log levels -# -BLACKLIST_LOGLEVEL= - -# -# LOGGING 'New not SYN' rejects -# -# This variable only has an effect when NEWNOTSYN=No (see below). -# -# When a TCP packet that does not have the SYN flag set and the ACK and RST -# flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, -# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. -# -# See the comment at the top of this section for a description of log levels -# -# Example: LOGNEWNOTSYN=debug - - -LOGNEWNOTSYN=ULOG - -# -# MAC List Log Level -# -# Specifies the logging level for connection requests that fail MAC -# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. 
-# -# See the comment at the top of this section for a description of log levels -# - -MACLIST_LOG_LEVEL=ULOG - -# -# TCP FLAGS Log Level -# -# Specifies the logging level for packets that fail TCP Flags -# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. -# -# See the comment at the top of this section for a description of log levels -# - -TCP_FLAGS_LOG_LEVEL=ULOG - -# -# RFC1918 Log Level -# -# Specifies the logging level for packets that fail RFC 1918 -# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then -# RFC1918_LOG_LEVEL=info is assumed. -# -# See the comment at the top of this section for a description of log levels -# - -RFC1918_LOG_LEVEL=ULOG - -# -# SMURF Log Level -# -# Specifies the logging level for smurf packets dropped by the -#'nosmurfs' interface option in /etc/shorewall/interfaces and in -# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL="" -# ) then dropped smurfs are not logged. - -# -# See the comment at the top of this section for a description of log levels -# - -SMURF_LOG_LEVEL=ULOG - -# -# BOGON Log Level -# -# Specifies the logging level for bogon packets dropped by the -#'nobogons' interface option in /etc/shorewall/interfaces and in -# /etc/shorewall/hosts. If set to the empty value -# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' -# in /usr/share/shorewall/bogons are logged at the 'info' level. -# -# See the comment at the top of this section for a description of log levels -# - -BOGON_LOG_LEVEL=ULOG -################################################################################ -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -################################################################################ -# -# PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. 
-# -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -# -# SHELL -# -# The firewall script is normally interpreted by /bin/sh. If you wish to change -# the shell used to interpret that script, specify the shell here. - -SHOREWALL_SHELL=/bin/sh - -# SUBSYSTEM LOCK FILE -# -# Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't -# use lock files, set this to "". -# - -SUBSYSLOCK=/var/run/shorewall - -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/var/state/shorewall - -# -# KERNEL MODULE DIRECTORY -# -# If your netfilter kernel modules are in a directory other than -# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that -# directory in this variable. Example: MODULESDIR=/etc/modules. - -MODULESDIR= - -# -# CONFIGURATION SEARCH PATH -# -# This option holds a list of directory names separated by colons -# (":"). Shorewall will search each directory in turn when looking for a -# configuration file. When processing a 'try' command or a command -# containing the "-c" option, Shorewall will automatically add the -# directory specified in the command to the front of this list. -# -# If not specified or specified as null ("CONFIG_PATH=""), -# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. - -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall - -# -# RESTORE SCRIPT -# -# This option determines the script to be run in the following cases: -# -# shorewall -f start -# shorewall restore -# shorewall save -# shorewall forget -# Failure of shorewall start or shorewall restart -# -# The value of the option must be the name of an executable file in the -# directory /var/lib/shorewall. If this option is not set or if it is -# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is -# assumed. 
-
-RESTOREFILE=
-################################################################################
-# F I R E W A L L O P T I O N S
-################################################################################
-
-# NAME OF THE FIREWALL ZONE
-#
-# Name of the firewall zone -- if not set or if set to an empty string, "fw"
-# is assumed.
-#
-FW=fw
-
-#
-# ENABLE IP FORWARDING
-#
-# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
-# say "Off" or "off", packet forwarding will be disabled. You would only want
-# to disable packet forwarding if you are installing Shorewall on a
-# standalone system or if you want all traffic through the Shorewall system
-# to be handled by proxies.
-#
-# If you set this variable to "Keep" or "keep", Shorewall will neither
-# enable nor disable packet forwarding.
-#
-IP_FORWARDING=On
-
-#
-# AUTOMATICALLY ADD NAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each NAT external address that you give in /etc/shorewall/nat. If you say
-# "No" or "no", you must add these aliases youself.
-#
-ADD_IP_ALIASES=Yes
-
-#
-# AUTOMATICALLY ADD SNAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
-# you are sure that you need it -- most people don't!!!
-#
-ADD_SNAT_ALIASES=No
-
-#
-# ENABLE TRAFFIC SHAPING
-#
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
-# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
-# you must enable packet mangling above.
-#
-TC_ENABLED=No
-
-#
-# Clear Traffic Shapping/Control
-#
-# If this option is set to 'No' then Shorewall won't clear the current
-# traffic control rules during [re]start. This setting is intended
-# for use by people that prefer to configure traffic shaping when
-# the network interfaces come up rather than when the firewall
-# is started. If that is what you want to do, set TC_ENABLED=Yes and
-# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
-# way, your traffic shaping rules can still use the 'fwmark'
-# classifier based on packet marking defined in /etc/shorewall/tcrules.
-#
-# If omitted, CLEAR_TC=Yes is assumed.
-
-CLEAR_TC=Yes
-
-#
-# Mark Packets in the forward chain
-#
-# When processing the tcrules file, Shorewall normally marks packets in the
-# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# this to "Yes". If not specified or if set to the empty value (e.g.,
-# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
-#
-# Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
-# address rewritten so they can be marked based on their destination. When
-# packets are marked in the PREROUTING chain, packets destined for
-# Masqueraded/SNATed local hosts still have a destination address corresponding
-# to the firewall's external interface.
-#
-# Note: Older kernels do not support marking packets in the FORWARD chain and
-# setting this variable to Yes may cause startup problems.
-
-MARK_IN_FORWARD_CHAIN=No
-
-#
-# MSS CLAMPING
-#
-# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
-# option. This option is most commonly required when your internet
-# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
-# have CONFIG_IP_NF_TARGET_TCPMSS set.
-#
-# [From the kernel help:
-#
-# This option adds a `TCPMSS' target, which allows you to alter the
-# MSS value of TCP SYN packets, to control the maximum size for that
-# connection (usually limiting it to your outgoing interface's MTU
-# minus 40).
-#
-# This is used to overcome criminally braindead ISPs or servers which
-# block ICMP Fragmentation Needed packets. The symptoms of this
-# problem are that everything works fine from your Linux
-# firewall/router, but machines behind it can never exchange large
-# packets:
-# 1) Web browsers connect, then hang with no data received.
-# 2) Small mail works fine, but large emails hang.
-# 3) ssh works fine, but scp hangs after initial handshaking.
-# ]
-#
-# If left blank, or set to "No" or "no", the option is not enabled.
-#
-CLAMPMSS=No
-
-#
-# ROUTE FILTERING
-#
-# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces started while Shorewall is started (anti-spoofing measure).
-#
-# If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# on individual interfaces using the 'routefilter' option in the
-# /etc/shorewall/interfaces file.
-
-ROUTE_FILTER=No
-
-# DNAT IP ADDRESS DETECTION
-#
-# Normally when Shorewall encounters the following rule:
-#
-# DNAT net loc:192.168.1.3 tcp 80
-#
-# it will forward TCP port 80 connections from the net to 192.168.1.3
-# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
-# convenient for two reasons:
-#
-# a) If the the network interface has a dynamic IP address, the
-# firewall configuration will work even when the address
-# changes.
-#
-# b) It saves having to configure the IP address in the rule
-# while still allowing the firewall to be started before the
-# internet interface is brought up.
-#
-# This default behavior can also have a negative effect. If the
-# internet interface has more than one IP address then the above
-# rule will forward connection requests on all of these addresses;
-# that may not be what is desired.
-#
-# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
-# only if the original destination address is the primary IP address of
-# one of the interfaces associated with the source zone. Note that this
-# requires all interfaces to the source zone to be up when the firewall
-# is [re]started.
-
-DETECT_DNAT_IPADDRS=No
-
-#
-# MUTEX TIMEOUT
-#
-# The value of this variable determines the number of seconds that programs
-# will wait for exclusive access to the Shorewall lock file. After the number
-# of seconds corresponding to the value of this variable, programs will assume
-# that the last program to hold the lock died without releasing the lock.
-#
-# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
-#
-# An appropriate value for this parameter would be twice the length of time
-# that it takes your firewall system to process a "shorewall restart" command.
-
-MUTEX_TIMEOUT=60
-
-#
-# NEWNOTSYN
-#
-# TCP connections are established using the familiar three-way "handshake":
-#
-# CLIENT SERVER
-#
-# SYN-------------------->
-# <------------------SYN,ACK
-# ACK-------------------->
-#
-# The first packet in that exchange (packet with the SYN flag on and the ACK
-# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
-# A packet is said to be NEW if it is not part of or related to an already
-# established connection.
-#
-# The NEWNOTSYN option determines the handling of non-SYN packets (those with
-# SYN off or with ACK or RST on) that are not associated with an already
-# established connection.
-#
-# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection will be dropped by the
-# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
-# logged before they are dropped.
-#
-# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
-# dropped but will pass through the normal rule/policy processing.
-#
-# Users with a High-availability setup with two firewall's and one acting
-# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
-# also need to select NEWNOTSYN=Yes.
-#
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
-# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
-# network or host basis using the same option in /etc/shorewall/hosts.
-
-#
-# I find that NEWNOTSYN=No tends to result in lots of "stuck"
-# connections because any network timeout during TCP session tear down
-# results in retries being dropped (Netfilter has removed the
-# connection from the conntrack table but the end-points haven't
-# completed shutting down the connection). I therefore have chosen
-# NEWNOTSYN=Yes as the default value.
-
-NEWNOTSYN=Yes
-
-#
-# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
-#
-# Normally, when a "shorewall stop" command is issued or an error occurs during
-# the execution of another shorewall command, Shorewall puts the firewall into
-# a state where only traffic to/from the hosts listed in
-# /etc/shorewall/routestopped is accepted.
-#
-# When performing remote administration on a Shorewall firewall, it is
-# therefore recommended that the IP address of the computer being used for
-# administration be added to the firewall's /etc/shorewall/routestopped file.
-#
-# Some administrators have a hard time remembering to do this with the result
-# that they get to drive across town in the middle of the night to restart
-# a remote firewall (or worse, they have to get someone out of bed to drive
-# across town to restart a very remote firewall).
-#
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
-# when the firewall enters the 'stopped' state:
-#
-# All traffic that is part of or related to established connections is still
-# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
-# to and from hosts listed in /etc/shorewall/routestopped.
-#
-# If this variable is not set or it is set to the null value then
-# ADMINISABSENTMINDED=No is assumed.
-#
-ADMINISABSENTMINDED=Yes
-
-#
-# BLACKLIST Behavior
-#
-# Shorewall offers two types of blacklisting:
-#
-# - static blacklisting through the /etc/shorewall/blacklist file together
-# with the 'blacklist' interface option.
-# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
-#
-# The following variable determines whether the blacklist is checked for each
-# packet or for each new connection.
-#
-# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
-# requests
-#
-# BLACKLISTNEWONLY=No Consult blacklists for all packets.
-#
-# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
-# BLACKLISTNEWONLY=No is assumed.
-#
-BLACKLISTNEWONLY=Yes
-
-# MODULE NAME SUFFIX
-#
-# When loading a module named in /etc/shorewall/modules, Shorewall normally
-# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
-# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
-# different naming convention then you can specify the suffix (extension) for
-# module names in this variable.
-#
-# To see what suffix is used by your distribution:
-#
-# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#
-# All of the file names listed should have the same suffix (extension). Set
-# MODULE_SUFFIX to that suffix.
-#
-# Examples:
-#
-# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
-# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
-#
-
-MODULE_SUFFIX=
-
-#
-# DISABLE IPV6
-#
-# Distributions (notably SuSE) are beginning to ship with IPV6
-# enabled. If you are not using IPV6, you are at risk of being
-# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
-# Shorewall to disable IPV6 traffic to/from and through your
-# firewall system. This requires that you have ip6tables installed.
-# Should be set to "No" for LEAF/LRP
-
-DISABLE_IPV6=No
-
-#
-# BRIDGING
-#
-# If you wish to control traffic through a bridge (see http://bridge.sf.net),
-# then set BRIDGING=Yes. Your kernel must have the physdev match option
-# enabled; that option is available at the above URL for 2.4 kernels and
-# is included as a standard part of the 2.6 series kernels. If not
-# specified or specified as empty (BRIDGING="") then "No" is assumed.
-#
-
-BRIDGING=No
-
-#
-# DYNAMIC ZONES
-#
-# If you need to be able to add and delete hosts from zones dynamically then
-# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
-
-DYNAMIC_ZONES=No
-
-#
-# USE PKTTYPE MATCH
-#
-# Some users have reported problems with the PKTTYPE match extension not being
-# able to match certain broadcast packets.
-#
-# Other users have complained of the following message when
-# starting Shorewall:
-#
-# modprobe: cant locate module ipt_pkttype
-#
-# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
-# broadcasts rather than pkttype. If not given or if given as empty
-# (PKTTYPE="") then PKTTYPE=Yes is assumed.
-
-PKTTYPE=Yes
-
-#
-# DROP INVALID PACKETS
-#
-# Netfilter classifies packets relative to its connection tracking table into
-# four states:
-#
-# NEW - thes packet initiates a new connection
-# ESTABLISHED - thes packet is part of an established connection
-# RELATED - thes packet is related to an established connection; it may
-# establish a new connection
-# INVALID - the packet does not related to the table in any sensible way.
-#
-# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
-# Window analysis. This can cause packets that were previously classified as
-# NEW or ESTABLISHED to be classified as INVALID.
-#
-# The new kernel code can be disabled by including this command in your
-# /etc/shorewall/init file:
-#
-# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-#
-# Additional kernel logging about INVALID TCP packets may be obtained by
-# adding this command to /etc/shorewall/init:
-#
-# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
-#
-# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
-# option allows INVALID packets to be passed through the normal rules chains by
-# setting DROPINVALID=No.
-#
-# If not specified or if specified as empty (e.g., DROPINVALID="") then
-# DROPINVALID=Yes is assumed.
-
-DROPINVALID=No
-################################################################################
-# P A C K E T D I S P O S I T I O N
-################################################################################
-#
-# BLACKLIST DISPOSITION
-#
-# Set this variable to the action that you want to perform on packets from
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
-# DROP is assumed.
-#
-
-BLACKLIST_DISPOSITION=DROP
-
-#
-# MAC List Disposition
-#
-# This variable determines the disposition of connection requests arriving
-# on interfaces that have the 'maclist' option and that are from a device
-# that is not listed for that interface in /etc/shorewall/maclist. Valid
-# values are ACCEPT, DROP and REJECT. If not specified or specified as
-# empty (MACLIST_DISPOSITION="") then REJECT is assumed
-
-MACLIST_DISPOSITION=REJECT
-
-#
-# TCP FLAGS Disposition
-#
-# This variable determins the disposition of packets having an invalid
-# combination of TCP flags that are received on interfaces having the
-# 'tcpflags' option specified in /etc/shorewall/interfaces or in
-# /etc/shorewall/hosts. If not specified or specified as empty
-# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/start b/Lrp/etc/shorewall/start
deleted file mode 100644
index 8f48d2565..000000000
--- a/Lrp/etc/shorewall/start
+++ /dev/null
@@ -1,10 +0,0 @@
-############################################################################
-# Shorewall 2.0 -- /etc/shorewall/start
-#
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
-#
-for file in /etc/shorewall/start.d/* ; do
- run_user_exit $file
-done
-
\ No newline at end of file
diff --git a/Lrp/etc/shorewall/stop b/Lrp/etc/shorewall/stop
deleted file mode 100644
index f5be35a72..000000000
--- a/Lrp/etc/shorewall/stop
+++ /dev/null
@@ -1,10 +0,0 @@
-############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
-#
-for file in /etc/shorewall/stop.d/* ; do
- run_user_exit $file
-done
-
\ No newline at end of file
diff --git a/Lrp/etc/shorewall/stopped b/Lrp/etc/shorewall/stopped
deleted file mode 100644
index 16feb827b..000000000
--- a/Lrp/etc/shorewall/stopped
+++ /dev/null
@@ -1,6 +0,0 @@
-############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stopped
-#
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
-#
diff --git a/Lrp/etc/shorewall/tcrules b/Lrp/etc/shorewall/tcrules
deleted file mode 100644
index d2ff68ba5..000000000
--- a/Lrp/etc/shorewall/tcrules
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Shorewall version 2.0 - Traffic Control Rules File
-#
-# /etc/shorewall/tcrules
-#
-# Entries in this file cause packets to be marked as a means of
-# classifying them for traffic control or policy routing.
-#
-# I M P O R T A N T ! ! ! !
-#
-# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
-# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
-#
-# Unlike rules in the /etc/shorewall/rules file, evaluation
-# of rules in this file will continue after a match. So the
-# final mark for each packet will be the one assigned by the
-# LAST tcrule that matches.
-#
-# Columns are:
-#
-#
-# MARK The mark value which is an
-# integer in the range 1-255
-#
-# May optionally be followed by ":P" or ":F"
-# where ":P" indicates that marking should occur in
-# the PREROUTING chain and ":F" indicates that marking
-# should occur in the FORWARD chain. If neither
-# ":P" nor ":F" follow the mark value then the chain is
-# determined by the setting of MARK_IN_FORWARD_CHAIN in
-# /etc/shorewall/shorewall.conf.
-#
-# SOURCE Source of the packet. A comma-separated list of
-# interface names, IP addresses, MAC addresses
-# and/or subnets. Use $FW if the packet originates on
-# the firewall in which case the MARK column may NOT
-# specify either ":P" or ":F" (marking always occurs
-# in the OUTPUT chain).
-#
-# MAC addresses must be prefixed with "~" and use
-# "-" as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# DEST Destination of the packet. Comma separated list of
-# IP addresses and/or subnets.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
-# or "all".
-#
-# PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following field is supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# USER This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective user and/or group.
-#
-# It may contain :
-#
-# []:[]
-#
-# The colon is optionnal when specifying only a user.
-# Examples : john: / john / :users / john:users
-#
-##############################################################################
-#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
-# PORT(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/tos b/Lrp/etc/shorewall/tos
deleted file mode 100644
index 9f9d2bd91..000000000
--- a/Lrp/etc/shorewall/tos
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Shorewall 2.0 -- /etc/shorewall/tos
-#
-# This file defines rules for setting Type Of Service (TOS)
-#
-# Columns are:
-#
-# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
-# or $FW.
-#
-# If not "all" or $FW, may optionally be followed by
-# ":" and an IP address, a MAC address, a subnet
-# specification or the name of an interface.
-#
-# Example: loc:192.168.2.3
-#
-# MAC addresses must be prefixed with "~" and use
-# "-" as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# DEST Name of a zone declared in /etc/shorewall/zones, "all"
-# or $FW.
-#
-# If not "all" or $FW, may optionally be followed by
-# ":" and an IP address or a subnet specification
-#
-# Example: loc:192.168.2.3
-#
-# PROTOCOL Protocol.
-#
-# SOURCE PORTS Source port or port range. If all ports, use "-".
-#
-# DEST PORTS Destination port or port range. If all ports, use "-"
-#
-# TOS Type of service. Must be one of the following:
-#
-# Minimize-Delay (16)
-# Maximize-Throughput (8)
-# Maximize-Reliability (4)
-# Minimize-Cost (2)
-# Normal-Service (0)
-#
-##############################################################################
-#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
-all all tcp - 22 16
-all all tcp 22 - 16
-all all tcp - 21 16
-all all tcp 21 - 16
-all all tcp 20 - 8
-all all tcp - 20 8
-#LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/tunnels b/Lrp/etc/shorewall/tunnels
deleted file mode 100644
index 2c032cb21..000000000
--- a/Lrp/etc/shorewall/tunnels
+++ /dev/null
@@ -1,110 +0,0 @@
-#
-# Shorewall 2.0 - /etc/shorewall/tunnels
-#
-# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
-#
-# IPIP, GRE and OPENVPN tunnels must be configured on the
-# firewall/gateway itself. IPSEC endpoints may be defined
-# on the firewall/gateway or on an internal system.
-#
-# The columns are:
-#
-# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
-# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
-# "generic"
-#
-# If the type is "ipsec" or "ipsecnat", it may be followed
-# by ":noah" to indicate that the Authentication Header
-# protocol (51) is not used by the tunnel.
-#
-# If type is "openvpn", it may optionally be followed
-# by ":" and the port number used by the tunnel. if no
-# ":" and port number are included, then the default port
-# of 5000 will be used
-#
-# If type is "generic", it must be followed by ":" and
-# a protocol name (from /etc/protocols) or a protocol
-# number. If the protocol is "tcp" or "udp" (6 or 17),
-# then it may optionally be followed by ":" and a
-# port number.
-#
-# ZONE -- The zone of the physical interface through which
-# tunnel traffic passes. This is normally your internet
-# zone.
-#
-# GATEWAY -- The IP address of the remote tunnel gateway. If the
-# remote getway has no fixed address (Road Warrior)
-# then specify the gateway as 0.0.0.0/0.
-#
-# GATEWAY
-# ZONES -- Optional. If the gateway system specified in the third
-# column is a standalone host then this column should
-# contain a comma-separated list of the names of the
-# zones that the host might be in. This column only
-# applies to IPSEC and generic tunnels.
-#
-# Example 1:
-#
-# IPSec tunnel. The remote gateway is 4.33.99.124 and
-# the remote subnet is 192.168.9.0/24. The tunnel does
-# not use the AH protocol
-#
-# ipsec:noah net 4.33.99.124
-#
-# Example 2:
-#
-# Road Warrior (LapTop that may connect from anywhere)
-# where the "gw" zone is used to represent the remote
-# LapTop.
-#
-# ipsec net 0.0.0.0/0 gw
-#
-# Example 3:
-#
-# Host 4.33.99.124 is a standalone system connected
-# via an ipsec tunnel to the firewall system. The host
-# is in zone gw.
-#
-# ipsec net 4.33.99.124 gw
-#
-# Example 4:
-#
-# Road Warriors that may belong to zones vpn1, vpn2 or
-# vpn3. The FreeS/Wan _updown script will add the
-# host to the appropriate zone using the "shorewall add"
-# command on connect and will remove the host from the
-# zone at disconnect time.
-#
-# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
-#
-# Example 5:
-#
-# You run the Linux PPTP client on your firewall and
-# connect to server 192.0.2.221.
-#
-# pptpclient net 192.0.2.221
-#
-# Example 6:
-#
-# You run a PPTP server on your firewall.
-#
-# pptpserver net
-#
-# Example 7:
-#
-# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
-# openvpn uses port 7777.
-#
-# openvpn:7777 net 4.33.99.124
-#
-# Example 8:
-#
-# You have a tunnel that is not one of the supported types.
-# Your tunnel uses UDP port 4444. The other end of the
-# tunnel is 4.3.99.124.
-#
-# generic:udp:4444 net 4.3.99.124
-#
-# TYPE ZONE GATEWAY GATEWAY
-# ZONE
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/zones b/Lrp/etc/shorewall/zones
deleted file mode 100644
index 7b50b4fd3..000000000
--- a/Lrp/etc/shorewall/zones
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/zones
-#
-# This file determines your network zones. Columns are:
-#
-# ZONE Short name of the zone (5 Characters or less in length).
-# DISPLAY Display name of the zone
-# COMMENTS Comments about the zone
-#
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
-# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
-#
-# See http://www.shorewall.net/Documentation.htm#Nested
-#
-#ZONE DISPLAY COMMENTS
-net Net Internet
-loc Local Local networks
-#dmz DMZ Demilitarized zone
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall
deleted file mode 100755
index 01abe9a8c..000000000
--- a/Lrp/sbin/shorewall
+++ /dev/null
@@ -1,1196 +0,0 @@ -#!/bin/sh -# -# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall. -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# The firewall uses configuration files in /etc/shorewall/ - skeleton -# files is included with the firewall. 
-# -# Commands are: -# -# shorewall add [:] zone Adds a host or subnet to a zone -# shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status -# plus the last 20 "interesting" -# packets -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and -# byte counts -# shorewall clear Open the floodgates by -# removing all iptables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall refresh Rebuild the common chain to -# compensate for a change of -# broadcast address on any "detect" -# interface. -# shorewall show [ ... ] Display the rules in each listed -# shorewall show log Print the last 20 log messages -# shorewall show connections Show the kernel's connection -# tracking table -# shorewall show nat Display the rules in the nat table -# shorewall show {mangle|tos} Display the rules in the mangle table -# shorewall show tc Display traffic control info -# shorewall show classifiers Display classifiers -# shorewall version Display the installed version id -# shorewall check Verify the more heavily-used -# configuration files. -# shorewall try [ ] Try a new configuration and if -# it doesn't work, revert to the -# standard one. If a timeout is supplied -# the command reverts back to the -# standard configuration after that many -# seconds have elapsed after successfully -# starting the new configuration. -# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall drop
... Temporarily drop all packets from the -# listed address(es) -# shorewall reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall -# restore' can be used. -# -# shorewall forget [ ] Discard the data saved by 'shorewall save' -# -# shorewall restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall ipaddr [
/ |
] -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " $@" >&2 - exit 2 -} - -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 - exit 2 - ;; - esac -} - -# -# Set the configuration variables from shorewall.conf -# -get_config() { - - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if [ ! -f $LOGFILE ]; then - echo "LOGFILE ($LOGFILE) does not exist!" >&2 - exit 2 - fi - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi - - [ -n "$FW" ] || FW=fw - - [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - - [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! 
-e "$SHOREWALL_SHELL" ]; then - echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 - exit 2 - fi - fi - - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - export RESTOREFILE - -} - -# -# Display IPTABLES rules -- we used to store them in a variable but ash -# dies when trying to display large sets of rules -# -display_chains() -{ - trap "rm -f $tmpfile; exit 1" 1 2 3 4 5 6 9 - - if [ "$haveawk" = "Yes" ]; then - # - # Send the output to a temporary file since ash craps if we try to store - # the output in a variable. - # - TMPFILE=$(mktempfile) - [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - - iptables -L $IPT_OPTIONS >> $TMPFILE - - clear - echo "$banner $(date)" - echo - echo "Standard Chains" - echo - firstchain="Yes" - showchain INPUT - showchain OUTPUT - showchain FORWARD - - timed_read - - clear - echo "$banner $(date)" - echo - firstchain=Yes - echo "Input Chains" - echo - - chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2) - - for chain in $chains; do - showchain $chain - done - - timed_read - - for zone in $zones; do - - if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear - echo "$banner $(date)" - echo - firstchain=Yes - eval display=\$${zone}_display - echo "$display Chains" - echo - for zone1 in $FW $zones; do - showchain ${zone}2$zone1 - showchain @${zone}2$zone1 - [ "$zone" != "$zone1" ] && \ - showchain ${zone1}2${zone} && \ - showchain @${zone1}2${zone} - done - - timed_read - fi - done - - clear - echo "$banner $(date)" - echo - firstchain=Yes - echo "Policy Chains" - echo - showchain common - showchain badpkt - showchain icmpdef - showchain rfc1918 - showchain blacklst - showchain reject - showchain newnotsyn - for zone in $zones all; do - showchain ${zone}2all - showchain @${zone}2all - [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } - done - - timed_read - - clear - echo "$banner 
$(date)" - echo - firstchain=Yes - echo "Dynamic Chain" - echo - showchain dynamic - timed_read - - qt rm -f $TMPFILE - else - iptables -L -n -v - timed_read - fi - trap - 1 2 3 4 5 6 9 - -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? -eq 2 && sleep $timeout -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - local options - - [ -n "$realtail" ] && options="-n$1" - - grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - sed s/" $host kernel: ipt_unclean: "/" "/ | \ - sed 's/MAC=.* SRC=/SRC=/' | \ - tail $options -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s -d qdisc show dev $device - tc -s -d class show dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_tc ${interface%:} - ;; - *) - ;; - esac - done - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_classifier ${interface%:} - ;; - *) - ;; - esac - done - -} -# -# Monitor the Firewall -# -monitor_firewall() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - get_config - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - let "timeout=- $1" - pause="Yes" - else - pause="No" - timeout=$1 - fi - - - if qt which awk; then - TMP_DIR=$(mktempdir) - [ -n "$TMP_DIR" ] || 
{ echo " ERROR:Cannot create temporary directory" >&2; exit 1; } - haveawk=Yes - determine_zones - rm -rf $TMP_DIR - else - haveawk= - fi - - while true; do - display_chains - - clear - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$(iptables -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 20 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 20 - timed_read - fi - - clear - echo "$banner $(date)" - echo - echo "NAT Status" - echo - iptables -t nat -L $IPT_OPTIONS - timed_read - - clear - echo "$banner $(date)" - echo - echo - echo "TOS/MARK Status" - echo - iptables -t mangle -L $IPT_OPTIONS - timed_read - - clear - echo "$banner $(date)" - echo - echo - echo "Tracked Connections" - echo - cat /proc/net/ip_conntrack - timed_read - - clear - echo "$banner $(date)" - echo - echo - echo "Traffic Shaping/Control" - echo - show_tc - timed_read - - clear - echo "$banner $(date)" - echo - echo - echo "Packet Classifiers" - echo - show_classifiers - timed_read - done -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - get_config - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt which awk && haveawk=Yes || haveawk= - - while true; do - clear - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$(iptables -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi 
- else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Help information -# -help() -{ - [ -x $HELP ] && { export version; exec $HELP $*; } - echo "Help subsystem is not installed at $HELP" -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] [ -f ] " - echo "where is one of:" - echo " add [:] " - echo " allow
..." - echo " check" - echo " clear" - echo " delete [:] " - echo " drop
..." - echo " forget [ ]" - echo " help [ | host | address ]" - echo " hits" - echo " ipcalc [
/ |
]" - echo " iprange
-
" - echo " logwatch []" - echo " monitor []" - echo " refresh" - echo " reject
..." - echo " reset" - echo " restart" - echo " restore [ ]" - echo " save [ ]" - echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos]" - echo " start" - echo " stop" - echo " status" - echo " try [ ]" - echo " version" - exit $1 -} - -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f $STATEDIR/restarted ] && \ - echo "Counters reset $(cat $STATEDIR/restarted)" && \ - echo -} - -show_proc() { - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -# -# Execution begins here -# -debugging= - -if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then - debugging=debug - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -SHOREWALL_DIR= -QUIET= -IPT_OPTIONS="-nv" -FAST= - -done=0 - -while [ $done -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - c) - [ $# -eq 1 ] && usage 1 - - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - option= - shift - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - q*) - QUIET=Yes - option=${option#q} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - done=1 - ;; - esac -done - -if [ $# -eq 0 ]; then - usage 1 -fi - -[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -[ -n "$QUIET" ] && export QUIET - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHARED_DIR=/usr/share/shorewall -FIREWALL=$SHARED_DIR/firewall -FUNCTIONS=$SHARED_DIR/functions -VERSION_FILE=$SHARED_DIR/version -HELP=$SHARED_DIR/help - -if [ -f $FUNCTIONS ]; then - . $FUNCTIONS -else - echo "$FUNCTIONS does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -config=$(find_file shorewall.conf) - -if [ -f $config ]; then - if [ -r $config ]; then - . 
$config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi -else - echo "$config does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -export CONFIG_PATH - -[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - -if [ ! -f $FIREWALL ]; then - echo "ERROR: Shorewall is not properly installed" - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" - echo " non-existant file" - else - echo " The file $FIREWALL does not exist" - fi - - exit 2 -fi - -if [ -f $VERSION_FILE ]; then - version=$(cat $VERSION_FILE) -else - echo "ERROR: Shorewall is not properly installed" - echo " The file $VERSION_FILE does not exist" - exit 1 -fi - -banner="Shorewall-$version Status at $HOSTNAME -" - -case $(echo -e) in - -e*) - RING_BELL="echo \a" - ;; - *) - RING_BELL="echo -e \a" - ;; -esac - -case $(echo -n "Testing") in - -n*) - ECHO_N= - ;; - *) - ECHO_N=-n - ;; -esac - -case "$1" in - start) - [ $# -ne 1 ] && usage 1 - get_config - if [ -n "$FAST" ]; then - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... 
- $RESTOREPATH - date > $STATEDIR/restarted - echo Shorewall restored from $RESTOREPATH - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - ;; - stop|restart|reset|clear|refresh|check) - [ $# -ne 1 ] && usage 1 - get_config - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 - ;; - add|delete) - [ $# -ne 3 ] && usage 1 - get_config - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3 - ;; - show|list) - [ -n "$debugging" ] && set -x - case "$2" in - connections) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version NAT at $HOSTNAME - $(date)" - echo - show_reset - iptables -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version TOS at $HOSTNAME - $(date)" - echo - show_reset - iptables -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 2 ] && usage 1 - get_config - echo "Shorewall-$version Log at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - *) - shift - - echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - iptables -L $chain $IPT_OPTIONS - done - else - iptables -L $IPT_OPTIONS - fi - ;; - esac - ;; - monitor) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - monitor_firewall $2 - elif [ $# -eq 1 ]; then - monitor_firewall 30 - else - usage 1 - fi - ;; - status) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - get_config - clear - echo 
"Shorewall-$version Status at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - iptables -L $IPT_OPTIONS - echo - packet_log 20 - echo - echo "NAT Table" - echo - iptables -t nat -L $IPT_OPTIONS - echo - echo "Mangle Table" - echo - iptables -t mangle -L $IPT_OPTIONS - echo - cat /proc/net/ip_conntrack - echo - echo "IP Configuration" - echo - ip addr ls - - if qt which brctl; then - echo - echo "Bridges" - echo - brctl show - fi - - echo - echo "/proc" - echo - - show_proc /proc/sys/net/ipv4/ip_forward - - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter rp_filter; do - show_proc $directory/$file - done - done - - echo - echo "Routing Rules" - echo - ip rule ls - ip rule ls | while read rule; do - table=${rule##* } - echo - echo "Table $table:" - echo - ip route ls table $table - done - ;; - hits) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - get_config - clear - echo "Shorewall-$version Hits at $HOSTNAME - $(date)" - echo - - timeout=30 - - if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then - echo " HITS IP DATE" - echo " ---- --------------- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS IP PORT" - echo " ---- --------------- -----" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ - t - s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS DATE" - echo " ---- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" - grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ - while read count port ; do - # List all services defined for the given port - srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u) - srv=$(echo 
$srv | sed 's/ /,/g') - - if [ -n "$srv" ] ; then - printf '%7d %5d %s\n' $count $port $srv - else - printf '%7d %5d\n' $count $port - fi - done - fi - ;; - version) - echo $version - ;; - try) - [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" - [ $# -lt 2 -o $# -gt 3 ] && usage 1 - if ! $0 $debugging -c $2 restart; then - if ! iptables -L shorewall > /dev/null 2> /dev/null; then - $0 start - fi - elif ! iptables -L shorewall > /dev/null 2> /dev/null; then - $0 start - elif [ $# -eq 3 ]; then - sleep $3 - $0 restart - fi - ;; - logwatch) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - logwatch $2 - elif [ $# -eq 1 ]; then - logwatch 30 - else - usage 1 - fi - ;; - drop) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j DROP || break 1 - echo "$1 Dropped" - done - mutex_off - ;; - reject) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j reject || break 1 - echo "$1 Rejected" - done - mutex_off - ;; - allow) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - done - mutex_off - ;; - save) - [ -n "$debugging" ] && set -x - - get_config - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - mutex_on - - if qt iptables -L shorewall -n; then - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - - if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" - else - case $RESTOREFILE in - save|restore-base) - echo " ERROR: Reserved file name: $RESTOREFILE" - ;; - *) - if iptables -L dynamic -n > /var/lib/shorewall/save; then - echo " Dynamic Rules Saved" - if [ -f /var/lib/shorewall/restore-base ]; then - cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ - if iptables-save >> /var/lib/shorewall/restore-$$ ; then - echo __EOF__ >> /var/lib/shorewall/restore-$$ - [ -f /var/lib/shorewall/restore-tail ] && \ - cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH - chmod +x $RESTOREPATH - echo " Currently-running Configuration Saved to $RESTOREPATH" - else - rm -f /var/lib/shorewall/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" - fi - else - echo " ERROR: /var/lib/shorewall/restore-base does not exist" - fi - else - echo "Error Saving the Dynamic Rules" - fi - ;; - esac - fi - else - echo "Shorewall isn't started" - fi - mutex_off - ;; - forget) - get_config - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - rm -f $RESTOREPATH - echo " $RESTOREPATH removed" - elif [ -f $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" - fi - ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - 
temp=$(broadcastaddress $address); echo " BROADCAST=$temp"
- ;;
-
- iprange)
- [ -n "$debugging" ] && set -x
- case $2 in
- *.*.*.*-*.*.*.*)
- ip_range $2
- ;;
- *)
- usage 1
- ;;
- esac
- ;;
- restore)
- get_config
- case $# in
- 1)
- ;;
- 2)
- RESTOREFILE="$2"
- validate_restorefile ''
- ;;
- *)
- usage 1
- ;;
- esac
-
- RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-
- if [ -x $RESTOREPATH ]; then
- echo Restoring Shorewall...
- $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
- else
- echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
- exit 2
- fi
- ;;
- call)
- [ -n "$debugging" ] && set -x
- #
- # Undocumented way to call functions in /usr/share/shorewall/functions directly
- #
- shift;
- $@
- ;;
- help)
- shift
- [ $# -ne 1 ] && usage 1
- help $@
- ;;
- *)
- usage 1
- ;;
-
-esac
diff --git a/Lrp/usr/share/shorewall/action.AllowAuth b/Lrp/usr/share/shorewall/action.AllowAuth
deleted file mode 100644
index 78bdc1266..000000000
--- a/Lrp/usr/share/shorewall/action.AllowAuth
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowAuth
-#
-# This action accepts Auth (identd) traffic.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 113
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowDNS b/Lrp/usr/share/shorewall/action.AllowDNS
deleted file mode 100644
index 2ac6a72ce..000000000
--- a/Lrp/usr/share/shorewall/action.AllowDNS
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowDNS
-#
-# This action accepts DNS traffic.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 53
-ACCEPT - - tcp 53
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowFTP b/Lrp/usr/share/shorewall/action.AllowFTP
deleted file mode 100644
index cab5fa4e1..000000000
--- a/Lrp/usr/share/shorewall/action.AllowFTP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowFTP
-#
-# This action accepts FTP traffic. See
-# http://www.shorewall.net/FTP.html for additional considerations.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 21
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowIMAP b/Lrp/usr/share/shorewall/action.AllowIMAP
deleted file mode 100644
index 333bdf779..000000000
--- a/Lrp/usr/share/shorewall/action.AllowIMAP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
-#
-# This action accepts IMAP traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 143 #Unsecure IMAP
-ACCEPT - - tcp 993 #Secure IMAP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowNNTP b/Lrp/usr/share/shorewall/action.AllowNNTP
deleted file mode 100644
index 3bf9f4926..000000000
--- a/Lrp/usr/share/shorewall/action.AllowNNTP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
-#
-# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 119
-ACCEPT - - tcp 563
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowNTP b/Lrp/usr/share/shorewall/action.AllowNTP
deleted file mode 100644
index 6ef93652c..000000000
--- a/Lrp/usr/share/shorewall/action.AllowNTP
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowNTP
-#
-# This action accepts NTP traffic (ntpd).
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
-ACCEPT - - udp 123
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowPCA b/Lrp/usr/share/shorewall/action.AllowPCA
deleted file mode 100644
index 2afc22987..000000000
--- a/Lrp/usr/share/shorewall/action.AllowPCA
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowPCA
-#
-# This action accepts PCAnywere (tm)
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 5632
-ACCEPT - - tcp 5631
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowPOP3 b/Lrp/usr/share/shorewall/action.AllowPOP3
deleted file mode 100644
index b7756fee5..000000000
--- a/Lrp/usr/share/shorewall/action.AllowPOP3
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
-#
-# This action accepts POP3 traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
-ACCEPT - - tcp 110 #Unsecure POP3
-ACCEPT - - tcp 995 #Secure POP3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowPing b/Lrp/usr/share/shorewall/action.AllowPing
deleted file mode 100644
index f18492201..000000000
--- a/Lrp/usr/share/shorewall/action.AllowPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowPing
-#
-# This action accepts 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowRdate b/Lrp/usr/share/shorewall/action.AllowRdate
deleted file mode 100644
index 34cb7f75c..000000000
--- a/Lrp/usr/share/shorewall/action.AllowRdate
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowRdate
-#
-# This action accepts remote time retrieval (rdate).
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 37
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowSMB b/Lrp/usr/share/shorewall/action.AllowSMB
deleted file mode 100644
index 8914eae98..000000000
--- a/Lrp/usr/share/shorewall/action.AllowSMB
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowSMB
-#
-# Allow Microsoft SMB traffic. You need to invoke this action in
-# both directions.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 135,445
-ACCEPT - - udp 137:139
-ACCEPT - - udp 1024: 137
-ACCEPT - - tcp 135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowSMTP b/Lrp/usr/share/shorewall/action.AllowSMTP
deleted file mode 100644
index 5a802a2d1..000000000
--- a/Lrp/usr/share/shorewall/action.AllowSMTP
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
-#
-# This action accepts SMTP (email) traffic.
-#
-# Note: This action allows traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the AllowPOP3 or AllowIMAP actions.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 25
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowSNMP b/Lrp/usr/share/shorewall/action.AllowSNMP
deleted file mode 100644
index 11d78d126..000000000
--- a/Lrp/usr/share/shorewall/action.AllowSNMP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
-#
-# This action accepts SNMP traffic (including traps):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 161:162
-ACCEPT - - tcp 161
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowSSH b/Lrp/usr/share/shorewall/action.AllowSSH
deleted file mode 100644
index 78e25bba9..000000000
--- a/Lrp/usr/share/shorewall/action.AllowSSH
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowSSH
-#
-# This action accepts secure shell (SSH) traffic.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 22
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowTelnet b/Lrp/usr/share/shorewall/action.AllowTelnet
deleted file mode 100644
index 5eebbb095..000000000
--- a/Lrp/usr/share/shorewall/action.AllowTelnet
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
-#
-# This action accepts Telnet traffic. For traffic over the
-# internet, telnet is inappropriate; use SSH instead
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 23
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowTrcrt b/Lrp/usr/share/shorewall/action.AllowTrcrt
deleted file mode 100644
index 1b6180003..000000000
--- a/Lrp/usr/share/shorewall/action.AllowTrcrt
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
-#
-# This action accepts Traceroute (for up to 30 hops):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 33434:33524 #UDP Traceroute
-ACCEPT - - icmp 8 #ICMP Traceroute
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowVNC b/Lrp/usr/share/shorewall/action.AllowVNC
deleted file mode 100644
index 423c30c77..000000000
--- a/Lrp/usr/share/shorewall/action.AllowVNC
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
-#
-# This action accepts VNC traffic for VNC display's 0 - 9.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5900:5909
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowVNCL b/Lrp/usr/share/shorewall/action.AllowVNCL
deleted file mode 100644
index 83ff3fe81..000000000
--- a/Lrp/usr/share/shorewall/action.AllowVNCL
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
-#
-# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5500
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.AllowWeb b/Lrp/usr/share/shorewall/action.AllowWeb
deleted file mode 100644
index f88028b12..000000000
--- a/Lrp/usr/share/shorewall/action.AllowWeb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.AllowWeb
-#
-# This action accepts WWW traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 80
-ACCEPT - - TCP 443
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.Drop b/Lrp/usr/share/shorewall/action.Drop
deleted file mode 100644
index 721a46126..000000000
--- a/Lrp/usr/share/shorewall/action.Drop
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.Drop
-#
-# The default DROP common rules
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-RejectAuth
-dropBcast
-dropInvalid
-DropSMB
-DropUPnP
-dropNotSyn
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.DropDNSrep b/Lrp/usr/share/shorewall/action.DropDNSrep
deleted file mode 100644
index 949e3e655..000000000
--- a/Lrp/usr/share/shorewall/action.DropDNSrep
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
-#
-# This action silently drops DNS UDP replies
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp - 53
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.DropPing b/Lrp/usr/share/shorewall/action.DropPing
deleted file mode 100644
index 5aba7c207..000000000
--- a/Lrp/usr/share/shorewall/action.DropPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropPing
-#
-# This action silently drops 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.DropSMB b/Lrp/usr/share/shorewall/action.DropSMB
deleted file mode 100644
index 03a9ee15b..000000000
--- a/Lrp/usr/share/shorewall/action.DropSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropSMB
-#
-# This action silently drops Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 135
-DROP - - udp 137:139
-DROP - - udp 445
-DROP - - tcp 135
-DROP - - tcp 139
-DROP - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.DropUPnP b/Lrp/usr/share/shorewall/action.DropUPnP
deleted file mode 100644
index 8ef56119c..000000000
--- a/Lrp/usr/share/shorewall/action.DropUPnP
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.DropUPnP
-#
-# This action silently drops UPnP probes on UDP port 1900
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 1900
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.Reject b/Lrp/usr/share/shorewall/action.Reject
deleted file mode 100644
index 8cfd666ec..000000000
--- a/Lrp/usr/share/shorewall/action.Reject
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.Reject
-#
-# The default REJECT action common rules
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-RejectAuth
-dropBcast
-dropInvalid
-RejectSMB
-DropUPnP
-dropNotSyn
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.RejectAuth b/Lrp/usr/share/shorewall/action.RejectAuth
deleted file mode 100644
index e3675d5bb..000000000
--- a/Lrp/usr/share/shorewall/action.RejectAuth
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.RejectAuth
-#
-# This action silently rejects Auth (tcp 113) traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - tcp 113
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.RejectSMB b/Lrp/usr/share/shorewall/action.RejectSMB
deleted file mode 100644
index db820e5dc..000000000
--- a/Lrp/usr/share/shorewall/action.RejectSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.RejectSMB
-#
-# This action silently rejects Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - udp 135
-REJECT - - udp 137:139
-REJECT - - udp 445
-REJECT - - tcp 135
-REJECT - - tcp 139
-REJECT - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/action.template b/Lrp/usr/share/shorewall/action.template
deleted file mode 100644
index b20af0e09..000000000
--- a/Lrp/usr/share/shorewall/action.template
+++ /dev/null
@@ -1,160 +0,0 @@
-#
-# Shorewall 2.0 /etc/shorewall/action.template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action. where is an
-# ACTION defined in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.
-# 3. Add the desired rules to that file.
-#
-# Columns are:
-#
-#
-# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
-# previously-defined
-#
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as p2pwall.
-# CONTINUE -- Discontinue processing this action
-# and return to the point where the
-# action was invoked.
-# -- An defined in
-# /etc/shorewall/actions. The
-# must appear in that file BEFORE the
-# one being defined in this file.
-#
-# The TARGET may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# ACCEPT:debugging). This causes the packet to be
-# logged at the specified level.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies.
-# A comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# 192.168.2.2 Host 192.168.2.2
-#
-# 155.186.235.0/24 Subnet 155.186.235.0/24
-#
-# 192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2.
-# ~00-A0-C9-15-39-78 Host with
-# MAC address 00:A0:C9:15:39:78.
-#
-# Alternatively, clients may be specified by interface
-# name. For example, eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., eth1:192.168.1.5).
-#
-# DEST Location of Server. Same as above with the exception that
-# MAC addresses are not allowed.
-#
-# Unlike in the SOURCE column, you may specify a range of
-# up to 256 IP addresses using the syntax
-# -.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
-# "all".
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following fields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this column:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE
-# PORT PORT(S) LIMIT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/actions.std b/Lrp/usr/share/shorewall/actions.std
deleted file mode 100644
index 89f9ad504..000000000
--- a/Lrp/usr/share/shorewall/actions.std
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Shorewall 2.0 /usr/share/shorewall/actions.std
-#
-#
-# Builtin Actions are:
-#
-# dropBcast #Silently Drop Broadcast/multicast
-# dropNonSyn #Silently Drop Non-syn TCP packets
-# rejNonSyn #Silently Reject Non-syn TCP packets
-# logNonSyn #Log Non-syn TCP packets with disposition LOG
-# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
-# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
-# dropInvalid #Silently Drop packets that are in the INVALID
-# #conntrack state.
-# allowInvalid #Accept packets that are in the INVALID conntrack
-# #state
-#
-# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
-# shorewall.conf. If that option isn't specified then 'info' is used.
-#
-#ACTION
-
-DropSMB #Silently Drops Microsoft SMB Traffic
-RejectSMB #Silently Reject Microsoft SMB Traffic
-DropUPnP #Silently Drop UPnP Probes
-RejectAuth #Silently Reject Auth
-DropPing #Silently Drop Ping
-DropDNSrep #Silently Drop DNS Replies
-
-AllowPing #Accept Ping
-AllowFTP #Accept FTP
-AllowDNS #Accept DNS
-AllowSSH #Accept SSH
-AllowWeb #Allow Web Browsing
-AllowSMB #Allow MS Networking
-AllowAuth #Allow Auth (identd)
-AllowSMTP #Allow SMTP (Email)
-AllowPOP3 #Allow reading mail via POP3
-AllowIMAP #Allow reading mail via IMAP
-AllowTelnet #Allow Telnet Access (not recommended for use over the
- #Internet)
-AllowVNC #Allow VNC viewer->server, Displays 0-9
-AllowVNCL #Allow VNC server->viewer in listening mode
-AllowNTP #Allow Network Time Protocol (ntpd)
-AllowRdate #Allow remote time (rdate).
-AllowNNTP #Allow network news (Usenet).
-AllowTrcrt #Allows Traceroute (20 hops)
-AllowSNMP #Allows SNMP (including traps)
-AllowPCA #Allows PCAnywhere (tm)
-
-Drop:DROP #Common Action for DROP policy
-Reject:REJECT #Common Action for REJECT policy
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/bogons b/Lrp/usr/share/shorewall/bogons
deleted file mode 100644
index 46af67c47..000000000
--- a/Lrp/usr/share/shorewall/bogons
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Shorewall 2.0-- Bogons File
-#
-# /etc/shorewall/bogons
-#
-# Lists the subnetworks that are blocked by the 'nobogons' interface option.
-#
-# The default list includes those those ip ADDRESSES listed
-# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
-# reserved for use in documentation and examples.
-#
-# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
-# TO /etc/shorewall AND MODIFY THE COPY.
-#
-# Columns are:
-#
-# SUBNET The subnet (host addresses also allowed)
-# TARGET Where to send packets to/from this subnet
-# RETURN - let the packet be processed normally
-# DROP - silently drop the packet
-# logdrop - log then drop
-#
-###############################################################################
-#SUBNET TARGET
-0.0.0.0 RETURN # Stop the DHCP whining
-255.255.255.255 RETURN # We need to allow limited broadcast
-169.254.0.0/16 DROP # DHCP autoconfig
-192.0.2.0/24 logdrop # Example addresses (RFC 3330)
-#
-# The following are generated with the help of the Python program found at:
-#
-# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
-#
-# The program was contributed by Andy Wiggin
-
-0.0.0.0/7 logdrop # Reserved
-2.0.0.0/8 logdrop # Reserved
-5.0.0.0/8 logdrop # Reserved
-7.0.0.0/8 logdrop # Reserved
-23.0.0.0/8 logdrop # Reserved
-27.0.0.0/8 logdrop # Reserved
-31.0.0.0/8 logdrop # Reserved
-36.0.0.0/7 logdrop # Reserved
-39.0.0.0/8 logdrop # Reserved
-41.0.0.0/8 logdrop # Reserved
-42.0.0.0/8 logdrop # Reserved
-49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-73.0.0.0/8 logdrop # Reserved
-74.0.0.0/7 logdrop # Reserved
-76.0.0.0/6 logdrop # Reserved
-89.0.0.0/8 logdrop # Reserved
-90.0.0.0/7 logdrop # Reserved
-92.0.0.0/6 logdrop # Reserved
-96.0.0.0/3 logdrop # Reserved
-127.0.0.0/8 logdrop # Loopback
-173.0.0.0/8 logdrop # Reserved
-174.0.0.0/7 logdrop # Reserved
-176.0.0.0/5 logdrop # Reserved
-184.0.0.0/6 logdrop # Reserved
-189.0.0.0/8 logdrop # Reserved
-190.0.0.0/8 logdrop # Reserved
-197.0.0.0/8 logdrop # Reserved
-198.18.0.0/15 logdrop # Reserved
-223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
-240.0.0.0/4 logdrop # Reserved
-#
-# End of generated entries
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/usr/share/shorewall/configpath b/Lrp/usr/share/shorewall/configpath
deleted file mode 100644
index f676bd1b0..000000000
--- a/Lrp/usr/share/shorewall/configpath
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Shorewall version 2.0 - Default Config Path
-#
-# /usr/share/shorewall/configpath
-#
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
\ No newline at end of file
diff --git a/Lrp/usr/share/shorewall/firewall b/Lrp/usr/share/shorewall/firewall
deleted file mode 100755
index b7d4ad47d..000000000
--- a/Lrp/usr/share/shorewall/firewall
+++ /dev/null
@@ -1,6429 +0,0 @@ -#!/bin/sh -# -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2004 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# Commands are: -# -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# shorewall reset Resets iptabless packet and -# byte counts -# shorewall clear Remove all Shorewall chains -# and rules/policies. -# shorewall refresh . Rebuild the common chain -# shorewall check Verify the more heavily-used -# configuration files. -# -# Mutual exclusion -- These functions are jackets for the mutual exclusion -# routines in $FUNCTIONS. They invoke -# the corresponding function in that file if the user did -# not specify "nolock" on the runline. 
-# -my_mutex_on() { - [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } -} - -my_mutex_off() { - [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } -} - -# -# Message to stderr -# -error_message() # $* = Error Message -{ - echo " $@" >&2 -} - -# -# Fatal error -- stops the firewall after issuing the error message -# -fatal_error() # $* = Error Message -{ - echo " Error: $@" >&2 - if [ $COMMAND = check ]; then - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - else - stop_firewall - fi - exit 2 -} - -# -# Fatal error during startup -- generate an error message and abend with -# altering the state of the firewall -# -startup_error() # $* = Error Message -{ - echo " Error: $@" >&2 - my_mutex_off - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - kill $$ - exit 2 -} - -# -# Send a message to STDOUT and the System Log -# -report () { # $* = message - echo "$@" - logger "$@" -} - -# -# Write the passed args to $RESTOREBASE -# -save_command() -{ - echo "$@" >> $RESTOREBASE -} - -# -# Write a progress_message command to $RESTOREBASE -# -save_progress_message() -{ - - echo >> $RESTOREBASE - echo "progress_message \"$@\"" >> $RESTOREBASE - echo >> $RESTOREBASE -} - -# -# Save the passed command in the restore script then run it -- returns the status of the command -# If the command involves file redirection then it must be enclosed in quotes as in: -# -# run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" -# -run_and_save_command() -{ - echo "$@" >> $RESTOREBASE - eval $* -} - -# -# Run the passed command and if it succeeds, save it in the restore script. 
If it fails, stop the firewall and die -# -ensure_and_save_command() -{ - if eval $* ; then - echo "$@" >> $RESTOREBASE - else - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Append a file in $STATEDIR to $RESTOREBASE -# -append_file() # $1 = File Name -{ - save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> $RESTOREBASE - save_command __EOF__ -} - -# -# Run iptables and if an error occurs, stop the firewall and quit -# -run_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - - if ! iptables $@ ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Version of 'run_iptables' that inserts white space after "!" in the arg list -# -run_iptables2() { - - if [ "x${*%!*}" = "x$*" ]; then - # - # No "!" in the command -- just execute it - # - run_iptables $@ - return - fi - # - # Need to insert white space before each "!" - # - run_iptables $(fix_bang $@) -} - -# -# Quietly run iptables -# -qt_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - - qt iptables $@ -} - -# -# Run ip and if an error occurs, stop the firewall and quit -# -run_ip() { - if ! ip $@ ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Run arp and if an error occurs, stop the firewall and quit -# -run_arp() { - if ! arp $@ ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Run tc and if an error occurs, stop the firewall and quit -# -run_tc() { - if ! tc $@ ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Create a filter chain -# -# If the chain isn't one of the common chains then add a rule to the chain -# allowing packets that are part of an established connection. Create a -# variable exists_${1} and set its value to Yes to indicate that the chain now -# exists. 
-# -createchain() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - run_iptables -N $1 - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes -} - -createchain2() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - if iptables -N $1; then - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes - fi -} - -# -# Determine if a chain exists -# -# When we create a chain "chain", we create a variable named exists_chain and -# set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havechain() # $1 = name of chain -{ - local c=$(chain_base $1) - - eval test \"\$exists_${c}\" = Yes -} - -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt iptables -L $1 -n -} - -# -# Query NetFilter about the existence of a mangle chain -# -mangle_chain_exists() # $1 = chain name -{ - qt iptables -t mangle -L $1 -n -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurechain() # $1 = chain name -{ - havechain $1 || createchain $1 yes -} - -ensurechain1() # $1 = chain name -{ - havechain $1 || createchain $1 no -} - -# -# Add a rule to a chain creating the chain if necessary -# -addrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables2 -A $@ -} - -# -# Create a nat chain -# -# Create a variable exists_nat_${1} and set its value to Yes to indicate that -# the chain now exists. 
-# -createnatchain() # $1 = chain name -{ - run_iptables -t nat -N $1 - - eval exists_nat_${1}=Yes -} - -# -# Determine if a nat chain exists -# -# When we create a chain "chain", we create a variable named exists_nat_chain -# and set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havenatchain() # $1 = name of chain -{ - eval test \"\$exists_nat_${1}\" = Yes -} - -# -# Ensure that a nat chain exists (create it if it doesn't) -# -ensurenatchain() # $1 = chain name -{ - havenatchain $1 || createnatchain $1 -} - -# -# Add a rule to a nat chain creating the chain if necessary -# -addnatrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurenatchain $1 - run_iptables2 -t nat -A $@ -} - -# -# Delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established and related connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Flush one of the Mangle table chains -# -flushmangle() # $1 = name of chain -{ - run_iptables -t mangle -F $1 -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne=$1 - local z - local interface - - for interface in $all_interfaces; do - eval z=\$$(chain_base 
$interface)_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo $(chain_base $1)_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo $(chain_base $1)_in -} - -# -# Output Chain for an interface -# -output_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo $(chain_base $1)_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo $(chain_base $1)_mac -} - -# -# Functions for creating dynamic zone rules -# -dynamic_fwd() # $1 = interface -{ - echo $(chain_base $1)_dynf -} - -dynamic_in() # $1 = interface -{ - echo $(chain_base $1)_dyni -} - -dynamic_out() # $1 = interface -{ - echo $(chain_base $1)_dyno -} - -dynamic_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_dyni ${c}_dynf ${c}_dyno -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to a zone -# -snat_chain() # $1 = zone -{ - echo $(chain_base $1)_snat -} - -# -# ECN Chain to an interface -# -ecn_chain() # $1 = interface -{ - echo $(chain_base $1)_ecn -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_fwd ${c}_in -} - -# -# Horrible hack to work around an iptables bug -# -physdev_echo() -{ - if [ -f $TMP_DIR/physdev ]; then - echo $@ - else - echo -m physdev $@ - > $TMP_DIR/physdev - fi -} - -# -# We allow hosts to be specified by IP address or by physdev. These two functions -# are used to produce the proper match in a netfilter rule. 
-# -match_source_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-in ${1%:*} -s ${1#*:}" - ;; - *.*.*.*) - echo -s $1 - ;; - *) - physdev_echo "--physdev-in $1" - ;; - esac - else - echo -s $1 - fi -} - -match_dest_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-out ${1%:*} -d ${1#*:}" - ;; - *.*.*.*) - echo -d $1 - ;; - *) - physdev_echo "--physdev-out $1" - ;; - esac - else - echo -d $1 - fi -} - -# -# Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in /etc/shorewall/interfaces then a normal interface match is -# generated (-i or -o); otherwise, a physdev match is generated. -#------------------------------------------------------------------------------------- -# -# loosely match the passed interface with those in /etc/shorewall/interfaces. -# -known_interface() # $1 = interface name -{ - local iface - - for iface in $all_interfaces ; do - if if_match $iface $1 ; then - return 0 - fi - done - - return 1 -} - -match_source_dev() -{ - if [ -n "$BRIDGING" ]; then - list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1 - else - echo -i $1 - fi -} - -match_dest_dev() -{ - if [ -n "$BRIDGING" ]; then - list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1 - else - echo -o $1 - fi -} - -verify_interface() -{ - known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; } -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts interface address addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo $interface:$address - done - fi - done < $TMP_DIR/hosts -} - -# -# Determine the 
interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $zones; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Determine the defined hosts in each zone and generate report -# -determine_hosts() { - - for zone in $zones; do - hosts=$(find_hosts $zone) - hosts=$(echo $hosts) # Remove extra trash - - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if interface_has_option $interface detectnets; then - networks=$(get_routed_networks $interface) - else - networks=0.0.0.0/0 - fi - - for network in $networks; do - if [ -z "$hosts" ]; then - hosts=$interface:$network - else - hosts="$hosts $interface:$network" - fi - - if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$network \$${zone}_routeback\" - fi - done - done - - interfaces= - - for host in $hosts; do - interface=${host%:*} - if list_search $interface $interfaces; then - list_search $interface:0.0.0.0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - list_search $interface:0/0 $hosts && \ - startup_error "Invalid zone definition for zone $zone" - eval ${zone}_is_complex=Yes - else - if [ -z "$interfaces" ]; then - interfaces=$interface - else - interfaces="$interfaces $interface" - fi - fi - done - - eval ${zone}_interfaces="\$interfaces" - eval ${zone}_hosts="\$hosts" - - if [ -n "$hosts" ]; then - eval display=\$${zone}_display - display_list "$display Zone:" $hosts - else - error_message "Warning: Zone $zone is empty" - fi - done -} - -# -# Ensure that the passed 
zone is defined in the zones file or is the firewall -# -validate_zone() # $1 = zone -{ - list_search $1 $zones $FW -} -# -# Ensure that the passed zone is defined in the zones file. -# -validate_zone1() # $1 = zone -{ - list_search $1 $zones -} - -# -# Validate the zone names and options in the interfaces file -# -validate_interfaces_file() { - local wildcard - local found_obsolete_option= - local z interface networks options r iface option - - while read z interface networks options; do - expandv z interface networks options - r="$z $interface $networks $options" - - [ "x$z" = "x-" ] && z= - - if [ -n "$z" ]; then - validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" - fi - - list_search $interface $all_interfaces && \ - startup_error "Duplicate Interface $interface" - - wildcard= - - case $interface in - *:*|+) - startup_error "Invalid Interface Name: $interface" - ;; - *+) - wildcard=Yes - ;; - esac - - all_interfaces="$all_interfaces $interface" - options=$(separate_list $options) - iface=$(chain_base $interface) - - eval ${iface}_broadcast="$networks" - eval ${iface}_zone="$z" - eval ${iface}_options=\"$options\" - - for option in $options; do - case $option in - dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) - ;; - dropunclean|logunclean) - if [ -z "$found_obsolete_option" ]; then - found_obsolete_option=yes - error_message \ - "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" - error_message \ - " PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..." - sleep 5 - error_message "GOTCHA!!!! 
:-)" - error_message \ - " Now please remove these options from your interfaces file -- Thanks" - fi - ;; - detectnets) - [ -n "$wildcard" ] && \ - startup_error "The \"detectnets\" option may not be used with a wild-card interface" - ;; - routeback) - [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" - ;; - *) - error_message "Warning: Invalid option ($option) in record \"$r\"" - ;; - esac - done - - [ -z "$all_interfaces" ] && startup_error "No Interfaces Defined" - - done < $TMP_DIR/interfaces -} - -# -# Validate the zone names and options in the hosts file -# -validate_hosts_file() { - local z hosts options r interface host option port ports - - check_bridge_port() - { - list_search $1 $ports || ports="$ports $1" - list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" - list_search $1 $all_ports || all_ports="$all_ports $1" - } - - while read z hosts options; do - expandv z hosts options - r="$z $hosts $options" - validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\"" - - interface=${hosts%%:*} - iface=$(chain_base $interface) - - list_search $interface $all_interfaces || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - - hosts=${hosts#*:} - - eval ports=\$${iface}_ports - eval zports=\$${z}_ports - - for host in $(separate_list $hosts); do - - [ -n "$BRIDGING" ] && case $host in - *:*) - known_interface ${host%:*} && \ - startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - check_bridge_port ${host%%:*} - ;; - *.*.*.*) - ;; - *) - known_interface $host && \ - startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" - check_bridge_port $host - ;; - esac - - for option in $(separate_list $options) ; do - case $option in - maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-) - ;; - routeback) - [ -z "$ports" ] && \ - eval ${z}_routeback=\"$interface:$host 
\$${z}_routeback\" - ;; - *) - error_message "Warning: Invalid option ($option) in record \"$r\"" - ;; - esac - done - done - - if [ -n "$ports" ]; then - eval ${iface}_ports=\"$ports\" - eval ${z}_ports=\"$zports\" - fi - - done < $TMP_DIR/hosts - - [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports" -} - -# -# Format a match by the passed MAC address -# The passed address begins with "~" and uses "-" as a separator between bytes -# Example: ~01-02-03-04-05-06 -# -mac_match() # $1 = MAC address formated as described above -{ - echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')" -} - -# -# validate the policy file -# -validate_policy() -{ - local clientwild - local serverwild - local zone - local zone1 - local pc - local chain - local policy - local loglevel - local synparams - - print_policy() # $1 = source zone, $2 = destination zone - { - [ $COMMAND != check ] || \ - [ $1 = $2 ] || \ - [ $1 = all ] || \ - [ $2 = all ] || \ - progress_message " Policy for $1 to $2 is $policy using chain $chain" - } - - all_policy_chains= - - strip_file policy - - while read client server policy loglevel synparams; do - expandv client server policy loglevel synparams - - clientwild= - serverwild= - - case "$client" in - all|ALL) - clientwild=Yes - ;; - *) - if ! validate_zone $client; then - startup_error "Undefined zone $client" - fi - esac - - case "$server" in - all|ALL) - serverwild=Yes - ;; - *) - if ! 
validate_zone $server; then - startup_error "Undefined zone $server" - fi - esac - - case $policy in - ACCEPT|REJECT|DROP|CONTINUE) - ;; - NONE) - [ "$client" = "$FW" -o "$server" = "$FW" ] && \ - startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone" - - [ -n "$clientwild" -o -n "$serverwild" ] && \ - startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\"" - ;; - *) - startup_error "Invalid policy $policy" - ;; - esac - - chain=${client}2${server} - - if is_policy_chain $chain ; then - startup_error "Duplicate policy $policy" - fi - - [ "x$loglevel" = "x-" ] && loglevel= - - [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" - - eval ${chain}_is_policy=Yes - eval ${chain}_policy=$policy - eval ${chain}_loglevel=$loglevel - eval ${chain}_synparams=$synparams - - if [ -n "${clientwild}" ]; then - if [ -n "${serverwild}" ]; then - for zone in $zones $FW all; do - for zone1 in $zones $FW all; do - eval pc=\$${zone}2${zone1}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${zone1}_policychain=$chain - eval ${zone}2${zone1}_policy=$policy - print_policy $zone $zone1 - fi - done - done - else - for zone in $zones $FW all; do - eval pc=\$${zone}2${server}_policychain - - if [ -z "$pc" ]; then - eval ${zone}2${server}_policychain=$chain - eval ${zone}2${server}_policy=$policy - print_policy $zone $server - fi - done - fi - elif [ -n "$serverwild" ]; then - for zone in $zones $FW all; do - eval pc=\$${client}2${zone}_policychain - - if [ -z "$pc" ]; then - eval ${client}2${zone}_policychain=$chain - eval ${client}2${zone}_policy=$policy - print_policy $client $zone - fi - done - else - eval ${chain}_policychain=${chain} - print_policy $client $server - fi - - done < $TMP_DIR/policy -} - -# -# Find broadcast addresses -# -find_broadcasts() { - for interface in $all_interfaces; do - eval bcast=\$$(chain_base $interface)_broadcast - if [ "x$bcast" = "xdetect" 
]; then - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u - elif [ "x${bcast}" != "x-" ]; then - echo $(separate_list $bcast) - fi - done -} - -# -# Find interface address--returns the first IP address assigned to the passed -# device -# -find_interface_address() # $1 = interface -{ - # - # get the line of output containing the first IP address - # - addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1) - # - # If there wasn't one, bail out now - # - [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" - # - # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) - # along with everything else on the line - # - echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' -} - -# -# Find interfaces that have the passed option specified -# -find_interfaces_by_option() # $1 = option -{ - for interface in $all_interfaces; do - eval options=\$$(chain_base $interface)_options - list_search $1 $options && echo $interface - done -} - -# -# Find hosts with the passed option -# -find_hosts_by_option() # $1 = option -{ - local ignore hosts interface address addresses options - - while read ignore hosts options; do - expandv options - if list_search $1 $(separate_list $options); then - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo $interface:$address - done - fi - done < $TMP_DIR/hosts - - for interface in $all_interfaces; do - interface_has_option $interface $1 && \ - echo ${interface}:0.0.0.0/0 - done -} - -# -# Determine if there are interfaces of the given zone and option -# -# Returns zero if any such interfaces are found and returns one otherwise. 
-# -have_interfaces_in_zone_with_option() # $1 = zone, $2 = option -{ - local zne=$1 - local z - local interface - - for interface in $all_interfaces; do - eval z=\$$(chain_base $interface)_zone - - [ "x$z" = "x$zne" ] && \ - list_search $1 $options && \ - return 0 - done - - return 1 -} - -# -# Flush and delete all user-defined chains in the filter table -# -deleteallchains() { - run_iptables -F - run_iptables -X -} - -# -# Source a user exit file if it exists -# -run_user_exit() # $1 = file name -{ - local user_exit=$(find_file $1) - - if [ -f $user_exit ]; then - progress_message "Processing $user_exit ..." - . $user_exit - fi -} - -# -# Add a logging rule. -# -log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limit $5=log tag $... = predicates for the rule -{ - local level=$1 - local chain=$2 - local disposition=$3 - local rulenum= - local limit="${4:-$LOGLIMIT}" - local tag=${5:+$5 } - local prefix - local base=$(chain_base $displayChain) - - shift;shift;shift;shift;shift - - if [ -n "$LOGRULENUMBERS" ]; then - eval rulenum=\$${base}_logrules - - rulenum=${rulenum:-1} - - prefix="$(printf "$LOGFORMAT" $chain $rulenum $disposition)${tag}" - - rulenum=$(($rulenum + 1)) - eval ${base}_logrules=$rulenum - else - prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag}" - fi - - if [ ${#prefix} -gt 29 ]; then - prefix="$(echo $prefix | cut -b -29)" - error_message "Warning: Log Prefix shortened to \"$prefix\"" - fi - - case $level in - ULOG) - iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" - ;; - *) - iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" - ;; - esac - - if [ $? -ne 0 ] ; then - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule -{ - local level=$1 - local chain=$2 - local disposition=$3 - - shift;shift;shift - - log_rule_limit $level $chain $disposition "$LOGLIMIT" "" $@ -} - -# -# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING -# -setup_forwarding() { - - save_progress_message "Restoring IP Forwarding..." - - case "$IP_FORWARDING" in - [Oo][Nn]) - run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" - echo "IP Forwarding Enabled" - ;; - [Oo][Ff][Ff]) - run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" - echo "IP Forwarding Disabled!" - ;; - esac -} - -# -# Disable IPV6 -# -disable_ipv6() { - local foo="$(ip -f inet6 addr ls 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt which ip6tables; then - save_progress_message "Disabling IPV6..." - ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - -disable_ipv6_1() { - local foo="$(ip -f inet6 addr ls 2> /dev/null)" - - if [ -n "$foo" ]; then - if qt which ip6tables; then - progress_message "Disabling IPV6..." - ip6tables -P FORWARD DROP - ip6tables -P INPUT DROP - ip6tables -P OUTPUT DROP - else - error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables" - fi - fi -} - -# -# Stop the Firewall -# -stop_firewall() { - # - # Turn off trace unless we were tracing "stop" or "clear" - # - - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - - case $COMMAND in - stop|clear) - ;; - check) - kill $$ - exit 2 - ;; - *) - set +x - - [ -z "$RESTOREFILE" ] && RESTOREFILE=restore - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... 
- $RESTOREPATH
- echo "Shorewall restored from $RESTOREPATH"
- my_mutex_off
- kill $$
- exit 2
- fi
- ;;
- esac
-
- stopping="Yes"
-
- terminator=
-
- deletechain shorewall
-
- run_user_exit stop
-
- [ -n "$MANGLE_ENABLED" ] && \
- run_iptables -t mangle -F && \
- run_iptables -t mangle -X
-
- [ -n "$NAT_ENABLED" ] && delete_nat
- delete_proxy_arp
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$DISABLE_IPV6" ] && disable_ipv6_1
-
- if [ -z "$ADMINISABSENTMINDED" ]; then
- for chain in INPUT OUTPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- deleteallchains
- else
- for chain in INPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- setpolicy OUTPUT ACCEPT
-
- deleteallchains
-
- for chain in INPUT FORWARD; do
- setcontinue $chain
- done
- fi
-
- hosts=
-
- strip_file routestopped
-
- while read interface host options; do
- expandv interface host options
- [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
- for h in $(separate_list $host); do
- hosts="$hosts $interface:$h"
- done
-
- routeback=
-
- if [ -n $options ]; then
- for option in $(separate_list $options); do
- case $option in
- routeback)
- if [ -n "$routeback" ]; then
- error_message "Warning: Duplicate option ignored: routeback"
- else
- routeback=Yes
- for h in $(separate_list $host); do
- iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
- done
- fi
- ;;
- *)
- error_message "Warning: Unknown option ignored: $option"
- ;;
- esac
- done
- fi
-
- done < $TMP_DIR/routestopped
-
- for host in $hosts; do
- interface=${host%:*}
- networks=${host#*:}
- iptables -A INPUT -i $interface -s $networks -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -o $interface -d $networks -j ACCEPT
-
- for host1 in $hosts; do
- [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT
- done
- done
-
- iptables -A INPUT -i lo -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -o lo -j ACCEPT
-
- for interface in
$(find_interfaces_by_option dhcp); do
- iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
- #
- # This might be a bridge
- #
- iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
- done
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Disabled!"
- ;;
- esac
-
- run_user_exit stopped
-
- logger "Shorewall Stopped"
-
- rm -rf $TMP_DIR
-
- case $COMMAND in
- stop|clear)
- ;;
- *)
- #
- # The firewall is being stopped when we were trying to do something
- # else. Remove the lock file and Kill the shell in case we're in a
- # subshell
- #
- my_mutex_off
- kill $$
- ;;
- esac
-}
-
-#
-# Remove all rules and remove all user-defined chains
-#
-clear_firewall() {
- stop_firewall
-
- run_iptables -F
-
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- if qt which ip6tables; then
- ip6tables -P INPUT ACCEPT 2> /dev/null
- ip6tables -P OUTPUT ACCEPT 2> /dev/null
- ip6tables -P FORWARD ACCEPT 2> /dev/null
- fi
-
- run_user_exit clear
-
- logger "Shorewall Cleared"
-}
-
-#
-# Set up ipsec tunnels
-#
-setup_tunnels() # $1 = name of tunnels file
-{
- local inchain
- local outchain
-
- setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
- {
- local kind=$2 noah=
-
- case $kind in
- *:*)
- noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
- kind=${kind%:*}
- ;;
- esac
-
- [ $kind = IPSEC ] && kind=ipsec
-
- options="-m state --state NEW -j ACCEPT"
- addrule $inchain -p 50 -s $1 -j ACCEPT
- addrule $outchain -p 50 -d $1 -j ACCEPT
- if [ -z "$noah" ]; then
- run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
- run_iptables -A $outchain -p 51 -d
$1 -j ACCEPT
- fi
-
- run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
-
- if [ $kind = ipsec ]; then
- run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
- else
- run_iptables -A $inchain -p udp -s $1 --dport 500 $options
- run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
- fi
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
- if [ $kind = ipsec ]; then
- addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
- else
- addrule ${z}2${FW} -p udp --dport 500 $options
- addrule ${z}2${FW} -p udp --dport 4500 $options
- fi
- else
- error_message "Warning: Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" may encounter keying problems"
- fi
- done
-
- progress_message " IPSEC tunnel to $gateway defined."
- }
-
- setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
- {
- addrule $inchain -p $3 -s $2 -j ACCEPT
- addrule $outchain -p $3 -d $2 -j ACCEPT
-
- progress_message " $1 tunnel to $2 defined."
- }
-
- setup_pptp_client() # $1 = gateway
- {
- addrule $outchain -p 47 -d $1 -j ACCEPT
- addrule $inchain -p 47 -j ACCEPT
- addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
-
- progress_message " PPTP tunnel to $1 defined."
- }
-
- setup_pptp_server() # $1 = gateway
- {
- addrule $inchain -p 47 -s $1 -j ACCEPT
- addrule $outchain -p 47 -d $1 -j ACCEPT
- addrule $inchain -p tcp --dport 1723 -s $1 -j ACCEPT
-
- progress_message " PPTP server defined."
- }
-
- setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
- {
- case $2 in
- *:*)
- p=${2#*:}
- ;;
- *)
- p=5000
- ;;
- esac
-
- addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT
- addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
-
- progress_message " OPENVPN tunnel to $1:$p defined."
- }
-
- setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
- {
- local protocol
- local p=
-
- case $2 in
- *:*:*)
- p=${2##*:}
- protocol=${2%:*}
- protocol=${protocol#*:}
- ;;
- *:*)
- protocol=${2#*:}
- ;;
- *)
- protocol=udp
- p=5000
- ;;
- esac
-
- p=${p:+--dport $p}
-
- addrule $inchain -p $protocol -s $1 $p -j ACCEPT
- addrule $outchain -p $protocol -d $1 $p -j ACCEPT
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p $protocol $p -j ACCEPT
- addrule ${z}2${FW} -p $protocol $p -j ACCEPT
- else
- error_message "Warning: Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" may encounter problems"
- fi
- done
-
- progress_message " GENERIC tunnel to $1:$p defined."
- }
-
- strip_file tunnels $1
-
- while read kind z gateway z1; do
- expandv kind z gateway z1
- tunnel="$(echo $kind $z $gateway $z1)"
- if validate_zone $z; then
- inchain=${z}2${FW}
- outchain=${FW}2${z}
- gateway=${gateway:-0.0.0.0/0}
- case $kind in
- ipsec|IPSEC|ipsec:*|IPSEC:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipip|IPIP)
- setup_one_other IPIP $gateway 4
- ;;
- gre|GRE)
- setup_one_other GRE $gateway 47
- ;;
- 6to4|6TO4)
- setup_one_other 6to4 $gateway 41
- ;;
- pptpclient|PPTPCLIENT)
- setup_pptp_client $gateway
- ;;
- pptpserver|PPTPSERVER)
- setup_pptp_server $gateway
- ;;
- openvpn|OPENVPN|openvpn:*|OPENVPN:*)
- setup_one_openvpn $gateway $kind
- ;;
- generic:*|GENERIC:*)
- setup_one_generic $gateway $kind $z1
- ;;
- *)
- error_message "Tunnels of type $kind are not supported:" \
- "Tunnel \"$tunnel\" Ignored"
- ;;
- esac
- else
- error_message "Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" Ignored"
- fi
- done < $TMP_DIR/tunnels
-}
-
-#
-# Setup Proxy ARP
-#
-setup_proxy_arp() {
-
- print_error() {
- error_message "Invalid value for HAVEROUTE - ($haveroute)"
- error_message "Entry \"$address $interface $external
$haveroute\" ignored"
- }
-
- print_error1() {
- error_message "Invalid value for PERSISTENT - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
- }
-
- print_warning() {
- error_message "PERSISTENT setting ignored - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\""
- }
-
- setup_one_proxy_arp() {
-
- case $haveroute in
- [Nn][Oo])
- haveroute=
- ;;
- [Yy][Ee][Ss])
- ;;
- *)
- if [ -n "$haveroute" ]; then
- print_error
- return
- fi
- ;;
- esac
-
- case $persistent in
- [Nn][Oo])
- persistent=
- ;;
- [Yy][Ee][Ss])
- [ -z "$haveroute" ] || print_warning
- ;;
- *)
- if [ -n "$persistent" ]; then
- print_error1
- return
- fi
- ;;
- esac
-
- if [ -z "$haveroute" ]; then
- ensure_and_save_command ip route replace $address dev $interface
- [ -n "$persistent" ] && haveroute=yes
- fi
-
- ensure_and_save_command arp -i $external -Ds $address $external pub
-
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp"
-
- echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
-
- progress_message " Host $address connected to $interface added to ARP on $external"
- }
-
- > ${STATEDIR}/proxyarp
-
- save_progress_message "Restoring Proxy ARP..."
-
- while read address interface external haveroute persistent; do
- expandv address interface external haveroute persistent
- setup_one_proxy_arp
- done < $TMP_DIR/proxyarp
-
- interfaces=$(find_interfaces_by_option proxyarp)
-
- for interface in $interfaces; do
- if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
- progress_message " Enabled proxy ARP on $interface"
- save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- else
- error_message "Warning: Unable to enable proxy ARP on $interface"
- fi
- done
-}
-
-#
-# Set up MAC Verification
-#
-setup_mac_lists() {
- local interface
- local mac
- local addresses
- local address
- local chain
- local logpart
- local macpart
- local blob
- local hosts
- #
- # Generate the list of interfaces having MAC verification
- #
- maclist_interfaces=
-
- for hosts in $maclist_hosts; do
- interface=${hosts%%:*}
- if ! list_search $interface $maclist_interfaces; then\
- if [ -z "$maclist_interfaces" ]; then
- maclist_interfaces=$interface
- else
- maclist_interfaces="$maclist_interfaces $interface"
- fi
- fi
- done
-
- progress_message "Setting up MAC Verification on $maclist_interfaces..."
- #
- # Be sure that they are all ethernet interfaces
- #
- for interface in $maclist_interfaces; do
- case $interface in
- eth*|wlan*|br[0-9]|ath[0-9])
- ;;
- *)
- fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface"
- ;;
- esac
-
- createchain $(mac_chain $interface) no
- done
- #
- # Process the maclist file producing the verification rules
- #
-
- while read interface mac addresses; do
- expandv interface mac addresses
-
- physdev_part=
-
- if [ -n "$BRIDGING" ]; then
- case $interface in
- *:*)
- physdev_part="-m physdev --physdev-in ${interface#*:}"
- interface=${interface%:*}
- ;;
- esac
- fi
-
- chain=$(mac_chain $interface)
-
- if !
havechain $chain ; then
- fatal_error "No hosts on $interface have the maclist option specified"
- fi
-
- macpart=$(mac_match $mac)
-
- if [ -z "$addresses" ]; then
- run_iptables -A $chain $macpart $physdev_part -j RETURN
- else
- for address in $(separate_list $addresses) ; do
- run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
- done
- fi
- done < $TMP_DIR/maclist
- #
- # Must take care of our own broadcasts and multicasts then terminate the verification
- # chains
- #
- for interface in $maclist_interfaces; do
- chain=$(mac_chain $interface)
-
- blob=$(ip link show $interface 2> /dev/null)
-
- [ -z "$blob" ] && \
- fatal_error "Interface $interface must be up before Shorewall can start"
-
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
- if [ -n "$broadcast" ]; then
- run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
- fi
-
- run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
- run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
- done
-
- if [ -n "$MACLIST_LOG_LEVEL" ]; then
- log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
- fi
-
- run_iptables -A $chain -j $maclist_target
- done
- #
- # Generate jumps from the input and forward chains
- #
- for hosts in $maclist_hosts; do
- interface=${hosts%%:*}
- hosts=${hosts#*:}
- for chain in $(first_chains $interface) ; do
- run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
- -j $(mac_chain $interface)
- done
- done
-}
-
-#
-# Set up SYN flood protection
-#
-setup_syn_flood_chain ()
- # $1 = policy chain
- # $2 = synparams
- # $3 = loglevel
-{
- local chain=@$1
- local limit=$2
- local limit_burst=
-
- case $limit in
- *:*)
- limit_burst="--limit-burst ${limit#*:}"
- limit=${limit%:*}
- ;;
- esac
-
- run_iptables -N $chain
- run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
- [ -n "$3" ] && \
- log_rule_limit $3 $chain
 DROP "-m limit --limit 5/min --limit-burst 5" ""
- run_iptables -A $chain -j DROP
-}
-
-#
-# Enable SYN flood protection on a chain
-#
-# Insert a jump rule to the protection chain from the first chain. Inserted
-# as the second rule and restrict the jump to SYN packets
-#
-enable_syn_flood_protection() # $1 = chain, $2 = protection chain
-{
- run_iptables -I $1 2 -p tcp --syn -j @$2
- progress_message " Enabled SYN flood protection"
-}
-
-#
-# Delete existing Proxy ARP
-#
-delete_proxy_arp() {
- if [ -f ${STATEDIR}/proxyarp ]; then
- while read address interface external haveroute; do
- qt arp -i $external -d $address pub
- [ -z "$haveroute" ] && qt ip route del $address dev $interface
- done < ${STATEDIR}/proxyarp
-
- rm -f ${STATEDIR}/proxyarp
- fi
-
- [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp
-
- for f in $(ls /proc/sys/net/ipv4/conf/*/proxy_arp); do
- echo 0 > $f
- done
-}
-
-#
-# Setup Static Network Address Translation (NAT)
-#
-setup_nat() {
- local allints
- #
- # At this point, we're just interested in the network translation
- #
- > ${STATEDIR}/nat
-
- save_progress_message "Restoring one-to-one NAT..."
-
- while read external interface internal allints localnat; do
- expandv external interface internal allints localnat
-
- iface=${interface%:*}
-
- if [ -n "$ADD_IP_ALIASES" ]; then
- run_and_save_command qt ip addr del $external dev $iface
- fi
-
- if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
- addnatrule nat_in -d $external -j DNAT --to-destination $internal
- addnatrule nat_out -s $internal -j SNAT --to-source $external
-
- elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then
- addnatrule $(input_chain $iface) \
- -d $external -j DNAT --to-destination $internal
- addnatrule $(output_chain $iface) \
- -s $internal -j SNAT --to-source $external
- else
- fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
- fi
-
- if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
- run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
- elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
- fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""
- fi
-
-
- if [ -n "$ADD_IP_ALIASES" ]; then
- list_search $external $aliases_to_add || \
- aliases_to_add="$aliases_to_add $external $interface"
- fi
-
- progress_message " Host $internal NAT $external on $interface"
- done < $TMP_DIR/nat
-}
-
-#
-# Delete existing Static NAT
-#
-delete_nat() {
- run_iptables -t nat -F
- run_iptables -t nat -X
-
- if [ -f ${STATEDIR}/nat ]; then
- while read external interface; do
- qt ip addr del $external dev $interface
- done < ${STATEDIR}/nat
-
- rm -f {$STATEDIR}/nat
- fi
-
- [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
-}
-
-#
-# Setup Network Mapping (NETMAP)
-#
-setup_netmap() {
-
- while read type net1 interface net2 ; do
- expandv type net1 interface net2
-
- list_search $interface $all_interfaces || \
- fatal_error "Unknown
interface $interface in entry \"$type $net1 $interface $net2\""
-
- case $type in
- DNAT)
- addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
- ;;
- SNAT)
- addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
- ;;
- *)
- fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
- ;;
- esac
-
- progress_message " Network $net1 on $interface mapped to $net2 ($type)"
-
- done < $TMP_DIR/netmap
-}
-
-#
-# Setup ECN disabling rules
-#
-setup_ecn() # $1 = file name
-{
- local interfaces=""
- local hosts
- local h
-
- strip_file ecn $1
-
- echo "Processing $1..."
-
- while read interface host; do
- expandv interface host
- list_search $interface $all_interfaces || \
- startup_error "Unknown interface $interface"
- list_search $interface $interfaces || \
- interfaces="$interfaces $interface"
- [ "x$host" = "x-" ] && host=
- for h in $(separate_list ${host:-0.0.0.0/0}); do
- hosts="$hosts $interface:$h"
- done
- done < $TMP_DIR/ecn
-
- if [ -n "$interfaces" ]; then
- progress_message "Setting up ECN control on${interfaces}..."
-
- for interface in $interfaces; do
- chain=$(ecn_chain $interface)
- if mangle_chain_exists $chain; then
- flushmangle $chain
- else
- run_iptables -t mangle -N $chain
- run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
- run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
- fi
- done
-
- for host in $hosts; do
- interface=${host%:*}
- h=${host#*:}
- run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove
- progress_message " ECN Disabled to $h through $interface"
- done
- fi
-}
-
-#
-# Process a TC Rule - $marking_chain is assumed to contain the name of the
-# default marking chain
-#
-process_tc_rule()
-{
- chain=$marking_chain
-
- add_a_tc_rule() {
- r=
-
- if [ "x$source" != "x-" ]; then
- case $source in
- *.*.*)
- r="-s $source "
- ;;
- ~*)
- r="$(mac_match $source) "
- ;;
- $FW)
- chain=tcout
- ;;
- *)
-
- verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
- r="$(match_source_dev) $source "
- ;;
- esac
- fi
-
- if [ "x${user:--}" != "x-" ]; then
-
- [ "$chain" != tcout ] && \
- fatal_error "Invalid use of a user/group: rule \"$rule\""
-
- case "$user" in
- *:*)
- r="$r-m owner"
- temp="${user%:*}"
- [ -n "$temp" ] && r="$r --uid-owner $temp "
- temp="${user#*:}"
- [ -n "$temp" ] && r="$r --gid-owner $temp "
- ;;
- *)
- r="$r-m owner --uid-owner $user "
- ;;
- esac
- fi
-
- [ "x$dest" = "x-" ] || r="${r}-d $dest "
- [ "x$proto" = "x-" ] && proto=all
- [ "x$proto" = "x" ] && proto=all
- [ "$proto" = "all" ] || r="${r}-p $proto "
- [ "x$port" = "x-" ] || r="${r}--dport $port "
- [ "x$sport" = "x-" ] || r="${r}--sport $sport "
-
- run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
-
- }
-
- if [ "$mark" != "${mark%:*}" ]; then
-
- [ "$chain" = tcout ] && \
- fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
-
- case "${mark#*:}" in
- p|P)
- chain=tcpre
- ;;
- f|F)
- chain=tcfor
- ;;
- *)
- fatal_error "Invalid chain
designator: (${mark#*:}) in rule \"$rule\""
- ;;
- esac
-
- mark="${mark%:*}"
- fi
-
- for source in $(separate_list ${sources:=-}); do
- for dest in $(separate_list ${dests:=-}); do
- for port in $(separate_list ${ports:=-}); do
- for sport in $(separate_list ${sports:=-}); do
- add_a_tc_rule
- done
- done
- done
- done
-
- progress_message " TC Rule \"$rule\" added"
-}
-
-#
-# Setup queuing and classes
-#
-setup_tc1() {
- #
- # Create the TC mangle chains
- #
-
- run_iptables -t mangle -N tcpre
- run_iptables -t mangle -N tcfor
- run_iptables -t mangle -N tcout
- #
- # Process the TC Rules File
- #
- strip_file tcrules
-
- while read mark sources dests proto ports sports user; do
- expandv mark sources dests proto ports sports user
- rule=$(echo "$mark $sources $dests $proto $ports $sports $user")
- process_tc_rule
- done < $TMP_DIR/tcrules
- #
- # Link to the TC mangle chains from the main chains
- #
-
- run_iptables -t mangle -A FORWARD -j tcfor
- run_iptables -t mangle -A PREROUTING -j tcpre
- run_iptables -t mangle -A OUTPUT -j tcout
-
- run_user_exit tcstart
-
- save_progress_message "Restoring Traffic Control..."
- save_command . $(find_file tcstart)
-
-}
-
-setup_tc() {
-
- echo "Setting up Traffic Control Rules..."
-
- setup_tc1
-}
-
-#
-# Clear Traffic Shaping
-#
-delete_tc()
-{
-
- clear_one_tc() {
- run_and_save_command "tc qdisc del dev $1 root 2> /dev/null"
- run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null"
-
- }
-
- save_progress_message "Clearing Traffic Control/QOS"
-
- run_user_exit tcclear
-
- run_ip link list | \
- while read inx interface details; do
- case $inx in
- [0-9]*)
- clear_one_tc ${interface%:}
- ;;
- *)
- ;;
- esac
- done
-}
-
-delete_tc1()
-{
-
- clear_one_tc() {
- tc qdisc del dev $1 root 2> /dev/null
- tc qdisc del dev $1 ingress 2> /dev/null
-
- }
-
- run_user_exit tcclear
-
- run_ip link list | \
- while read inx interface details; do
- case $inx in
- [0-9]*)
- clear_one_tc ${interface%:}
- ;;
- *)
- ;;
- esac
- done
-}
-
-#
-# Process a record from the accounting file
-#
-process_accounting_rule() {
- rule=
- rule2=
- jumpchain=
-
- accounting_error() {
- error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
- }
-
- accounting_interface_error() {
- error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
- }
-
- accounting_interface_verify() {
- verify_interface $1 || accounting_interface_error $1
- }
-
- jump_to_chain() {
- if ! havechain $jumpchain; then
- if !
createchain2 $jumpchain No; then
- accounting_error
- return 2
- fi
- fi
-
- rule="$rule -j $jumpchain"
- }
-
- case $source in
- *:*)
- accounting_interface_verify ${source%:*}
- rule="-s ${source#*:} $(match_source_dev ${source%:*})"
- ;;
- *.*.*.*)
- rule="-s $source"
- ;;
- -|all|any)
- ;;
- *)
- if [ -n "$source" ]; then
- accounting_interface_verify $source
- rule="$(match_source_dev $source)"
- fi
- ;;
- esac
-
- [ -n "$dest" ] && case $dest in
- *:*)
- accounting_interface_verify ${dest%:*}
- rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
- ;;
- *.*.*.*)
- rule="$rule -d $dest"
- ;;
- -|all|any)
- ;;
- *)
- accounting_interface_verify $dest
- rule="$rule $(match_dest_dev $dest)"
- ;;
- esac
-
- [ -n "$proto" ] && case $proto in
- -|any|all)
- ;;
- *)
- rule="$rule -p $proto"
- ;;
- esac
-
- [ -n "$port" ] && case $port in
- -|any|all)
- ;;
- *)
- rule="$rule --dport $port"
- ;;
- esac
-
- [ -n "$sport" ] && case $sport in
- -|any|all)
- ;;
- *)
- rule="$rule --sport $sport"
- ;;
- esac
-
- case $action in
- COUNT)
- ;;
- DONE)
- rule="$rule -j RETURN"
- ;;
- *:COUNT)
- rule2="$rule"
- jumpchain=${action%:*}
- jump_to_chain || return
- ;;
- JUMP:*)
- jumpchain=${action#*:}
- jump_to_chain || return
- ;;
- *)
- jumpchain=$action
- jump_to_chain || return
- ;;
- esac
-
- [ "x$chain" = "x-" ] && chain=accounting
- [ -z "$chain" ] && chain=accounting
-
- ensurechain1 $chain
-
- if iptables -A $chain $(fix_bang $rule) ; then
- [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
- progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
- else
- accounting_error
- fi
-}
-
-#
-# Set up Accounting
-#
-setup_accounting() # $1 = Name of accounting file
-{
-
- echo "Setting up Accounting..."
-
- strip_file accounting $1
-
- while read action chain source dest proto port sport ; do
- expandv action chain source dest proto port sport
- process_accounting_rule
- done < $TMP_DIR/accounting
-
- if havechain accounting; then
- for chain in INPUT FORWARD OUTPUT; do
- run_iptables -A $chain -j accounting
- done
- fi
-
-}
-
-#
-# Check the configuration
-#
-check_config() {
-
- disclaimer() {
- echo
- echo "Notice: The 'check' command is unsupported and problem"
- echo " reports complaining about errors that it didn't catch"
- echo " will not be accepted"
- echo
- }
-
- disclaimer
-
- report_capabilities
-
- echo "Verifying Configuration..."
-
- verify_os_version
-
- echo "Determining Zones..."
-
- determine_zones
-
- [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
-
- display_list "Zones:" $zones
-
- echo "Validating interfaces file..."
-
- validate_interfaces_file
-
- echo "Validating hosts file..."
-
- validate_hosts_file
-
- echo "Determining Hosts in Zones..."
-
- determine_interfaces
- determine_hosts
-
- echo "Validating policy file..."
-
- validate_policy
-
- echo "Pre-validating Actions..."
-
- process_actions1
-
- echo "Validating rules file..."
-
- rules=$(find_file rules)
- strip_file rules $rules
- process_rules
-
- echo "Validating Actions..."
-
- process_actions2
-
- rm -rf $TMP_DIR
- [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
-
- echo "Configuration Validated"
-
- disclaimer
-
-}
-
-#
-# Refresh queuing and classes
-#
-refresh_tc() {
-
- echo "Refreshing Traffic Control Rules..."
-
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
-
- if mangle_chain_exists $chain; then
- #
- # Flush the TC mangle chains
- #
- run_iptables -t mangle -F $chain
-
- run_iptables -t mangle -F tcout
- #
- # Process the TC Rules File
- #
- strip_file tcrules
-
- while read mark sources dests proto ports sports; do
- expandv mark sources dests proto ports sports
- rule=$(echo "$mark $sources $dests $proto $ports $sports")
- process_tc_rule
- done < $TMP_DIR/tcrules
-
- run_user_exit tcstart
- else
- setup_tc1
- fi
-
-}
-
-#
-# Add one Filter Rule from an action -- Helper function for the action file processor
-#
-# The caller has established the following variables:
-# check = current command. If 'check', we're executing a 'check'
-# which only goes through the motions.
-# client = SOURCE IP or MAC
-# server = DESTINATION IP or interface
-# protocol = Protocol
-# address = Original Destination Address
-# port = Destination Port
-# cport = Source Port
-# multioption = String to invoke multiport match if appropriate
-# action = The chain for this rule
-# ratelimit = Optional rate limiting clause
-# userandgroup = owner match clause
-# logtag = Log tag
-#
-add_an_action()
-{
- do_ports() {
- if [ -n "$port" ]; then
- dports="--dport"
- if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
- multiport="$multioption"
- dports="--dports"
- fi
- dports="$dports $port"
- fi
-
- if [ -n "$cport" ]; then
- sports="--sport"
- if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
- multiport="$multioption"
- sports="--sports"
- fi
- sports="$sports $cport"
- fi
- }
-
- interface_error()
- {
- fatal_error "Unknown interface $1 in rule: \"$rule\""
- }
-
- action_interface_verify()
- {
- verify_interface $1 || interface_error $1
- }
-
- # Set source variables. The 'cli' variable will hold the client match predicate(s).
-
- cli=
-
- case "$client" in
- -)
- ;;
- *:*)
- action_interface_verify ${client%:*}
- cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
- ;;
- *.*.*)
- cli="-s $client"
- ;;
- ~*)
- cli=$(mac_match $client)
- ;;
- *)
- if [ -n "$client" ]; then
- action_interface_verify $client
- cli="$(match_source_dev $client)"
- fi
- ;;
- esac
-
- # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
-
- dest_interface=
- serv=
-
- case "$server" in
- -)
- ;;
- *.*.*)
- serv=$server
- ;;
- ~*)
- fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
- ;;
- *)
- if [ -n "$server" ]; then
- action_interface_verify $server
- dest_interface="$(match_dest_dev $server)"
- fi
- ;;
- esac
-
- # Setup protocol and port variables
-
- sports=
- dports=
- proto=$protocol
- servport=$serverport
- multiport=
-
- [ x$port = x- ] && port=
- [ x$cport = x- ] && cport=
-
- case $proto in
- tcp|TCP|6)
- do_ports
- [ "$target" = QUEUE ] && proto="$proto --syn"
- ;;
- udp|UDP|17)
- do_ports
- ;;
- icmp|ICMP|1)
- [ -n "$port" ] && dports="--icmp-type $port"
- ;;
- *)
- [ -n "$port" ] && \
- fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
- ;;
- esac
-
- proto="${proto:+-p $proto}"
-
- # Some misc.
setup
-
- case "$logtarget" in
- LOG)
- [ -z "$loglevel" ] && fatal_error "LOG requires log level"
- ;;
- esac
-
- if [ $COMMAND != check ]; then
- if [ -n "${serv}" ]; then
- for serv1 in $(separate_list $serv); do
- for srv in $(ip_range $serv1); do
- if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
- $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
- fi
-
- run_iptables2 -A $action $proto $multiport $cli $sports \
- -d $srv $dports $ratelimit $userandgroup -j $target
- done
- done
- else
- if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
- $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
- fi
-
- run_iptables2 -A $action $proto $multiport $cli $dest_interface $sports \
- $dports $ratelimit $userandgroup -j $target
- fi
- fi
-}
-
-#
-# Process a record from an action file for the 'start', 'restart' or 'check' commands
-#
-process_action() # $1 = action
- # $2 = target
- # $3 = clients
- # $4 = servers
- # $5 = protocol
- # $6 = ports
- # $7 = cports
- # $8 = ratelimit
- # $9 = userspec
-{
- local action="$1"
- local target="$2"
- local clients="$3"
- local servers="$4"
- local protocol="$5"
- local ports="$6"
- local cports="$7"
- local ratelimit="$8"
- local userspec="$9"
- local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)"
- local userandgroup=
- local logtag=
-
- if [ -n "$ratelimit" ]; then
- case $ratelimit in
- -)
- ratelimit=
- ;;
- *:*)
- ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
- ;;
- *)
- ratelimit="-m limit --limit $ratelimit"
- ;;
- esac
- fi
-
- [ "x$userspec" = "x-" ] && userspec=
-
- if [ -n "$userspec" ]; then
- case "$userspec" in
- !*:*)
- if [ "$userspec" != "!:" ]; then
- userandgroup="-m owner"
- temp="${userspec#!}"
- temp="${temp%:*}"
- [ -n "$temp" ] && userandgroup="$userandgroup !
--uid-owner $temp"
- temp="${userspec#*:}"
- [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp"
- fi
- ;;
- *:*)
- if [ "$userspec" != ":" ]; then
- userandgroup="-m owner"
- temp="${userspec%:*}"
- [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
- temp="${userspec#*:}"
- [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp"
- fi
- ;;
- !*)
- userandgroup="-m owner ! --uid-owner ${userspec#!}"
- ;;
- *)
- userandgroup="-m owner --uid-owner $userspec"
- ;;
- esac
- fi
-
- # Isolate log level
-
- if [ "$target" = "${target%:*}" ]; then
- loglevel=
- else
- loglevel="${target#*:}"
- target="${target%%:*}"
- expandv loglevel
- if [ "$loglevel" != "${loglevel%:*}" ]; then
- logtag="${loglevel#*:}"
- loglevel="${loglevel%:*}"
- expandv logtag
- fi
-
- fi
-
- logtarget="$target"
-
- case $target in
- REJECT)
- target=reject
- ;;
- CONTINUE)
- target=RETURN
- ;;
- *)
- ;;
- esac
-
- # Generate Netfilter rule(s)
-
- [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
-
- if [ -n "$MULTIPORT" ] && \
- ! list_search $protocol "icmp" "ICMP" "1" && \
- [ "$ports" = "${ports%:*}" -a \
- "$cports" = "${cports%:*}" -a \
- $(list_count $ports) -le 15 -a \
- $(list_count $cports) -le 15 ]
- then
- #
- # MULTIPORT is enabled, there are no port ranges in the rule and less than
-# 16 ports are listed - use multiport match.
- #
- multioption="-m multiport"
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
- #
- # add_an_action() modifies these so we must set their values each time
- #
- port=${ports:=-}
- cport=${cports:=-}
- add_an_action
- done
- done
- else
- #
- # MULTIPORT is disabled or the rule isn't compatible with multiport match
- #
- multioption=
- for client in $(separate_list ${clients:=-}); do
- for server in $(separate_list ${servers:=-}); do
- for port in $(separate_list ${ports:=-}); do
- for cport in $(separate_list ${cports:=-}); do
- add_an_action
- done
- done
- done
- done
- fi
- #
- # Report Result
- #
- if [ $COMMAND = check ]; then
- progress_message " Rule \"$rule\" checked."
- else
- progress_message " Rule \"$rule\" added."
- fi
-}
-
-#
-# Create an action chain and run it's associated user exit
-#
-
-createactionchain() # $1 = chain name
-{
- createchain $1 no
- run_user_exit $1
-}
-
-#
-# Read /etc/shorewall/actions and for each defined , pre-process
-# /etc/shorewall/action.
-#
-
-process_actions1() {
-
- ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid"
- USEDACTIONS=
-
- strip_file actions
-
- strip_file actions.std /usr/share/shorewall/actions.std
-
- for inputfile in actions.std actions; do
- while read xaction rest; do
- [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
-
- case $xaction in
- *:*)
- temp=${xaction#*:}
- xaction=${xaction%:*}
- case $temp in
- ACCEPT|REJECT|DROP)
- eval ${temp}_common=$xaction
- if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
- USEDACTIONS="$USEDACTIONS $xaction"
- [ $COMMAND = check ] || createactionchain $xaction
- fi
- ;;
- *)
- fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
- ;;
- esac
- esac
-
- [ -z "$xaction" ] && continue
-
- [ "$xaction" = "$(chain_base $xaction)" ] || fatal_error "Invalid Action Name: $xaction"
-
- if !
list_search $xaction $ACTIONS; then - f=action.$xaction - fn=$(find_file $f) - - eval requiredby_${action}= - - if [ -f $fn ]; then - echo " Pre-processing $fn..." - strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do - expandv xtarget - temp="${xtarget%%:*}" - case "${temp%<*}" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - ;; - *) - if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\" - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - fatal_error "Invalid TARGET in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/$f - else - fatal_error "Missing Action File: $f" - fi - - ACTIONS="$ACTIONS $xaction" - fi - done < $TMP_DIR/$inputfile - done -} -# -# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then -# process the associated action files. -# -process_actions2() { - - log_action() { - [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn - } - - drop_broadcasts() { - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - run_iptables -A dropBcast -d $address -j DROP - done - } - - # - # Generate the transitive closure of $USEDACTIONS - # - changed=Yes - - while [ -n "$changed" ]; do - changed= - for xaction in $USEDACTIONS; do - eval required=\"\$requiredby_${xaction}\" - for action in $required; do - if ! list_search $action $USEDACTIONS; then - USEDACTIONS="$USEDACTIONS $action" - [ $COMMAND = check ] || createactionchain $action - changed=Yes - fi - done - done - done - # - # Now process the relevant action files -- they were already stripped in process_actions1() above. - # - for xaction in $USEDACTIONS; do - case $xaction in - dropBcast) - if [ "$COMMAND" != check ]; then - if [ -n "$PKTTYPE" ]; then - qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - if ! 
qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - drop_broadcasts - fi - else - drop_broadcasts - fi - fi - ;; - dropNonSyn) - error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" - [ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP - ;; - - dropNotSyn) - [ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP - ;; - rejNotSyn) - [ "$COMMAND" != check ] && run_iptables -A rejNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset - ;; - logNotSyn) - log_action logNotSyn LOG - ;; - rLogNotSyn) - log_action rLogNotSyn REJECT - ;; - dLogNotSyn) - log_action dLogNotSyn DROP - ;; - dropInvalid) - [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP - ;; - allowInvalid) - [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT - ;; - *) - f=action.$xaction - fn=$(find_file $f) - - echo "Processing $fn..." - while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec ; do - expandv xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec - process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec - done < $TMP_DIR/$f - ;; - esac - done -} - -# -# Add a NAT rule - Helper function for the rules file processor -# -# The caller has established the following variables: -# command = The current command -- if 'check', we just go through -# the motions. -# cli = Source IP, interface or MAC Specification -# serv = Destination IP Specification -# servport = Port the server is listening on -# dest_interface = Destination Interface Specification -# proto = Protocol Specification -# addr = Original Destination Address -# dports = Destination Port Specification. 
'dports' may be changed -# by this function -# cport = Source Port Specification -# multiport = String to invoke multiport match if appropriate -# ratelimit = Optional rate limiting clause -# userandgroup = -m owner match to limit the rule to a particular user and/or group -# logtag = Log tag -# -add_nat_rule() { - local chain - local excludedests= - - # Be sure we can NAT - - if [ -z "$NAT_ENABLED" ]; then - fatal_error "Rule \"$rule\" requires NAT which is disabled" - fi - - # Parse SNAT address if any - - if [ "$addr" != "${addr%:*}" ]; then - snat="${addr#*:}" - addr="${addr%:*}" - else - snat="" - fi - - # Set original destination address - - case $addr in - all) - addr= - ;; - detect) - addr= - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - eval interfaces=\$${source}_interfaces - for interface in $interfaces; do - addr=${addr:+$addr,}$(find_interface_address $interface) - done - fi - ;; - !*) - if [ $(list_count $addr) -gt 1 ]; then - excludedests="$(separate_list ${addr#\!})" - addr= - fi - ;; - esac - - addr=${addr:-0.0.0.0/0} - - # Select target - - if [ -n "$serv" ]; then - servport="${servport:+:$servport}" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to-destination ${srv}${servport}" - done - target1="DNAT $serv1" - else - target1="REDIRECT --to-port $servport" - fi - - if [ $source = $FW ]; then - [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" - fi - - # Generate nat table rules - - if [ $COMMAND != check ]; then - if [ "$source" = "$FW" ]; then - if [ -n "$excludedests" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain - done - - for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN - done - - if [ -n "$loglevel" ]; then - log_rule $loglevel $chain $logtarget -t nat - fi - - addnatrule $chain 
$ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) - fi - - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1 - done - fi - else - chain=$(dnat_chain $source) - - if [ -n "${excludezones}${excludedests}" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain - done - - for z in $(separate_list $excludezones); do - eval hosts=\$${z}_hosts - for host in $hosts; do - addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN - done - done - - for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN - done - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - ensurenatchain $chain - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports -d $adr $multiport $dports) - fi - - addnatrule $chain $proto $ratelimit $cli $sports \ - -d $adr $multiport $dports -j $target1 - done - fi - fi - fi - - # Replace destination port by the new destination port - - if [ -n "$servport" ]; then - if [ -z "$multiport" ]; then - dports="--dport ${servport#*:}" - else - dports="--dports ${servport#*:}" - fi - fi - - # Handle SNAT - - if [ -n "$snat" ]; then - if [ -n "$cli" ]; then - [ $COMMAND = check ] || addnatrule $(snat_chain $dest) $proto $cli $multiport \ - $sports -d $serv $dports -j SNAT --to-source $snat - else - for 
source_host in $source_hosts; do - [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \ - error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\"" - - [ $COMMAND = check ] || addnatrule $(snat_chain $dest) \ - $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \ - -d $serv $dports -j SNAT --to-source $snat - done - fi - fi - - [ "x$addr" = "x0.0.0.0/0" ] && addr= - ratelimit= -} - -# -# Add one Filter Rule -- Helper function for the rules file processor -# -# The caller has established the following variables: -# command = current command. If 'check', we're executing a 'check' -# which only goes through the motions. -# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# servport = Port the server listens on -# chain = The canonical chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup= -m owner clause -# userspec = User name -# logtag = Log tag -# -add_a_rule() -{ - local natrule= - - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - rule_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). 
- - cli= - - case "$client" in - -) - ;; - *:*) - rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) -s ${client#*:}" - ;; - *.*.*) - cli="-s $client" - ;; - ~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - rule_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). - - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" - rule_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - addr=$address - servport=$serverport - multiport= - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - [ "$target" = QUEUE ] && proto="$proto --syn" - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - all|ALL) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" - proto= - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. 
setup - - case "$logtarget" in - ACCEPT|DROP|REJECT|CONTINUE) - [ "$logtarget" = REJECT -a -n "$servport" ] && \ - fatal_error "Server port may not be specified in a REJECT rule; rule: \"$rule\"" - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - ;; - REDIRECT) - [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ - " specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - natrule=Yes - ;; - DNAT) - [ -n "$serv" ] || fatal_error "DNAT rules require a" \ - " server address; rule: \"$rule\"" - natrule=Yes - ;; - LOG) - [ -z "$loglevel" ] && fatal_error "LOG requires log level" - ;; - esac - - if [ -n "${serv}${servport}" ]; then - if [ $COMMAND != check ]; then - - # A specific server or server port given - - if [ -n "$natrule" ]; then - add_nat_rule - elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" - fi - - if [ -z "$dnat_only" ]; then - if [ -n "$serv" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(ip_range $serv1); do - if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then - for adr in $(separate_list $addr); do - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ - $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) - fi - - run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ - -d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $sports $multiport $cli -d $srv $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain 
$source) $proto $multiport \ - $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target - fi - done - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target - fi - fi - fi - else - - # Destination is a simple zone - - [ -n "$addr" ] && fatal_error \ - "An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT or REDIRECT: \"$rule\"" - - if [ $COMMAND != check ]; then - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) - fi - - if [ "$logtarget" != LOG ]; then - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $userandgroup -j $target - fi - fi - fi -} - -# -# Process a record from the rules file for the 'start', 'restart' or 'check' commands -# -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec -{ - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local ratelimit="$8" - local userspec="$9" - local userandgroup= - local rule="$(echo $target 
$clients $servers $protocol $ports $cports $address $ratelimit $userspec)" - local logtag= - local nonat= - - # Function Body - isolate rate limit - - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - fi - # - # Save the original target in 'logtarget' for logging rules - # - logtarget=${target%-} - # - # Targets ending in "-" only apply to the nat table - # - [ $target = $logtarget ] && dnat_only= || dnat_only=Yes - - # Tranform the rule: - # - # - parse the user specification - # - set 'target' to the filter table target. - # - make $FW the destination for REDIRECT - # - remove '-' suffix from logtargets while setting 'dnat_only' - # - clear 'address' if it has been set to '-' - - [ "x$userspec" = x- ] && userspec= - [ "x$address" = "x-" ] && address= - - if [ -n "$userspec" ]; then - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - userandgroup="-m owner" - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - userandgroup="-m owner ! 
--uid-owner ${userspec#!}" - ;; - *) - userandgroup="-m owner --uid-owner $userspec" - ;; - esac - fi - - case $target in - ACCEPT+|NONAT) - nonat=Yes - target=ACCEPT - ;; - ACCEPT|LOG) - ;; - DROP) - [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" - ;; - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - DNAT*) - target=ACCEPT - address=${address:=detect} - ;; - REDIRECT*) - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="$FW::$servers" - fi - ;; - esac - - # Parse and validate source - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - fatal_error "Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%!*}" ]; then - excludezones= - else - excludezones="${clientzone#*!}" - clientzone="${clientzone%!*}" - - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error "Exclude list only allowed with DNAT or REDIRECT" - fi - - validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" - - # Parse and validate destination - - source=$clientzone - - if [ $source = $FW ]; then - source_hosts= - elif [ -n "$userspec" ]; then - fatal_error "Invalid use of a user-qualification: rule \"$rule\"" - else - eval source_hosts=\"\$${source}_hosts\" - fi - - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - fatal_error "Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - - if ! 
validate_zone $serverzone; then - fatal_error "Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - # Ensure that this rule doesn't apply to a NONE policy pair of zones - - chain=${source}2${dest} - - eval policy=\$${chain}_policy - - [ -z "$policy" ] && \ - fatal_error "No policy defined from zone $source to zone $dest" - - [ $policy = NONE ] && \ - fatal_error "Rules may not override a NONE policy: rule \"$rule\"" - - # Create the canonical chain if it doesn't already exist - - [ $COMMAND = check ] || ensurechain $chain - - # Generate Netfilter rule(s) - - protocol=${protocol:=all} - - case $logtarget in - DNAT*) - if [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - server=${servers:=-} - add_a_rule - done - done - done - fi - ;; - *) - - if [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_a_rule - done - done - done - done - fi - ;; - esac - # - # Report Result - # - if [ $COMMAND = check ]; then - progress_message " Rule \"$rule\" checked." - else - progress_message " Rule \"$rule\" added." - fi -} - -# -# Process the rules file for the 'start', 'restart' or 'check' command. -# -process_rules() -{ - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() { - local yclients yservers ysourcezone ydestzone ypolicy - - for yclients in $xclients; do - for yservers in $xservers; do - ysourcezone=${yclients%%:*} - ydestzone=${yservers%%:*} - if [ "${ysourcezone}" != "${ydestzone}" ] ; then - eval ypolicy=\$${ysourcezone}2${ydestzone}_policy - if [ "$ypolicy" != NONE ] ; then - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - fi - fi - done - done - } - - do_it() { - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - continue - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - continue - fi - - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - } - - while read xtarget xclients xservers xprotocol xports xcports 
xaddress xratelimit xuserspec; do - temp="${xtarget%%:*}" - case "${temp%<*}" in - ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) - do_it - ;; - *) - if list_search $temp $ACTIONS; then - if ! list_search $temp $USEDACTIONS; then - [ $COMMAND = check ] || createactionchain $temp - USEDACTIONS="$USEDACTIONS $temp" - fi - - do_it - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - fatal_error "Invalid Action in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/rules -} - -# -# Process a record from the tos file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# src dst protocol sport dport tos -# -# and has loaded a space-separated list of their values in "rule". -# -process_tos_rule() { - # - # Parse the contents of the 'src' variable - # - if [ "$src" = "${src%:*}" ]; then - srczone="$src" - src= - else - srczone="${src%:*}" - src="${src#*:}" - fi - - source= - # - # Validate the source zone - # - if validate_zone $srczone; then - source=$srczone - elif [ "$srczone" = "all" ]; then - source="all" - else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$src" ] && case "$src" in - *.*.*) - # - # IP Address or networks - # - src="-s $src" - ;; - ~*) - src=$(mac_match $src) - ;; - *) - # - # Assume that this is a device name - # - if ! 
verify_interface $src ; then - error_message "Warning: Unknown Interface in rule \"$rule\" ignored" - return - fi - - src="$(match_source_dev $src)" - ;; - esac - - # - # Parse the contents of the 'dst' variable - # - if [ "$dst" = "${dst%:*}" ]; then - dstzone="$dst" - dst= - else - dstzone="${dst%:*}" - dst="${dst#*:}" - fi - - dest= - # - # Validate the destination zone - # - if validate_zone $dstzone; then - dest=$dstzone - elif [ "$dstzone" = "all" ]; then - dest="all" - else - error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$dst" ] && case "$dst" in - *.*.*) - # - # IP Address or networks - # - ;; - *) - # - # Assume that this is a device name - # - error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" - return - ;; - esac - - # - # Setup PROTOCOL and PORT variables - # - sports="" - dports="" - - case $protocol in - tcp|udp|TCP|UDP|6|17) - [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ - sports="--sport $sport" - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--dport $dport" - ;; - icmp|ICMP|0) - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--icmp-type $dport" - ;; - all|ALL) - protocol= - ;; - *) - ;; - esac - - protocol="${protocol:+-p $protocol}" - - tos="-j TOS --set-tos $tos" - - case "$dstzone" in - all|ALL) - dst=0.0.0.0/0 - ;; - *) - [ -z "$dst" ] && eval dst=\$${dstzone}_hosts - ;; - esac - - for dest in $dst; do - dest="-d $dest" - - case $srczone in - $FW) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - ;; - all|ALL) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - run_iptables2 -t mangle -A pretos \ - $protocol $dest $dports $sports $tos - ;; - *) - if [ -n "$src" ]; then - run_iptables2 -t mangle -A pretos $src \ - $protocol $dest $dports $sports $tos - else - eval interfaces=\$${srczone}_interfaces - - for interface in $interfaces; do - run_iptables2 -t mangle -A pretos -i $interface 
\ - $protocol $dest $dports $sports $tos - done - fi - ;; - esac - done - - progress_message " Rule \"$rule\" added." -} - -# -# Process the tos file -# -process_tos() # $1 = name of tos file -{ - echo "Processing $1..." - - run_iptables -t mangle -N pretos - run_iptables -t mangle -N outtos - - strip_file tos $1 - - while read src dst protocol sport dport tos; do - expandv src dst protocol sport dport tos - rule="$(echo $src $dst $protocol $sport $dport $tos)" - process_tos_rule - done < $TMP_DIR/tos - - run_iptables -t mangle -A PREROUTING -j pretos - run_iptables -t mangle -A OUTPUT -j outtos -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Add policy rule ( and possibly logging rule) to the passed chain -# -policy_rules() # $1 = chain to add rules to - # $2 = policy - # $3 = loglevel -{ - local target="$2" - - case "$target" in - ACCEPT) - [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common - ;; - DROP) - [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common - ;; - REJECT) - [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common - target=reject - ;; - CONTINUE) - target= - ;; - *) - fatal_error "Invalid policy ($policy) for $1" - ;; - esac - - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 - fi - - [ -n "$target" ] && run_iptables -A $1 -j $target -} - -# -# Generate default policy & log level rules for the passed client & server -# zones -# -# This function is only called when the canonical chain for this client/server -# pair is known to exist. If the default policy for this pair specifies the -# same chain then we add the policy (and logging) rule to the canonical chain; -# otherwise add a rule to the canonical chain to jump to the appropriate -# policy chain. 
-# -default_policy() # $1 = client $2 = server -{ - local chain="${1}2${2}" - local policy= - local loglevel= - local chain1 - - jump_to_policy_chain() { - # - # Add a jump to from the canonical chain to the policy chain. On return, - # $chain is set to the name of the policy chain - # - run_iptables -A $chain -j $chain1 - chain=$chain1 - } - - apply_default() - { - # - # Generate policy file column values from the policy chain - # - eval policy=\$${chain1}_policy - eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams - # - # Add the appropriate rules to the canonical chain ($chain) to enforce - # the specified policy - - if [ "$chain" = "$chain1" ]; then - # - # The policy chain is the canonical chain; add policy rule to it - # The syn flood jump has already been added if required. - # - policy_rules $chain $policy $loglevel - else - # - # The policy chain is different from the canonical chain -- approach - # depends on the policy - # - case $policy in - ACCEPT) - if [ -n "$synparams" ]; then - # - # To avoid double-counting SYN packets, enforce the policy - # in this chain. - # - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - else - # - # No problem with double-counting so just jump to the - # policy chain. - # - jump_to_policy_chain - fi - ;; - CONTINUE) - # - # Silly to jump to the policy chain -- add any logging - # rules and enable SYN flood protection if requested - # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - ;; - *) - # - # DROP or REJECT policy -- enforce in the policy chain and - # enable SYN flood protection if requested. 
- # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - jump_to_policy_chain - ;; - esac - fi - - progress_message " Policy $policy for $1 to $2 using chain $chain" - } - - eval chain1=\$${1}2${2}_policychain - - if [ -n "$chain1" ]; then - apply_default $1 $2 - else - fatal_error "No default policy for zone $1 to zone $2" - fi -} - -# -# Complete a standard chain -# -# - run any supplied user exit -# - search the policy file for an applicable policy and add rules as -# appropriate -# - If no applicable policy is found, add rules for an assummed -# policy of DROP INFO -# -complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone -{ - local policy= - local loglevel= - local policychain= - - run_user_exit $1 - - eval policychain=\$${2}2${3}_policychain - - if [ -n "$policychain" ]; then - eval policy=\$${policychain}_policy - eval loglevel=\$${policychain}_loglevel - - policy_rules $1 $policy $loglevel - else - policy_rules $1 DROP INFO - fi -} - -# -# Find the appropriate chain to pass packets from a source zone to a -# destination zone -# -# If the canonical chain for this zone pair exists, echo it's name; otherwise -# locate and echo the name of the appropriate policy chain -# -rules_chain() # $1 = source zone, $2 = destination zone -{ - local chain=${1}2${2} - - havechain $chain && { echo $chain; return; } - - [ "$1" = "$2" ] && { echo ACCEPT; return; } - - eval chain=\$${chain}_policychain - - [ -n "$chain" ] && { echo $chain; return; } - - fatal_error "No appropriate chain for zone $1 to zone $2" -} - -# -# echo the list of networks routed out of a given interface -# -get_routed_networks() # $1 = interface name -{ - local address - local rest - - ip route show dev $1 2> /dev/null | - while read address rest; do - if [ "x$address" = xdefault ]; then - error_message "Warning: default route ignored on interface $1" - else - [ "$address" = "${address%/*}" ] && address="${address}/32" - echo $address - fi - done -} - -# -# 
Set up Source NAT (including masquerading) -# -setup_masq() -{ - setup_one() { - local using - - case $fullinterface in - *:*:*) - # Both alias name and networks - destnets="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:*) - # Alias name OR networks - case ${fullinterface#*:} in - *.*) - # It's a networks - destnets="${fullinterface#*:}" - fullinterface="${fullinterface%:*}" - ;; - *) - #it's an alias name - destnets="0.0.0.0/0" - ;; - esac - ;; - *) - destnets="0.0.0.0/0" - ;; - esac - - interface=${fullinterface%:*} - - if ! list_search $interface $all_interfaces; then - fatal_error "Unknown interface $interface" - fi - - if [ "$networks" = "${networks%!*}" ]; then - nomasq= - else - nomasq="${networks#*!}" - networks="${networks%!*}" - fi - - - source="$networks" - - case $networks in - *.*.*) - ;; - *) - networks=$(get_routed_networks $networks) - [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" - networks="$networks" - ;; - esac - - [ "x$addresses" = x- ] && addresses= - - if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then - for address in $(separate_list $addresses); do - for addr in $(ip_range_explicit $address) ; do - if ! 
list_search $addr $aliases_to_add; then - save_command qt ip addr del $addr dev $interface - aliases_to_add="$aliases_to_add $addr $fullinterface" - case $fullinterface in - *:*) - fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) - ;; - esac - fi - done - done - fi - - [ "x$proto" = x- ] && proto= - [ "x$ports" = x- ] && ports= - - if [ -n "$proto" ]; then - - displayproto="($proto)" - - case $proto in - tcp|TCP|udp|UDP|6|17) - if [ -n "$ports" ]; then - displayproto="($proto $ports)" - - listcount=$(list_count $ports) - - if [ $listcount -gt 1 ]; then - case $ports in - *:*) - fatal_error "Port Range not allowed in list ($ports)" - ;; - *) - if [ -n "$MULTIPORT" ]; then - [ $listcount -gt 15 ] && fatal_error "Too many entries in port list ($ports)" - ports="-m multiport --dports $ports" - else - fatal_error "Port Ranges require multiport match support in your kernel ($ports)" - fi - ;; - esac - else - ports="--dport $ports" - fi - fi - ;; - *) - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - ;; - esac - - proto="-p $proto" - else - displayproto="(all)" - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - fi - - destination=$destnets - - chain=$(masq_chain $interface) - - case $destnets in - !*) - newchain=masq${masq_seq} - createnatchain $newchain - destnets=${destnets#!} - - for destnet in $(separate_list $destnets); do - addnatrule $newchain -d $destnet -j RETURN - done - - if [ -n "$networks" ]; then - for s in $networks; do - addnatrule $chain -s $s $proto $ports -j $newchain - done - networks= - else - addnatrule $chain -j $newchain - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - destnets=0.0.0.0/0 - proto= - ports= - - if [ -n "$nomasq" ]; then - for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN - done - source="$source except $nomasq" - fi - ;; - *) - if [ -n "$nomasq" ]; then - newchain=masq${masq_seq} - createnatchain $newchain - - if [ -n 
"$networks" ]; then - for s in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain - done - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports -j $newchain - done - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - networks= - destnets=0.0.0.0/0 - proto= - ports= - - for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN - done - - source="$source except $nomasq" - fi - ;; - esac - - addrlist= - - if [ -n "$addresses" ]; then - for address in $(separate_list $addresses); do - addrlist="$addrlist --to-source $address" - done - fi - - if [ -n "$networks" ]; then - for s in $networks; do - if [ -n "$addresses" ]; then - for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet $proto $ports -j SNAT $addrlist - done - progress_message " To $destination $displayproto from $s through ${interface} using $addresses" - else - for destnet in $(separate_list $destnets); do - addnatrule $chain -s $s -d $destnet $proto $ports -j MASQUERADE - done - progress_message " To $destination $displayproto from $s through ${interface}" - fi - done - elif [ -n "$addresses" ]; then - for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports -j SNAT $addrlist - done - echo " To $destination $displayproto from $source through ${interface} using $addresses" - else - for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports -j MASQUERADE - done - progress_message " To $destination $displayproto from $source through ${interface}" - fi - - } - - strip_file masq $1 - - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..." 
- - while read fullinterface networks addresses proto ports; do - expandv fullinterface networks addresses proto ports - [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" - done < $TMP_DIR/masq -} - -# -# Add a record to the blacklst chain -# -# $source = address match -# $proto = protocol selector -# $dport = destination port selector -# -add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) - fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition -} - -# -# Process a record from the blacklist file -# -# $networks = address/networks -# $protocol = Protocol Number/Name -# $port = Port Number/Name -# -process_blacklist_rec() { - local source - local addr - local proto - local dport - - for addr in $(separate_list $networks); do - case $addr in - ~*) - addr=$(echo $addr | sed 's/~//;s/-/:/g') - source="--match mac --mac-source $addr" - ;; - *) - source="-s $addr" - ;; - esac - - if [ -n "$protocol" ]; then - proto=" -p $protocol " - - case $protocol in - tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then - if [ -n "$MULTIPORT" -a \ - "$ports" != "${ports%,*}" -a \ - "$ports" = "${ports%:*}" -a \ - $(list_count $ports) -le 15 ] - then - dport="-m multiport --dports $ports" - add_blacklist_rule - else - for dport in $(separate_list $ports); do - dport="--dport $dport" - add_blacklist_rule - done - fi - else - add_blacklist_rule - fi - ;; - icmp|ICMP|0) - if [ -n "$ports" ]; then - for dport in $(separate_list $ports); do - dport="--icmp-type $dport" - add_blacklist_rule - done - else - add_blacklist_rule - fi - ;; - *) - add_blacklist_rule - ;; - esac - else - add_blacklist_rule - fi - - if [ -n "$ports" ]; then - addr="$addr $protocol $ports" - elif [ -n "$protocol" ]; then - addr="$addr $protocol" - fi - - progress_message " $addr added to Black List" - done -} - -# -# Setup the Black List -# 
-setup_blacklist() { - local hosts="$(find_hosts_by_option blacklist)" - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - - if [ -n "$hosts" -a -f $f ]; then - echo "Setting up Blacklisting..." - - strip_file blacklist $f - - createchain blacklst no - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - for host in $hosts; do - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst - done - - [ $network = 0/0.0.0.0 ] && network= || network=":$network" - - progress_message " Blacklisting enabled on ${interface}${network}" - done - - [ "$disposition" = REJECT ] && disposition=reject - - while read networks protocol ports; do - expandv networks protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - - fi -} - -# -# Refresh the Black List -# -refresh_blacklist() { - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - - if qt iptables -L blacklst -n ; then - echo "Refreshing Black List..." 
- - strip_file blacklist $f - - [ "$disposition" = REJECT ] && disposition=reject - - run_iptables -F blacklst - - while read networks protocol ports; do - expandv networks protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - fi -} - -# -# Verify that kernel has netfilter support -# -verify_os_version() { - - osversion=$(uname -r) - - case $osversion in - 2.4.*|2.5.*|2.6.*) - ;; - *) - startup_error "Shorewall version $version does not work with kernel version $osversion" - ;; - esac - - [ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \ - startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8" -} - -# -# Add IP Aliases -# -add_ip_aliases() -{ - local addresses external interface inet cidr rest val - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - ensure_and_save_command ip addr add ${external}${val} dev $interface $label - echo "$external $interface" >> ${STATEDIR}/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - set -- $aliases_to_add - - save_progress_message "Restoring IP Addresses..." 
- - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift;shift - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - -# -# Load kernel modules required for Shorewall -# -load_kernel_modules() -{ - save_modules_dir=$MODULESDIR - - [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - modules=$(find_file modules) - - if [ -f $modules -a -d $MODULESDIR ]; then - progress_message "Loading Modules..." - . $modules - fi - - MODULESDIR=$save_modules_dir -} - -save_load_kernel_modules() -{ - - modules=$(find_file modules) - - save_progress_message "Loading kernel modules..." - save_command "reload_kernel_modules <<__EOF__" - - while read command; do - case "$command" in - loadmodule*) - save_command $command - ;; - esac - done < $modules - - save_command __EOF__ - -} - -# Verify that the 'ip' program is installed - -verify_ip() { - qt ip link ls ||\ - startup_error "Shorewall $version requires the iproute package ('ip' utility)" -} - -# -# Determine which optional facilities are supported by iptables/netfilter -# -determine_capabilities() { - qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= - qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= - - CONNTRACK_MATCH= - MULTIPORT= - - if qt iptables -N fooX1234 ; then - qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - - qt iptables -F fooX1234 - qt iptables -X fooX1234 - fi -} - -report_capability() # $1 = Capability Name, $2 Capability Setting (if any) -{ - local setting= - - [ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" - - echo " " $@: $setting -} - -report_capabilities() { - echo "Shorewall has 
detected the following iptables/netfilter capabilities:" - report_capability $NAT_ENABLED "NAT" - report_capability $MANGLE_ENABLED "Packet Mangling" - report_capability $MULTIPORT "Multi-port Match" - report_capability $CONNTRACK_MATCH "Connection Tracking Match" -} - -# -# Perform Initialization -# - Delete all old rules -# - Delete all user chains -# - Set the POLICY on all standard chains and add a rule to allow packets -# that are part of established connections -# - Determine the zones -# -initialize_netfilter () { - - report_capabilities - - echo "Determining Zones..." - - determine_zones - - [ -z "$zones" ] && startup_error "No Zones Defined" - - display_list "Zones:" $zones - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Validating Policy file..." - - validate_policy - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - run_user_exit init - - # - # The some files might be large so strip them while the firewall is still running - # (restart command). This reduces the length of time that the firewall isn't - # accepting new connections. - # - - strip_file rules - strip_file proxyarp - strip_file maclist - strip_file nat - strip_file netmap - - terminator=fatal_error - - deletechain shorewall - - [ -n "$NAT_ENABLED" ] && delete_nat - - delete_proxy_arp - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -F && \ - run_iptables -t mangle -X - - [ -n "$CLEAR_TC" ] && delete_tc - - echo "Deleting user chains..." 
- - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - - [ -n "$DISABLE_IPV6" ] && disable_ipv6 - - # - # Enable the Loopback interface for now - # - run_iptables -A INPUT -i lo -j ACCEPT - run_iptables -A OUTPUT -o lo -j ACCEPT - - accounting_file=$(find_file accounting) - - [ -f $accounting_file ] && setup_accounting $accounting_file - - # - # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets - # - - for chain in INPUT OUTPUT FORWARD; do - run_iptables -A $chain -p udp --dport 53 -j ACCEPT - [ -n "$DROPINVALID" ] && \ - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP - done - - [ -n "$CLAMPMSS" ] && \ - run_iptables -A FORWARD -p tcp \ - --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - - if [ -z "$NEWNOTSYN" ]; then - createchain newnotsyn no - - for host in $(find_hosts_by_option newnotsyn); do - interface=${host%%:*} - network=${host#*:} - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN - done - - run_user_exit newnotsyn - - if [ -n "$LOGNEWNOTSYN" ]; then - log_rule $LOGNEWNOTSYN newnotsyn DROP - fi - - run_iptables -A newnotsyn -j DROP - fi - - createchain icmpdef no - createchain reject no - createchain dynamic no - createchain smurfs no - - if [ -f /var/lib/shorewall/save ]; then - echo "Restoring dynamic rules..." 
- - if [ -f /var/lib/shorewall/save ]; then - while read target ignore1 ignore2 address rest; do - case $target in - DROP|reject) - run_iptables2 -A dynamic -s $address -j $target - ;; - *) - ;; - esac - done < /var/lib/shorewall/save - fi - fi - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - echo "Creating Interface Chains..." - - for interface in $all_interfaces; do - createchain $(forward_chain $interface) no - run_iptables -A $(forward_chain $interface) $state -j dynamic - createchain $(input_chain $interface) no - run_iptables -A $(input_chain $interface) $state -j dynamic - done -} - -# -# Construct zone-independent rules -# -add_common_rules() { - local savelogparms="$LOGPARMS" - local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" - - drop_broadcasts() { - for address in $broadcasts ; do - run_iptables -A reject -d $address -j DROP - done - } - - # - # Populate the smurf chain - # - for address in $broadcasts ; do - [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs -s $address -j DROP - done - # - # Reject Rules -- Don't respond to broadcasts with an ICMP - # - if [ -n "$PKTTYPE" ]; then - qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - drop_broadcasts - fi - else - drop_broadcasts - fi - # - # Don't feed the smurfs - # - for address in $broadcasts ; do - run_iptables -A reject -s $address -j DROP - done - - run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset - run_iptables -A reject -p udp -j REJECT - # - # Not all versions of iptables support these so don't complain if they don't work - # - qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - if ! 
qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then - # - # In case the above doesn't work - # - run_iptables -A reject -j REJECT - fi - - run_user_exit initdone - - # - # Process Black List - # - setup_blacklist - - # - # SMURFS - # - hosts=$(find_hosts_by_option nosmurfs) - - if [ -n "$hosts" ]; then - - echo "Adding Anti-smurf Rules" - - for host in $hosts; do - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs - done - done - fi - # - # DHCP - # - interfaces=$(find_interfaces_by_option dhcp) - - if [ -n "$interfaces" ]; then - - echo "Adding rules for DHCP" - - for interface in $interfaces; do - if [ -n "$BRIDGING" ]; then - eval is_bridge=\$$(chain_base $interface)_ports - [ -n "$is_bridge" ] && \ - iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT - fi - run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT - run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT - done - fi - # - # RFC 1918 - # - hosts="$(find_hosts_by_option norfc1918)" - - if [ -n "$hosts" ]; then - echo "Enabling RFC1918 Filtering" - - strip_file rfc1918 - - createchain norfc1918 no - - createchain rfc1918 no - - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP - - run_iptables -A rfc1918 -j DROP - - if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then - # - # Mangling is enabled but conntrack match isn't available -- - # create a chain in the mangle table to filter RFC1918 destination - # addresses. 
This must be done in the mangle table before we apply - # any DNAT rules in the nat table - # - # Also add a chain to log and drop any RFC1918 packets that we find - # - run_iptables -t mangle -N man1918 - run_iptables -t mangle -N rfc1918 - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle - run_iptables -t mangle -A rfc1918 -j DROP - fi - - while read networks target; do - case $target in - logdrop) - target=rfc1918 - ;; - DROP|RETURN) - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - run_iptables2 -A norfc1918 -s $networks -j $target - - if [ -n "$CONNTRACK_MATCH" ]; then - # - # We have connection tracking match -- match on the original destination - # - run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target - elif [ -n "$MANGLE_ENABLED" ]; then - # - # No connection tracking match but we have mangling -- add a rule to - # the mangle table - # - run_iptables2 -t mangle -A man1918 -d $networks -j $target - fi - done < $TMP_DIR/rfc1918 - - for host in $hosts; do - interface=${host%%:*} - networks=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) -j norfc1918 - done - - [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 - done - fi - # - # Bogons - # - hosts="$(find_hosts_by_option nobogons)" - - if [ -n "$hosts" ]; then - echo "Enabling Bogon Filtering" - - strip_file bogons - - createchain nobogons no - - createchain bogons no - - log_rule $BOGON_LOG_LEVEL bogons DROP - - run_iptables -A bogons -j DROP - - while read networks target; do - case $target in - logdrop) - target=bogons - ;; - DROP|RETURN) - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - run_iptables2 -A nobogons -s $networks -j $target - - done < $TMP_DIR/bogons - - for host in $hosts; do - interface=${host%%:*} - 
network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons - done - done - - fi - - hosts=$(find_hosts_by_option tcpflags) - - if [ -n "$hosts" ]; then - echo "Setting up TCP Flags checking..." - - createchain tcpflags no - - if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then - createchain logflags no - - savelogparms="$LOGPARMS" - - LOGPARMS="$LOGPARMS --log-ip-options" - - log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION - - LOGPARMS="$savelogparms" - - case $TCP_FLAGS_DISPOSITION in - REJECT) - run_iptables -A logflags -j REJECT --reject-with tcp-reset - ;; - *) - run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION - ;; - esac - - disposition="-j logflags" - else - disposition="-j $TCP_FLAGS_DISPOSITION" - fi - - run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition - run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition - # - # There are a lot of probes to ports 80, 3128 and 8080 that use a source - # port of 0. This catches them even if they are directed at an IP that - # hosts a web server. - # - run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - - for host in $hosts; do - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags - done - done - fi - # - # ARP Filtering - # - save_progress_message "Restoring ARP filtering..." - - for f in /proc/sys/net/ipv4/conf/*/arp_filter; do - run_and_save_command "echo 0 > $f" - done - - interfaces=$(find_interfaces_by_option arp_filter) - - if [ -n "$interfaces" ]; then - echo "Setting up ARP Filtering..." 
- - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/arp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set ARP filtering on $interface" - fi - done - fi - # - # Route Filtering - # - interfaces="$(find_interfaces_by_option routefilter)" - - if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then - echo "Setting up Kernel Route Filtering..." - - save_progress_message "Restoring Route Filtering..." - - for f in /proc/sys/net/ipv4/conf/*/rp_filter; do - run_and_save_command "echo 0 > $f" - done - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set route filtering on $interface" - fi - done - - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - - if [ -n "$ROUTE_FILTER" ]; then - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" - fi - - run_and_save_command ip route flush cache - fi - - if [ -n "$DYNAMIC_ZONES" ]; then - echo "Setting up Dynamic Zone Chains..." 
- - for interface in $all_interfaces; do - for chain in $(dynamic_chains $interface); do - createchain $chain no - done - - chain=$(dynamic_in $interface) - createnatchain $chain - - run_iptables -A $(input_chain $interface) -j $chain - run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) - run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) - done - fi - - setup_forwarding -} - -# -# Scan the policy file defining the necessary chains -# Add the appropriate policy rule(s) to the end of each canonical chain -# -apply_policy_rules() { - # - # Create policy chains - # - for chain in $all_policy_chains; do - eval policy=\$${chain}_policy - eval loglevel=\$${chain}_loglevel - eval synparams=\$${chain}_synparams - - [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel - - if havechain $chain; then - [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - else - # - # The chain doesn't exist. Create the chain and add policy - # rules - # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # - createchain $chain yes - - # - # If either client or server is 'all' then this MUST be - # a policy chain and we must apply the appropriate policy rules - # - # Otherwise, this is a canonical chain which will be handled in - # the for loop below - # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - - [ -n "$synparams" ] && \ - [ $policy = ACCEPT -o $policy = CONTINUE ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - fi - - done - - # - # Add policy rules to canonical chains - # - for zone in $FW $zones; do - for zone1 in $FW $zones; do - chain=${zone}2${zone1} - if havechain $chain; then - run_user_exit $chain - default_policy $zone $zone1 - fi - done - done -} - -# -# Activate the rules -# -activate_rules() -{ - local 
PREROUTING_rule=1 - local POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain ; then - run_iptables2 -t nat -A $sourcechain $@ -j $destchain - elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then - rm -f #TMP_DIR/physdev - fi - } - - # - # Jump to a RULES chain from one of the builtin nat chains. These jumps are - # are inserted before jumps to static NAT chains. - # - addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain; then - eval run_iptables2 -t nat -I $sourcechain \ - \$${sourcechain}_rule $@ -j $destchain - eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then - rm -f $TMP_DIR/physdev - fi - } - - # - # Add jumps for dynamic nat chains - # - [ -n "$DYNAMIC_ZONES" ] && for interface in $all_interfaces ; do - addrulejump PREROUTING $(dynamic_in $interface) -i $interface - done - # - # Add jumps from the builtin chains to the nat chains - # - addnatjump PREROUTING nat_in - addnatjump POSTROUTING nat_out - - for interface in $all_interfaces; do - addnatjump PREROUTING $(input_chain $interface) -i $interface - addnatjump POSTROUTING $(output_chain $interface) -o $interface - done - - > ${STATEDIR}/chains - > ${STATEDIR}/zones - - for zone in $zones; do - eval source_hosts=\$${zone}_hosts - - chain1=$(rules_chain $FW $zone) - chain2=$(rules_chain $zone $FW) - - eval complex=\$${zone}_is_complex - - if [ -n "$complex" ]; then - frwd_chain=${zone}_frwd - createchain $frwd_chain No - fi - - if [ -n "$DYNAMIC_ZONES" ]; then - echo $zone $source_hosts >> ${STATEDIR}/zones - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains - fi - - need_broadcast= - - for host 
in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) -j $chain1 - - # - # Add jumps from the builtin chains for DNAT and SNAT rules - # - addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) - addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) - - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2 - - [ -n "$complex" ] && \ - run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) -j $frwd_chain - - case $networks in - *.*.*.*) - if [ "$networks" != 0.0.0.0/0 ]; then - if ! list_search $interface $need_broadcast ; then - interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface" - fi - fi - ;; - esac - done - - - for interface in $need_broadcast ; do - run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 - run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 - done - - for zone1 in $zones; do - - eval policy=\$${zone}2${zone1}_policy - - [ "$policy" = NONE ] && continue - - eval dest_hosts=\$${zone1}_hosts - - chain="$(rules_chain $zone $zone1)" - - [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains - - if [ $zone = $zone1 ]; then - # - # Try not to generate superfluous intra-zone rules - # - eval routeback=\"\$${zone}_routeback\" - eval interfaces=\"\$${zone}_interfaces\" - eval ports="\$${zone}_ports" - - num_ifaces=$(list_count1 $interfaces) - # - # If the zone has a single interface then what matters is how many ports it has - # - [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) - # - # If we don't need to route back and if we have only one interface or one port to - # the zone then assume that hosts in the zone can communicate directly. 
- # - if [ $num_ifaces -lt 2 -a -z "$routeback" ] ; then - continue - fi - else - routeback= - num_ifaces=0 - fi - - if [ -n "$complex" ]; then - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - # - # Only generate an intrazone rule if the zone has more than one interface (port) or if - # routeback was specified for this host group - # - if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then - run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) -j $chain - fi - done - else - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - chain1=$(forward_chain $interface) - - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - - if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) -j $chain - fi - done - done - fi - done - done - - for interface in $all_interfaces ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) - run_iptables -A INPUT -i $interface -j $(input_chain $interface) - addnatjump POSTROUTING $(masq_chain $interface) -o $interface - # - # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev. - # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports. - # - eval ports=\$$(chain_base $interface)_ports - for port in $ports; do - run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT - done - done - - chain=${FW}2${FW} - - if havechain $chain; then - # - # There is a fw->fw chain. 
Send loopback output through that chain - # - run_ip link ls | grep LOOPBACK | while read ordinal interface rest ; do - run_iptables -A OUTPUT -o ${interface%:*} -j $chain - done - # - # And delete the unconditional ACCEPT rule - # - run_iptables -D OUTPUT -o lo -j ACCEPT - fi - - complete_standard_chain INPUT all $FW - complete_standard_chain OUTPUT $FW all - complete_standard_chain FORWARD all all - # - # Remove rules added to keep the firewall alive during [re]start" - # - for chain in INPUT OUTPUT FORWARD; do - run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT - run_iptables -D $chain -p udp --dport 53 -j ACCEPT - done -} - -# -# Check for disabled startup -# -check_disabled_startup() { - if [ -f /etc/shorewall/startup_disabled ]; then - echo " Shorewall Startup is disabled -- to enable startup" - echo " after you have completed Shorewall configuration," - echo " remove the file /etc/shorewall/startup_disabled" - - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2 - fi -} - -# -# Start/Restart the Firewall -# -define_firewall() # $1 = Command (Start or Restart) -{ - check_disabled_startup - - echo "${1}ing Shorewall..." - - verify_os_version - verify_ip - - [ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; } - - RESTOREBASE=$(mktempfile /var/lib/shorewall) - - [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" - - echo '#bin/sh' >> $RESTOREBASE - save_command "#" - save_command "# Restore base file generated by Shorewall $version - $(date)" - save_command "#" - save_command ". 
/usr/share/shorewall/functions" - - save_command "MODULESDIR=\"$MODULESDIR\"" - save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" - - save_load_kernel_modules - - echo "Initializing..."; initialize_netfilter - echo "Configuring Proxy ARP"; setup_proxy_arp - echo "Setting up NAT..."; setup_nat - echo "Setting up NETMAP..."; setup_netmap - echo "Adding Common Rules"; add_common_rules - - tunnels=$(find_file tunnels) - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels - - maclist_hosts=$(find_hosts_by_option maclist) - [ -n "$maclist_hosts" ] && setup_mac_lists - - echo "Pre-processing Actions..."; process_actions1 - echo "Processing $(find_file rules)..."; process_rules - echo "Processing Actions..."; process_actions2 - echo "Processing $(find_file policy)..."; apply_policy_rules - - masq=$(find_file masq) - [ -f $masq ] && setup_masq $masq - - tos=$(find_file tos) - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos - - ecn=$(find_file ecn) - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - - [ -n "$TC_ENABLED" ] && setup_tc - - echo "Activating Rules..."; activate_rules - - [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && add_ip_aliases - - for file in chains nat proxyarp zones; do - append_file $file - done - - save_progress_message "Restoring Netfilter Configuration..." 
- - save_command 'iptables-restore << __EOF__' - - # 'shorewall save' appends the iptables-save output and '__EOF__' - - mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$ - - > $RESTOREBASE - - save_command "#" - save_command "# Restore tail file generated by Shorewall $version - $(date)" - save_command "#" - save_command "date > $STATEDIR/restarted" - - run_user_exit start - - createchain shorewall no - - date > $STATEDIR/restarted - - report "Shorewall ${1}ed" - - rm -rf $TMP_DIR - - mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base - mv -f $RESTOREBASE /var/lib/shorewall/restore-tail - -} - -# -# Refresh the firewall -# -refresh_firewall() -{ - echo "Refreshing Shorewall..." - - echo "Determining Zones and Interfaces..." - - determine_zones - - validate_interfaces_file - - [ -z "$zones" ] && startup_error "No Zones Defined" - - determine_interfaces - - run_user_exit refresh - - # - # Blacklist - # - refresh_blacklist - - ecn=$(find_file ecn) - - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - # - # Refresh Traffic Control - # - [ -n "$TC_ENABLED" ] && refresh_tc - - report "Shorewall Refreshed" - - rm -rf $TMP_DIR -} - -# -# Add a host or networks to a zone -# -add_to_zone() # $1 = [:] $2 = zone -{ - local base interface host newhost zone z h z1 z2 chain terminator - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts - - nat_chain_exists() # $1 = chain name - { - qt iptables -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - if ! 
iptables $@ ; then - startup_error "Can't add $1 to zone $2" - fi - } - - # - # Isolate interface and host parts - # - interface=${1%%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Zone - # - zone=$2 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - # - # Normalize the first argument to this function - # - newhost="$interface:$host" - - terminator=fatal_error - # - # Create a new Zone state file - # - > ${STATEDIR}/zones_$$ - # - # Add $1 to the Zone state file - # - while read z hosts; do - if [ "$z" = "$zone" ]; then - for h in $hosts; do - if [ "$h" = "$newhost" ]; then - rm -f ${STATEDIR}/zones_$$ - startup_error "$1 already in zone $zone" - fi - done - - [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(match_source_hosts 
$host) -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain - else - source_chain=$(dynamic_fwd $interface) - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain - fi - done - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain for the interface - # - do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain - fi - done - fi - fi - done < ${STATEDIR}/chains - - rm -rf $TMP_DIR - - progress_message "$1 added to zone $2" -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - # - # Delete the subject host(s) from the zone state file - # - delete_from_zones_file() - { - > ${STATEDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for h in $temp; do - if [ "$h" = "$delhost" ]; then - echo Yes - else - hosts="$hosts $h" - fi - done - fi - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - } - # - # Isolate interface and host parts - # - interface=${1%%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" - # - # Load $zones - # - determine_zones - - zone=$2 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ 
"$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone" - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" - # - # Be sure that the interface was present at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "Interface $interface is not dynamic" - fi - # - # Normalize the first argument to this function - # - delhost="$interface:$host" - # - # Delete the passed hosts from the zone state file - # - [ -z "$(delete_from_zones_file)" ] && \ - error_message "Warning: $1 does not appear to be in zone $2" - # - # Construct the zone host maps - # - while read z hosts; do - eval ${z}_hosts=\"$hosts\" - done < ${STATEDIR}/zones - - terminator=fatal_error - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain - else - source_chain=$(dynamic_fwd $interface) - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts $delhost; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain - fi - done - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - 
hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain - fi - done - fi - fi - done < ${STATEDIR}/chains - - rm -rf $TMP_DIR - - progress_message "$1 removed from zone $2" -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - terminator=startup_error - # - # Clear all configuration variables - # - version= - FW= - SUBSYSLOCK= - STATEDIR= - ALLOWRELATED=Yes - LOGRATE= - LOGBURST= - LOGPARMS= - LOGLIMIT= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - TC_ENABLED= - BLACKLIST_DISPOSITION= - BLACKLIST_LOGLEVEL= - CLAMPMSS= - ROUTE_FILTER= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - NEWNOTSYN= - LOGNEWNOTSYN= - FORWARDPING= - MACLIST_DISPOSITION= - MACLIST_LOG_LEVEL= - TCP_FLAGS_DISPOSITION= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - BOGON_LOG_LEVEL= - MARK_IN_FORWARD_CHAIN= - SHARED_DIR=/usr/share/shorewall - FUNCTIONS= - VERSION_FILE= - LOGFORMAT= - LOGRULENUMBERS= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - 
MODULE_SUFFIX= - ACTIONS= - USEDACTIONS= - SMURF_LOG_LEVEL= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - DROPINVALID= - RESTOREBASE= - TMP_DIR= - - stopping= - have_mutex= - masq_seq=1 - nonat_seq=1 - aliases_to_add= - - FUNCTIONS=$SHARED_DIR/functions - - if [ -f $FUNCTIONS ]; then - [ -n "$QUIET" ] || echo "Loading $FUNCTIONS..." - . $FUNCTIONS - else - startup_error "$FUNCTIONS does not exist!" - fi - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - startup_error "Can't create a temporary directory" - - trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - - ensure_config_path - - VERSION_FILE=$SHARED_DIR/version - - [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE) - - run_user_exit params - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - [ -n "$QUIET" ] || echo "Processing $config..." - . $config - else - echo " ERROR: Cannot read $config (Hint: Are you root?)" - exit 2 - fi - else - echo "$config does not exist!" >&2 - exit 2 - fi - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to acurately determine - # capabilities when module autoloading isn't enabled. 
- # - - [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" - load_kernel_modules - determine_capabilities - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - [ -z "$FW" ] && FW=fw - - ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" - [ -n "$ALLOWRELATED" ] || \ - startup_error "ALLOWRELATED=No is not supported" - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then - startup_error "Traffic Control requires Mangle" - fi - - [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP - - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) - [ -n "$FORWARDPING" ] && \ - startup_error "FORWARDPING=Yes is no longer supported" - - NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN) - - maclist_target=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case $MACLIST_DISPOSITION in - REJECT) - ;; - ACCEPT|DROP) - maclist_target=$MACLIST_DISPOSITION - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - 
case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info - [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre - if [ -n "$TC_ENABLED" ]; then - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - else - CLEAR_TC= - fi - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - if [ ${#temp} -gt 29 ]; then - startup_error "LOGFORMAT string is too long: \"$LOGFORMAT\"" - fi - else - LOGFORMAT="Shorewall:%s:%s:" - fi - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE) - DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts - # - # Check out the user's shell - # - [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - rm -f $TMP_DIR/physdev 
- -} - -# -# Give Usage Information -# -usage() { - echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}" - exit 1 -} - -# -# E X E C U T I O N B E G I N S H E R E -# -# -# Start trace if first arg is "debug" -# -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } - -nolock= - -[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; } - -trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9 - -COMMAND="$1" - -case "$COMMAND" in - stop) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - # - # Don't want to do a 'stop' when startup is disabled - # - check_disabled_startup - echo -n "Stopping Shorewall..." - stop_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." - my_mutex_off - ;; - - start) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt iptables -L shorewall -n ; then - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - echo "Shorewall Already Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 0; - fi - define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off - ;; - - restart) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt iptables -L shorewall -n ; then - define_firewall "Restart" - else - echo "Shorewall Not Currently Running" - define_firewall "Start" - fi - - [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off - ;; - - status) - [ $# -ne 1 ] && usage - echo "Shorewall-$version Status at $HOSTNAME - $(date)" - echo - iptables -L -n -v - ;; - - reset) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - iptables -Z - iptables -t nat -Z - iptables -t mangle -Z - report "Shorewall Counters Reset" - date > $STATEDIR/restarted - my_mutex_off - ;; - - refresh) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! 
qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - refresh_firewall; - my_mutex_off - ;; - - clear) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - echo -n "Clearing Shorewall..." - clear_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." - my_mutex_off - ;; - - check) - [ $# -ne 1 ] && usage - do_initialize - check_config - ;; - - add) - [ $# -ne 3 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - add_to_zone $2 $3 - my_mutex_off - ;; - - delete) - [ $# -ne 3 ] && usage - do_initialize - my_mutex_on - if ! qt iptables -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - delete_from_zone $2 $3 - my_mutex_off - ;; - - call) - # - # Undocumented way to call functions in /usr/share/shorewall/firewall directly - # - shift; - do_initialize - EMPTY= - $@ - ;; - *) - usage - ;; - -esac diff --git a/Lrp/usr/share/shorewall/functions b/Lrp/usr/share/shorewall/functions deleted file mode 100644 index 152b10e91..000000000 --- a/Lrp/usr/share/shorewall/functions +++ /dev/null 
@@ -1,769 +0,0 @@ -#!/bin/sh -# -# Shorewall 2.0 -- /usr/share/shorewall/functions - -# -# Search a list looking for a match -- returns zero if a match found -# 1 otherwise -# -list_search() # $1 = element to search for , $2-$n = list -{ - local e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - [ -n "$QUIET" ] || echo "$@" -} - -# -# Suppress all output for a command -# -qt() -{ - "$@" >/dev/null 2>&1 -} - -# -# Perform variable substitution on the passed argument and echo the result -# -expand() # $@ = contents of variable which may be the name of another variable -{ - eval echo \"$@\" -} - -# -# Perform variable substitition on the values of the passed list of variables -# -expandv() # $* = list of variable names -{ - local varval - - while [ $# -gt 0 ]; do - eval varval=\$${1} - eval $1=\"$varval\" - shift - done -} - -# -# Replace all leading "!" with "! " in the passed argument list -# - -fix_bang() { - local i; - - for i in $@; do - case $i in - !*) - echo "! ${i#!}" - ;; - *) - echo $i - ;; - esac - done -} - -# -# Set default config path -# -ensure_config_path() { - local F=/usr/share/shorewall/configpath - if [ -z "$CONFIG_PATH" ]; then - [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } - . 
$F - fi -} - -# -# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall -# -find_file() -{ - local saveifs= directory - - case $1 in - /*) - echo $1 - ;; - *) - if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then - echo $SHOREWALL_DIR/$1 - else - saveifs=$IFS - IFS=: - for directory in $CONFIG_PATH; do - if [ -f $directory/$1 ]; then - echo $directory/$1 - IFS=$saveifs - return - fi - done - - IFS=$saveifs - - echo /etc/shorewall/$1 - fi - ;; - esac -} - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - local part - local newlist - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'terminator' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - case "$@" in - *,|,*|*,,*|*[[:space:]]*) - [ -n "$terminator" ] && \ - $terminator "Invalid comma-separated list \"$@\"" - echo "Warning -- invalid comma-separated list \"$@\"" >&2 - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Load a Kernel Module -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename=$1 - local modulefile - local suffix - moduleloader=modprobe - - if ! 
qt which modprobe; then - moduleloader=insmod - fi - - if [ -z "$(lsmod | grep $modulename)" ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - modulefile=$MODULESDIR/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - - return - fi - done - fi -} - -# -# Reload the Modules -# -reload_kernel_modules() { - - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - while read command; do - eval $command - done - -} - -# -# Find the zones -# -find_zones() # $1 = name of the zone file -{ - while read zone display comments; do - [ -n "$zone" ] && case "$zone" in - \#*) - ;; - $FW) - echo "Reserved zone name \"$zone\" in zones file ignored" >&2 - ;; - *) - echo $zone - ;; - esac - done < $1 -} - -find_display() # $1 = zone, $2 = name of the zone file -{ - grep ^$1 $2 | while read z display comments; do - [ "x$1" = "x$z" ] && echo $display - done -} -# -# This function assumes that the TMP_DIR variable is set and that -# its value named an existing directory. -# -determine_zones() -{ - local zonefile=$(find_file zones) - - multi_display=Multi-zone - strip_file zones $zonefile - zones=$(find_zones $TMP_DIR/zones) - zones=$(echo $zones) # Remove extra trash - - for zone in $zones; do - dsply=$(find_display $zone $TMP_DIR/zones) - eval ${zone}_display=\$dsply - done -} - -# -# The following functions may be used by apps that wish to ensure that -# the state of Shorewall isn't changing -# -# This function loads the STATEDIR variable (directory where Shorewall is to -# store state files). If your application supports alternate Shorewall -# configurations then the name of the alternate configuration directory should -# be in $SHOREWALL_DIR at the time of the call. 
-# -# If the shorewall.conf file does not exist, this function does not return -# -get_statedir() -{ - MUTEX_TIMEOUT= - - local config=$(find_file shorewall.conf) - - if [ -f $config ]; then - . $config - else - echo "/etc/shorewall/shorewall.conf does not exist!" >&2 - exit 2 - fi - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -} - -# -# Call this function to assert MUTEX with Shorewall. If you invoke the -# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" -# -# This function uses the lockfile utility from procmail if it exists. -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the -# behavior of lockfile. -# -mutex_on() -{ - local try=0 - local lockf=$STATEDIR/lock - - MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} - - if [ $MUTEX_TIMEOUT -gt 0 ]; then - - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - if qt which lockfile; then - lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} - else - while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do - sleep 1 - try=$((${try} + 1)) - done - - if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then - # Create the lockfile - echo $$ > ${lockf} - else - echo "Giving up on lock file ${lockf}" >&2 - fi - fi - fi -} - -# -# Call this function to release MUTEX -# -mutex_off() -{ - rm -f $STATEDIR/lock -} - -# -# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: -# -# None - No mktemp -# BSD - BSD mktemp (Mandrake) -# STD - mktemp.org mktemp -# -find_mktemp() { - local mktemp=`which mktemp 2> /dev/null` - - if [ -n "$mktemp" ]; then - if qt mktemp -V ; then - MKTEMP=STD - else - MKTEMP=BSD - fi - else - MKTEMP=None - fi -} - -# -# create a temporary file. If a directory name is passed, the file will be created in -# that directory. Otherwise, it will be created in a temporary directory. 
-# -mktempfile() { - - [ -z "$MKTEMP" ] && find_mktemp - - if [ $# -gt 0 ]; then - case "$MKTEMP" in - BSD) - mktemp $1/shorewall.XXXXXX - ;; - STD) - mktemp -p $1 shorewall.XXXXXX - ;; - None) - > $1/shorewall-$$ && echo $1/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" - ;; - esac - else - case "$MKTEMP" in - BSD) - mktemp /tmp/shorewall.XXXXXX - ;; - STD) - mktemp -t shorewall.XXXXXX - ;; - None) - rm -f /tmp/shorewall-$$ - > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" - ;; - esac - fi -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempdir" - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$terminator" ] && $terminator "No such file: $1" - echo "Warning -- No such file: $1" - fi -} - -# -# Function for including one file into another -# -INCLUDE() { - . 
$(find_file $(expand $@)) -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi -} - -# -# Note: The following set of IP address manipulation functions have anomalous -# behavior when the shell only supports 32-bit signed arithmatic and -# the IP address is 128.0.0.0 or 128.0.0.1. -# -# -# So that emacs doesn't get lost, we use $LEFTSHIFT rather than << -# -LEFTSHIFT='<<' - -# -# Convert an IP address in dot quad format to an integer -# -decodeaddr() { - local x - local temp=0 - local ifs=$IFS - - IFS=. - - for x in $1; do - temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) - done - - echo $temp - - IFS=$ifs -} - -# -# convert an integer to dot quad format -# -encodeaddr() { - addr=$1 - local x - local y=$(($addr & 255)) - - for x in 1 2 3 ; do - addr=$(($addr >> 8)) - y=$(($addr & 255)).$y - done - - echo $y -} - -# -# Enumerate the members of an IP range -- When using a shell supporting only -# 32-bit signed arithmetic, the range cannot span 128.0.0.0. -# -# Comes in two flavors: -# -# ip_range() - produces a mimimal list of network/host addresses that spans -# the range. -# -# ip_range_explicit() - explicitly enumerates the range. 
-# -ip_range() { - local first last l x y z vlsm - - case $1 in - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - l=$(( $last + 1 )) - - while [ $first -le $last ]; do - vlsm= - x=31 - y=2 - z=1 - - while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do - vlsm=/$x - x=$(( $x - 1 )) - z=$y - y=$(( $y * 2 )) - done - - echo $(encodeaddr $first)$vlsm - first=$(($first + $z)) - done -} - -ip_range_explicit() { - local first last - - case $1 in - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - while [ $first -le $last ]; do - echo $(encodeaddr $first) - first=$(($first + 1)) - done -} - -# -# Netmask from CIDR -# -ip_netmask() { - local vlsm=${1#*/} - - [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) -} - -# -# Network address from CIDR -# -ip_network() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - - echo $(encodeaddr $(($decodedaddr & $netmask))) -} - -# -# The following hack is supplied to compensate for the fact that many of -# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
-# - -ip_broadcast() { - local x=$(( 32 - ${1#*/} )) - - [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) -} - -# -# Calculate broadcast address from CIDR -# -broadcastaddress() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - local broadcast=$(ip_broadcast $1) - - echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) -} - -# -# Test for network membership -# -in_network() # $1 = IP address, $2 = CIDR network -{ - local netmask=$(ip_netmask $2) - - test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask )) -} - -# -# Netmask to VLSM -# -ip_vlsm() { - local mask=$(decodeaddr $1) - local vlsm=0 - local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000 - - while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. - vlsm=$(($vlsm + 1)) - done - - if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff - echo "Invalid net mask: $1" >&2 - else - echo $vlsm - fi -} - - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). 
-# -chain_base() #$1 = interface -{ - local c=${1%%+} - - while true; do - case $c in - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern=${1%+} - - case $1 in - *+) - # - # Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of - # variable expansion :-( - # - test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route ls | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - -# -# Find the default route's interface -# -find_default_interface() { - ip route ls | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev="$(find_rt_interface $1)" - local first rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - diff --git a/Lrp/usr/share/shorewall/help b/Lrp/usr/share/shorewall/help deleted file mode 100755 index 7343d2f43..000000000 --- a/Lrp/usr/share/shorewall/help +++ /dev/null 
@@ -1,310 +0,0 @@ -#!/bin/sh -# -# Shorewall help subsystem - V2.0 - 2/14/2004 -# -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net) -# Steve Herber (herber@thing.com) -# -# This file should be placed in /usr/share/shorewall/help -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -################################################################################## - -case $1 in - -add) - echo "add: add [:][:] - Adds a host or subnet to a dynamic zone usually used with VPN's. - - shorewall add interface[:port][:host] zone - Adds the specified interface - (and bridge port/host if included) to the specified zone. - - Example: - - shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 - from interface ipsec0 to the zone vpn1. - - See also \"help host\"" - ;; - -address|host) - echo "<$1>: - May be either a host IP address such as 192.168.1.4 or a network address in - CIDR format like 192.168.1.0/24" - ;; - -allow) - echo "allow: allow
... - Re-enables receipt of packets from hosts previously blacklisted - by a drop or reject command. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -check) - echo "check: check [ -c ] - Performs a cursory validation of the zones, interfaces, hosts, - rules and policy files. Use this if you are unsure of any edits - you have made to the shorewall configuration. See the try command - examples for a recommended way to make changes." - ;; - -clear) - echo "clear: clear - Clear will remove all rules and chains installed by Shoreline. - The firewall is then wide open and unprotected. Existing - connections are untouched. Clear is often used to see if the - firewall is causing connection problems." - ;; - -debug) - echo "debug: debug - If you include the keyword debug as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall debug start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'trace' is a synonym for 'debug'." - ;; - -delete) - echo "delete: delete [:][:] - Deletes a host or subnet from a dynamic zone usually used with VPN's. - - shorewall delete interface[:port][:host] zone - Deletes the specified - interface (and bridge port/host if included) from the specified zone. - - Example: - - shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address - 192.0.2.24 from interface ipsec0 from zone vpn1 - - See also \"help host\"" - ;; - -drop) - echo "$1: $1
... - Causes packets from the specified
to be ignored - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -forget) - echo "forget: forget [ ] - Deletes /var/lib/shorewall/. If no is given then - the file specified by RESTOREFILE in shorewall.conf is removed. - - See also \"help save\"" - ;; - -help) - echo "help: help [ | host | address ] - Display helpful information about the shorewall commands." - ;; - -hits) - echo "hits: hits - Produces several reports about the Shorewall packet log messages - in the current /var/log/messages file." - ;; - -ipcalc) - echo "ipcalc: ipcalc [ address mask | address/vlsm ] - Ipcalc displays the network address, broadcast address, - network in CIDR notation and netmask corresponding to the input[s]." - ;; - -iprange) - echo "iprange: iprange address1-address2 - Iprange decomposes the specified range of IP addresses into the - equivalent list of network/host addresses." - ;; - -logwatch) - echo "logwatch: logwatch [] - Monitors the LOGFILE, $LOGFILE, - and produces an audible alarm when new Shorewall messages are logged." - ;; - -monitor) - echo "monitor: monitor [] - - shorewall [-x] monitor [] - - Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -refresh) - echo "refresh: [ -q ] refresh - The rules involving the broadcast addresses of firewall interfaces, - the black list, traffic control rules and ECN control rules are recreated - to reflect any changes made. Existing connections are untouched - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -reject) - echo "$1: $1
... - Causes packets from the specified
to be rejected - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -reset) - echo "reset: reset - All the packet and byte counters in the firewall are reset." - ;; - -restart) - echo "restart: restart [ -q ] [ -c ] - Restart is the same as a shorewall stop && shorewall start. - Existing connections are maintained. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -restore) - echo "restore: restore [ ] - Restore Shorewall to a state saved using the 'save' command - Existing connections are maintained. The names a restore file in - /var/lib/shorewall created using "shorewall save"; if no is given - then Shorewall will be restored from the file specified by the RESTOREFILE - option in shorewall.conf. - - See also \"help save\" and \"help forget\"" - ;; - -save) - echo "save: save [ ] - The dynamic data is stored in /var/lib/shorewall/save. The state of the - firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' - and 'shorewall -f start' commands. If is not given then the state is saved - in the file specified by the RESTOREFILE option in shorewall.conf. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help restore\" and \"help forget\"" - ;; - -show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos] - - shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). - (iptables -L chain -n -v) - - shorewall [-x] show nat - produce a verbose report about the nat table. - (iptables -t nat -L -n -v) - - shorewall [-x] show tos - produce a verbose report about the mangle table. - (iptables -t mangle -L -n -v) - - shorewall show log - display the last 20 packet log entries. - - shorewall show connections - displays the IP connections currently - being tracked by the firewall. - - shorewall show tc - displays information about the traffic - control/shaping configuration. 
- - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -start) - echo "start: [ -q ] [ -f ] [ -c ] start - Start shorewall. Existing connections through shorewall managed - interfaces are untouched. New connections will be allowed only - if they are allowed by the firewall rules or policies. - If \"-q\" is specified, less detail is displayed making it easier to spot warnings - If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option - in shorewall.conf will be restored if that saved configuration exists" - ;; - -stop) - echo "stop: stop - Stops the firewall. All existing connections, except those - listed in /etc/shorewall/routestopped, are taken down. - The only new traffic permitted through the firewall - is from systems listed in /etc/shorewall/routestopped." - ;; - -status) - echo "status: status - - shorewall [-x] status - - Produce a verbose report about the firewall. - - (iptables -L -n -) - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -trace) - echo "trace: trace - If you include the keyword trace as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall trace start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'debug' is a synonym for 'trace'." - ;; - -try) - echo "try: try [ ] - Restart shorewall using the specified configuration. If an error - occurs during the restart, then another shorewall restart is performed - using the default configuration. If a timeout is specified then - the restart is always performed after the timeout occurs and uses - the default configuration." 
- ;; - -version) - echo "version: version - Show the current shorewall version which is: $version" - ;; - -*) - echo "$1: $1 is not recognized by the help command" - ;; - -esac - -exit 0 # always ok - diff --git a/Lrp/usr/share/shorewall/rfc1918 b/Lrp/usr/share/shorewall/rfc1918 deleted file mode 100644 index 42bd82e3d..000000000 --- a/Lrp/usr/share/shorewall/rfc1918 +++ /dev/null @@ -1,26 +0,0 @@ -# -# Shorewall 2.0-- RFC1918 File -# -# /etc/shorewall/rfc1918 -# -# Lists the subnetworks that are blocked by the 'norfc1918' interface option. -# -# The default list includes those IP addresses listed in RFC 1918. -# -# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE -# TO /etc/shorewall AND MODIFY THE COPY. -# -# Columns are: -# -# SUBNET The subnet (host addresses also allowed) -# TARGET Where to send packets to/from this subnet -# RETURN - let the packet be processed normally -# DROP - silently drop the packet -# logdrop - log then drop -# -############################################################################### -#SUBNET TARGET -172.16.0.0/12 logdrop # RFC 1918 -192.168.0.0/16 logdrop # RFC 1918 -10.0.0.0/8 logdrop # RFC 1918 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp/usr/share/shorewall/version b/Lrp/usr/share/shorewall/version deleted file mode 100644 index a6e7bcb30..000000000 --- a/Lrp/usr/share/shorewall/version +++ /dev/null @@ -1 +0,0 @@ -2.0.17 diff --git a/Lrp/var/lib/lrpkg/shorwall.conf b/Lrp/var/lib/lrpkg/shorwall.conf deleted file mode 100644 index 7a5ea778e..000000000 --- a/Lrp/var/lib/lrpkg/shorwall.conf +++ /dev/null 
@@ -1,24 +0,0 @@
-/etc/shorewall/params Params Assign parameter values
-/etc/shorewall/zones Zones Partition the network into Zones
-/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
-/etc/shorewall/hosts Hosts Define specific zones
-/etc/shorewall/policy Policy Firewall high-level policy
-/etc/shorewall/rules Rules Exceptions to policy
-/etc/shorewall/maclist Maclist MAC Verification
-/etc/shorewall/masq Masq Internal MASQ Server Configuration
-/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
-/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'
-/etc/shorewall/nat Nat Static NAT Configuration
-/etc/shorewall/tunnels Tunnels Tunnel Definition (ipsec)
-/etc/shorewall/tcrules TCRules FWMark Rules
-/etc/shorewall/shorewall.conf Config Shorewall Global Parameters
-/etc/shorewall/modules Modules Netfilter modules to load
-/etc/shorewall/tos TOS Type of Service policy
-/etc/shorewall/blacklist Blacklist Blacklisted hosts
-/etc/shorewall/ecn ECN Disable ECN to hosts and networks
-/etc/shorewall/init Init Commands executed before [re]start
-/etc/shorewall/start Start Commands executed after [re]start
-/etc/shorewall/stop Stop Commands executed before stop
-/etc/shorewall/stopped Stopped Commands executed after stop
-/etc/shorewall/accounting Account Traffic Accounting Rules
-/etc/shorewall/actions Actions Define user actions
diff --git a/Lrp/var/lib/lrpkg/shorwall.exclude.list b/Lrp/var/lib/lrpkg/shorwall.exclude.list
deleted file mode 100644
index cca3782fb..000000000
--- a/Lrp/var/lib/lrpkg/shorwall.exclude.list
+++ /dev/null
@@ -1 +0,0 @@
-var/lib/shorewall/*
diff --git a/Lrp/var/lib/lrpkg/shorwall.help b/Lrp/var/lib/lrpkg/shorwall.help
deleted file mode 100644
index 61523f806..000000000
--- a/Lrp/var/lib/lrpkg/shorwall.help
+++ /dev/null
@@ -1,3 +0,0 @@
-Shoreline Firewall (Shorewall)
-Homepage: http://www.shorewall.net
-Requires: iptables.lrp
diff --git a/Lrp/var/lib/lrpkg/shorwall.list b/Lrp/var/lib/lrpkg/shorwall.list
deleted file mode 100644
index 04bd7a15b..000000000
--- a/Lrp/var/lib/lrpkg/shorwall.list
+++ /dev/null
@@ -1,6 +0,0 @@
-etc/init.d/shorewall
-etc/shorewall
-sbin/shorewall
-usr/share/shorewall
-var/lib/shorewall
-var/lib/lrpkg/shorwall.*
diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version
deleted file mode 100644
index a6e7bcb30..000000000
--- a/Lrp/var/lib/lrpkg/shorwall.version
+++ /dev/null
@@ -1 +0,0 @@
-2.0.17
diff --git a/Lrp2/etc/init.d/shorewall b/Lrp2/etc/init.d/shorewall
deleted file mode 100755
index dc6cdd5aa..000000000
--- a/Lrp2/etc/init.d/shorewall
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/bin/sh -RCDLINKS="2,S41 3,S41 6,K41" -# -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) -# -# On most distributions, this file should be called /etc/init.d/shorewall. -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. 
-# -# Commands are: -# -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# -#### BEGIN INIT INFO -# Provides: shorewall -# Required-Start: $network -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Description: starts and stops the shorewall firewall -### END INIT INFO - -# chkconfig: 2345 25 90 -# description: Packet filtering firewall -# - -################################################################################ -# Give Usage Information # -################################################################################ -usage() { - echo "Usage: $0 start|stop|restart|status" - exit 1 -} - -################################################################################ -# E X E C U T I O N B E G I N S H E R E # -################################################################################ -command="$1" - -case "$command" in - - stop|start|restart|status) - - exec /sbin/shorewall $@ - ;; - *) - - usage - ;; - -esac diff --git a/Lrp2/etc/shorewall/accounting b/Lrp2/etc/shorewall/accounting deleted file mode 100644 index d21c03326..000000000 --- a/Lrp2/etc/shorewall/accounting +++ /dev/null 
@@ -1,96 +0,0 @@ -# -# Shorewall version 2.2 - Accounting File -# -# /etc/shorewall/accounting -# -# Accounting rules exist simply to count packets and bytes in categories -# that you define in this file. You may display these rules and their -# packet and byte counters using the "shorewall show accounting" command. -# -# Please see http://shorewall.net/Accounting.html for examples and -# additional information about how to use this file. -# -# -# Columns are: -# -# ACTION - What to do when a match is found. -# -# COUNT - Simply count the match and continue -# with the next rule -# DONE - Count the match and don't attempt -# to match any other accounting rules -# in the chain specified in the CHAIN -# column. -# [:COUNT] -# - Where is the name of -# a chain. Shorewall will create -# the chain automatically if it -# doesn't already exist. Causes -# a jump to that chain. If :COUNT -# is including, a counting rule -# matching this record will be -# added to -# -# CHAIN - The name of a chain. If specified as "-" the -# 'accounting' chain is assumed. This is the chain -# where the accounting rule is added. The chain will -# be created if it doesn't already exist. -# -# SOURCE - Packet Source -# -# The name of an interface, an address (host or net) or -# an interface name followed by ":" -# and a host or net address. -# -# DESTINATION - Packet Destination -# -# Format the same as the SOURCE column. -# -# PROTOCOL A protocol name (from /etc/protocols), a protocol -# number, or "ipp2p" -# -# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then -# this column must contain an ipp2p option ("iptables -m -# ipp2p --help") without the leading "--". If no option -# is given in this column, "ipp2p" is assumed. -# -# Service name from /etc/services or port number. May -# only be specified if the protocol is TCP or UDP (6 -# or 17). -# -# SOURCE PORT Source Port number -# -# Service name from /etc/services or port number. 
May -# only be specified if the protocol is TCP or UDP (6 -# or 17). -# -# USER/GROUP This column may only be non-empty if the CHAIN is -# OUTPUT. -# -# The column may contain: -# -# [!][][:] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# -# In all of the above columns except ACTION and CHAIN, the values "-", -# "any" and "all" may be used as wildcards -# -# Please see http://shorewall.net/Accounting.html for examples and -# additional information about how to use this file. -# -#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ -# PORT PORT GROUP -# -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/actions b/Lrp2/etc/shorewall/actions deleted file mode 100644 index c057929d5..000000000 --- a/Lrp2/etc/shorewall/actions +++ /dev/null 
@@ -1,32 +0,0 @@ -# -# Shorewall 2.2 /etc/shorewall/actions -# -# This file allows you to define new ACTIONS for use in rules -# (/etc/shorewall/rules). You define the iptables rules to -# be performed in an ACTION in -# /etc/shorewall/action.. -# -# ACTION names should begin with an upper-case letter to -# distinguish them from Shorewall-generated chain names and -# they must meet the requirements of a Netfilter chain. If -# you intend to log from the action then the name must be -# no longer than 11 character in length. Names must also -# meet the requirements for a Bourne Shell identifier (must -# begin with a letter and be composed of letters, digits and -# underscore characters). -# -# If you follow the action name with ":DROP", ":REJECT" or -# :ACCEPT then the action will be taken before a DROP, REJECT or -# ACCEPT policy respectively is enforced. If you specify ":DROP", -# ":REJECT" or ":ACCEPT" on more than one action then only the -# last such action will be taken. -# -# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by -# itself, the associated policy will have no common action. -# -# Please see http://shorewall.net/Actions.html for additional -# information. -# -#ACTION - -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/blacklist b/Lrp2/etc/shorewall/blacklist deleted file mode 100644 index 8511c3137..000000000 --- a/Lrp2/etc/shorewall/blacklist +++ /dev/null 
@@ -1,48 +0,0 @@ -# -# Shorewall 2.2 -- Blacklist File -# -# /etc/shorewall/blacklist -# -# This file contains a list of IP addresses, MAC addresses and/or subnetworks. -# -# Columns are: -# -# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address -# range (if your kernel and iptables contain iprange -# match support). -# -# MAC addresses must be prefixed with "~" and use "-" -# as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# PROTOCOL - Optional. If specified, must be a protocol number -# or a protocol name from /etc/protocols. -# -# PORTS - Optional. May only be specified if the protocol -# is TCP (6) or UDP (17). A comma-separated list -# of port numbers or service names from /etc/services. -# -# When a packet arrives on an interface that has the 'blacklist' option -# specified in /etc/shorewall/interfaces, its source IP address is checked -# against this file and disposed of according to the BLACKLIST_DISPOSITION and -# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf -# -# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching -# the protocol (and one of the ports if PORTS supplied) are blocked. -# -# Example: -# -# To block DNS queries from address 192.0.2.126: -# -# ADDRESS/SUBNET PROTOCOL PORT -# 192.0.2.126 udp 53 -# -# Please see http://shorewall.net/blacklisting_support.htm for additional -# information. -# -############################################################################### -#ADDRESS/SUBNET PROTOCOL PORT -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - diff --git a/Lrp2/etc/shorewall/continue b/Lrp2/etc/shorewall/continue deleted file mode 100644 index d1300c577..000000000 --- a/Lrp2/etc/shorewall/continue +++ /dev/null 
@@ -1,8 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/continue -# -# Add commands below that you want to be executed after shorewall has -# cleared any existing Netfilter rules and has enabled existing connections. -# -# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm -# diff --git a/Lrp2/etc/shorewall/ecn b/Lrp2/etc/shorewall/ecn deleted file mode 100644 index 77b981b76..000000000 --- a/Lrp2/etc/shorewall/ecn +++ /dev/null @@ -1,22 +0,0 @@ -# -# Shorewall 2.2 - /etc/shorewall/ecn -# -# Use this file to list the destinations for which you want to -# disable ECN. -# -# This feature requires kernel 2.4.20 or later. If you run 2.4.20, -# you also need the patch found at http://www.shorewall.net/ecn/patch. -# That patch is included in kernels 2.4.21 and later. -# -# INTERFACE - Interface through which host(s) communicate with -# the firewall -# HOST(S) - (Optional) Comma-separated list of IP/subnet -# If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. If your kernel and iptables -# include iprange match support then IP address ranges -# are also permitted. -# -# For additional information, see http://shorewall.net/Documentation.htm#ECN -############################################################################## -#INTERFACE HOST(S) -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/hosts b/Lrp2/etc/shorewall/hosts deleted file mode 100644 index 0016f976d..000000000 --- a/Lrp2/etc/shorewall/hosts +++ /dev/null 
@@ -1,141 +0,0 @@ -# -# Shorewall 2.2 - /etc/shorewall/hosts -# -# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN -# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. -# -# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. -#------------------------------------------------------------------------------ -# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN -# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT -# ZONE AND INTERFACE IN THIS FILE. -#------------------------------------------------------------------------------ -# This file is used to define zones in terms of subnets and/or -# individual IP addresses. Most simple setups don't need to -# (should not) place anything in this file. -# -# The order of entries in this file is not significant in -# determining zone composition. Rather, the order that the zones -# are defined in /etc/shorewall/zones determines the order in -# which the records in this file are interpreted. -# -# ZONE - The name of a zone defined in /etc/shorewall/zones -# -# HOST(S) - The name of an interface defined in the -# /etc/shorewall/interfaces file followed by a colon (":") and -# a comma-separated list whose elements are either: -# -# a) The IP address of a host -# b) A subnetwork in the form -# / -# c) An IP address range of the form -. Your kernel and iptables must have iprange -# match support. -# d) A physical port name; only allowed when the -# interface names a bridge created by the -# brctl addbr command. This port must not -# be defined in /etc/shorewall/interfaces and may -# optionally followed by a colon (":") and a -# host or network IP or a range. -# See http://www.shorewall.net/Bridge.html for details. -# -# Examples: -# -# eth1:192.168.1.3 -# eth2:192.168.2.0/24 -# eth3:192.168.2.0/24,192.168.3.1 -# br0:eth4 -# br0:eth0:192.168.1.16/28 -# eth4:192.168.1.44-192.168.1.49 -# -# OPTIONS - A comma-separated list of options. 
Currently-defined -# options are: -# -# maclist - Connection requests from these hosts -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# -# routeback - Shorewall should set up the infrastructure -# to pass packets from this/these -# address(es) back to themselves. This is -# necessary if hosts in this group use the -# services of a transparent proxy that is -# a member of the group or if DNAT is used -# to send requests originating from this -# group to a server in the group. -# -# norfc1918 - This option only makes sense for ports -# on a bridge. -# -# The port should not accept -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling or -# connection-tracking match is enabled in -# your kernel, packets whose destination -# addresses are reserved by RFC 1918 are -# also rejected. -# -# nobogons - This option only makes sense for ports -# on a bridge. -# -# This port should not accept -# any packets whose source is in one -# of the ranges reserved by IANA (this -# option does not cover those ranges -# reserved by RFC 1918 -- see -# 'norfc1918' above). -# -# blacklist - This option only makes sense for ports -# on a bridge. -# -# Check packets arriving on this port -# against the /etc/shorewall/blacklist -# file. -# -# tcpflags - Packets arriving from these hosts are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# -# nosmurfs - This option only makes sense for ports -# on a bridge. -# -# Filter packets for smurfs -# (packets with a broadcast -# address as the source). 
-# -# Smurfs will be optionally logged based -# on the setting of SMURF_LOG_LEVEL in -# shorewall.conf. After logging, the -# packets are dropped. -# -# newnotsyn - TCP packets that don't have the SYN -# flag set and which are not part of an -# established connection will be accepted -# from these hosts, even if -# NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. -# -# This option has no effect if -# NEWNOTSYN=Yes. -# -# ipsec - The zone is accessed via a -# kernel 2.6 ipsec SA. Note that if the -# zone named in the ZONE column is -# specified as an IPSEC zone in the -# /etc/shorewall/ipsec file then you do NOT -# need to specify the 'ipsec' option here. -# -# For additional information, see http://shorewall.net/Documentation.htm#Hosts -# -#ZONE HOST(S) OPTIONS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/init b/Lrp2/etc/shorewall/init deleted file mode 100644 index 571a9b31d..000000000 --- a/Lrp2/etc/shorewall/init +++ /dev/null @@ -1,8 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/init -# -# Add commands below that you want to be executed at the beginning of -# a "shorewall start" or "shorewall restart" command. -# -# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm -# diff --git a/Lrp2/etc/shorewall/initdone b/Lrp2/etc/shorewall/initdone deleted file mode 100644 index 74460af0e..000000000 --- a/Lrp2/etc/shorewall/initdone +++ /dev/null @@ -1,9 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/initdone -# -# Add commands below that you want to be executed during -# "shorewall start" or "shorewall restart" commands at the point where -# Shorewall has not yet added any perminent rules to the builtin chains. -# -# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm -# 
diff --git a/Lrp2/etc/shorewall/interfaces b/Lrp2/etc/shorewall/interfaces
deleted file mode 100644
index 88f2a800b..000000000
--- a/Lrp2/etc/shorewall/interfaces
+++ /dev/null
@@ -1,212 +0,0 @@
-#
-# Shorewall 2.2 -- Interfaces File
-#
-# /etc/shorewall/interfaces
-#
-# You must add an entry in this file for each network interface on your
-# firewall system.
-#
-# Columns are:
-#
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
-#
-# If the interface serves multiple zones that will be
-# defined in the /etc/shorewall/hosts file, you should
-# place "-" in this column.
-#
-# INTERFACE Name of interface. Each interface may be listed only
-# once in this file. You may NOT specify the name of
-# an alias (e.g., eth0:0) here; see
-# http://www.shorewall.net/FAQ.htm#faq18
-#
-# You may specify wildcards here. For example, if you
-# want to make an entry that applies to all PPP
-# interfaces, use 'ppp+'.
-#
-# There is no need to define the loopback interface (lo)
-# in this file.
-#
-# BROADCAST The broadcast address for the subnetwork to which the
-# interface belongs. For P-T-P interfaces, this
-# column is left blank.If the interface has multiple
-# addresses on multiple subnets then list the broadcast
-# addresses as a comma-separated list.
-#
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
-# select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
-#
-# If you don't want to give a value for this column but
-# you want to enter a value in the OPTIONS column, enter
-# "-" in this column.
-#
-# OPTIONS A comma-separated list of options including the
-# following:
-#
-# dhcp - Specify this option when any of
-# the following are true:
-# 1. the interface gets its IP address
-# via DHCP
-# 2. the interface is used by
-# a DHCP server running on the firewall
-# 3. you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP
-# clients.
-# 4. the interface is a bridge with
-# a DHCP server on one port and DHCP
-# clients on another port.
-#
-# norfc1918 - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# nobogons - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by IANA (this
-# option does not cover those ranges
-# reserved by RFC 1918 -- see above).
-#
-# I PERSONALLY RECOMMEND AGAINST USING
-# THE 'nobogons' OPTION.
-#
-# routefilter - turn on kernel route filtering for this
-# interface (anti-spoofing measure). This
-# option can also be enabled globally in
-# the /etc/shorewall/shorewall.conf file.
-#
-# logmartians - turn on kernel martian logging (logging
-# of packets with impossible source
-# addresses. It is suggested that if you
-# set routefilter on an interface that
-# you also set logmartians. This option
-# may also be enabled globally in the
-# /etc/shorewall/shorewall.conf file.
-#
-# blacklist - Check packets arriving on this interface
-# against the /etc/shorewall/blacklist
-# file.
-#
-# maclist - Connection requests from this interface
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# tcpflags - Packets arriving on this interface are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# proxyarp -
-# Sets
-# /proc/sys/net/ipv4/conf//proxy_arp.
-# Do NOT use this option if you are
-# employing Proxy ARP through entries in
-# /etc/shorewall/proxyarp.
This option is
-# intended soley for use with Proxy ARP
-# sub-networking as described at:
-# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this interface
-# are processed as if NEWNOTSYN=Yes had been
-# specified in /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
-# should include rules that allow filtering
-# traffic arriving on this interface back
-# out that same interface.
-#
-# arp_filter - If specified, this interface will only
-# respond to ARP who-has requests for IP
-# addresses configured on the interface.
-# If not specified, the interface can
-# respond to ARP who-has requests for
-# IP addresses on any of the firewall's
-# interface. The interface must be up
-# when Shorewall is started.
-#
-# nosmurfs - Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# detectnets - Automatically taylors the zone named
-# in the ZONE column to include only those
-# hosts routed through the interface.
-# upnp - Incoming requests from this interface may
-# be remapped via UPNP (upnpd).
-#
-# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE.
-#
-# The order in which you list the options is not
-# significant but the list should have no embedded white
-# space.
-#
-# Example 1: Suppose you have eth0 connected to a DSL modem and
-# eth1 connected to your local network and that your
-# local subnet is 192.168.1.0/24. The interface gets
-# it's IP address via DHCP from subnet
-# 206.191.149.192/27. You have a DMZ with subnet
-# 192.168.2.0/24 using eth2.
-#
-# Your entries for this setup would look like:
-#
-# net eth0 206.191.149.223 dhcp
-# local eth1 192.168.1.255
-# dmz eth2 192.168.2.255
-#
-# Example 2: The same configuration without specifying broadcast
-# addresses is:
-#
-# net eth0 detect dhcp
-# loc eth1 detect
-# dmz eth2 detect
-#
-# Example 3: You have a simple dial-in system with no ethernet
-# connections.
-#
-# net ppp0 -
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
-#
-##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-#
-net eth0 detect dhcp,routefilter,norfc1918
-loc eth1 detect dhcp
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/ipsec b/Lrp2/etc/shorewall/ipsec
deleted file mode 100644
index b6692d8fd..000000000
--- a/Lrp2/etc/shorewall/ipsec
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Shorewall 2.2 - /etc/shorewall/ipsec
-#
-# This file defines the attributes of zones with respect to
-# IPSEC. To use this file, you must be running a 2.6 kernel and
-# both your kernel and iptables must include Policy Match Support.
-#
-# The columns are:
-#
-# ZONE The name of a zone defined in /etc/shorewall/zones. The
-# $FW zone may not be listed.
-#
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY No -- Communication with some zone hosts is encrypted.
-# Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
-#
-# OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS,
-# OUT OPTIONS reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA used to encrypt/decrypt packets.
-#
-# proto=ah|esp|ipcomp
-#
-# mss= (sets the MSS field in TCP packets)
-#
-# mode=transport|tunnel
-#
-# tunnel-src=
[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=
[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all rules.
-#
-# next Separates rules; can only be used with
-# strict..
-#
-# Example:
-# mode=transport,reqid=44
-#
-# The options in the OPTIONS column are applied to both incoming
-# and outgoing traffic. The IN OPTIONS are applied to incoming
-# traffic (in addition to OPTIONS) and the OUT OPTIONS are
-# applied to outgoing traffic.
-#
-# If you wish to leave a column empty but need to make an entry
-# in a following column, use "-".
-###################################################################################
-#ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
diff --git a/Lrp2/etc/shorewall/maclist b/Lrp2/etc/shorewall/maclist
deleted file mode 100644
index f364048cd..000000000
--- a/Lrp2/etc/shorewall/maclist
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# Shorewall 2.2 - MAC list file
-#
-# This file is used to define the MAC addresses and optionally their
-# associated IP addresses to be allowed to use the specified interface.
-# The feature is enabled by using the maclist option in the interfaces
-# or hosts configuration file.
-#
-# /etc/shorewall/maclist
-#
-# Columns are:
-#
-# INTERFACE Network interface to a host. If the interface
-# names a bridge, it may be optionally followed by
-# a colon (":") and a physical port name (e.g.,
-# br0:eth4).
-#
-# MAC MAC address of the host -- you do not need to use
-# the Shorewall format for MAC addresses here
-#
-# IP ADDRESSES Optional -- if specified, both the MAC and IP address
-# must match. This column can contain a comma-separated
-# list of host and/or subnet addresses. If your kernel
-# and iptables have iprange match support then IP
-# address ranges are also allowed.
-#
-# For additional information, see http://shorewall.net/MAC_Validation.html
-#
-##############################################################################
-#INTERFACE MAC IP ADDRESSES (Optional)
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/masq b/Lrp2/etc/shorewall/masq
deleted file mode 100644
index f5e1cea76..000000000
--- a/Lrp2/etc/shorewall/masq
+++ /dev/null
@@ -1,217 +0,0 @@
-#
-# Shorewall 2.2 - Masquerade file
-#
-# /etc/shorewall/masq
-#
-# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
-# (SNAT).
-#
-# Columns are:
-#
-# INTERFACE -- Outgoing interface. This is usually your internet
-# interface. If ADD_SNAT_ALIASES=Yes in
-# /etc/shorewall/shorewall.conf, you may add ":" and
-# a digit to indicate that you want the alias added with
-# that name (e.g., eth0:0). This will allow the alias to
-# be displayed with ifconfig. THAT IS THE ONLY USE FOR
-# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
-# PLACE IN YOUR SHOREWALL CONFIGURATION.
-#
-# This may be qualified by adding the character
-# ":" followed by a destination host or subnet.
-#
-# If you wish to inhibit the action of ADD_SNAT_ALIASES
-# for this entry then include the ":" but omit the digit:
-#
-# eth0:
-# eth2::192.0.2.32/27
-#
-# Normally Masq/SNAT rules are evaluated after those for
-# one-to-one NAT (/etc/shorewall/nat file). If you want
-# the rule to be applied before one-to-one NAT rules,
-# prefix the interface name with "+":
-#
-# +eth0
-# +eth0:192.0.2.32/27
-# +eth0:2
-#
-# This feature should only be required if you need to
-# insert rules in this file that preempt entries in
-# /etc/shorewall/nat.
-#
-# SUBNET -- Subnet that you wish to masquerade. You can specify this as
-# a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
-#
-# In order to exclude a subset of the specified SUBNET, you
-# may append "!" and a comma-separated list of IP addresses
-# and/or subnets that you wish to exclude.
-#
-# Example: eth1!192.168.1.4,192.168.32.0/27
-#
-# In that example traffic from eth1 would be masqueraded unless
-# it came from 192.168.1.4 or 196.168.32.0/27
-#
-# ADDRESS -- (Optional). If you specify an address here, SNAT will be
-# used and this will be the source address.
If
-# ADD_SNAT_ALIASES is set to Yes or yes in
-# /etc/shorewall/shorewall.conf then Shorewall
-# will automatically add this address to the
-# INTERFACE named in the first column.
-#
-# You may also specify a range of up to 256
-# IP addresses if you want the SNAT address to
-# be assigned from that range in a round-robin
-# range by connection. The range is specified by
-# -.
-#
-# Example: 206.124.146.177-206.124.146.180
-#
-# Finally, you may also specify a comma-separated
-# list of ranges and/or addresses in this column.
-#
-# This column may not contain DNS Names.
-#
-# Normally, Netfilter will attempt to retain
-# the source port number. You may cause
-# netfilter to remap the source port by following
-# an address or range (if any) by ":" and
-# a port range with the format -
-# . If this is done, you must
-# specify "tcp" or "udp" in the PROTO column.
-#
-# Examples:
-#
-# 192.0.2.4:5000-6000
-# :4000-5000
-#
-# You can invoke the SAME target using the
-# following in this column:
-#
-# SAME:[nodst:][,...]
-#
-# The may be single addresses.
-#
-# SAME works like SNAT with the exception that the
-# same local IP address is assigned to each connection
-# from a local address to a given remote address. If
-# the 'nodst:' option is included, then the same source
-# address is used for a given internal system regardless
-# of which remote system is involved.
-#
-# If you want to leave this column empty
-# but you need to specify the next column then
-# place a hyphen ("-") here.
-#
-# PROTO -- (Optional) If you wish to restrict this entry to a
-# particular protocol then enter the protocol
-# name (from /etc/protocols) or number here.
-#
-# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
-# or UDP (protocol 17) then you may list one
-# or more port numbers (or names from
-# /etc/services) separated by commas or you
-# may list a single port range
-# (:).
-#
-# Where a comma-separated list is given, your
-# kernel and iptables must have multiport match
-# support and a maximum of 15 ports may be
-# listed.
-#
-# IPSEC -- (Optional) If you specify a value other than "-" in this
-# column, you must be running kernel 2.6 and
-# your kernel and iptables must include policy
-# match support.
-#
-# Comma-separated list of options from the following.
-# Only packets that will be encrypted via an SA that
-# matches these options will have their source address
-# changed.
-#
-# Yes or yes -- must be the only option listed
-# and matches all outbound traffic that will be
-# encrypted.
-#
-# reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA.
-#
-# proto=ah|esp|ipcomp
-#
-# mode=transport|tunnel
-#
-# tunnel-src=
[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=
[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all
-# rules.
-#
-# next Separates rules; can only be used
-# with strict..
-#
-# Example 1:
-#
-# You have a simple masquerading setup where eth0 connects to
-# a DSL or cable modem and eth1 connects to your local network
-# with subnet 192.168.0.0/24.
-#
-# Your entry in the file can be either:
-#
-# eth0 eth1
-#
-# or
-#
-# eth0 192.168.0.0/24
-#
-# Example 2:
-#
-# You add a router to your local network to connect subnet
-# 192.168.1.0/24 which you also want to masquerade. You then
-# add a second entry for eth0 to this file:
-#
-# eth0 192.168.1.0/24
-#
-# Example 3:
-#
-# You have an IPSEC tunnel through ipsec0 and you want to
-# masquerade packets coming from 192.168.1.0/24 but only if
-# these packets are destined for hosts in 10.1.1.0/24:
-#
-# ipsec0:10.1.1.0/24 196.168.1.0/24
-#
-# Example 4:
-#
-# You want all outgoing traffic from 192.168.1.0/24 through
-# eth0 to use source address 206.124.146.176 which is NOT the
-# primary address of eth0. You want 206.124.146.176 added to
-# be added to eth0 with name eth0:0.
-#
-# eth0:0 192.168.1.0/24 206.124.146.176
-#
-# Example 5:
-#
-# You want all outgoing SMTP traffic entering the firewall
-# on eth1 to be sent from eth0 with source IP address
-# 206.124.146.177. You want all other outgoing traffic
-# from eth1 to be sent from eth0 with source IP address
-# 206.124.146.176.
-#
-# eth0 eth1 206.124.146.177 tcp smtp
-# eth0 eth1 206.124.146.176
-#
-# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
-###############################################################################
-#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
-eth0 eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/modules b/Lrp2/etc/shorewall/modules
deleted file mode 100644
index 4b969b4bb..000000000
--- a/Lrp2/etc/shorewall/modules
+++ /dev/null
@@ -1,22 +0,0 @@
-##############################################################################
-# Shorewall 2.2 /etc/shorewall/modules
-#
-# This file loads the modules needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1 before
-# you load M2.
-#
-# For additional information, see http://shorewall.net/Documentation.htm#modules
-
- loadmodule ip_tables
- loadmodule iptable_filter
- loadmodule ip_conntrack
- loadmodule ip_conntrack_ftp
- loadmodule ip_conntrack_tftp
- loadmodule ip_conntrack_irc
- loadmodule iptable_nat
- loadmodule ip_nat_ftp
- loadmodule ip_nat_tftp
- loadmodule ip_nat_irc
-
diff --git a/Lrp2/etc/shorewall/nat b/Lrp2/etc/shorewall/nat
deleted file mode 100644
index 5078bec21..000000000
--- a/Lrp2/etc/shorewall/nat
+++ /dev/null
@@ -1,47 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Network Address Translation Table
-#
-# /etc/shorewall/nat
-#
-# This file is used to define one-to-one Network Address Translation
-# (NAT).
-#
-# WARNING: If all you want to do is simple port forwarding, do NOT use this
-# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
-# cases, Proxy ARP is a better solution that one-to-one NAT.
-#
-# Columns must be separated by white space and are:
-#
-# EXTERNAL External IP Address - this should NOT be the primary
-# IP address of the interface named in the next
-# column and must not be a DNS Name.
-#
-# INTERFACE Interface that you want to EXTERNAL address to appear
-# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
-# follow the interface name with ":" and a digit to
-# indicate that you want Shorewall to add the alias
-# with this name (e.g., "eth0:0"). That allows you to
-# see the alias with ifconfig. THAT IS THE ONLY THING
-# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
-# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
-#
-# If you want to override ADD_IP_ALIASES=Yes for a
-# particular entry, follow the interface name with
-# ":" and no digit (e.g., "eth0:").
-# INTERNAL Internal Address (must not be a DNS Name).
-#
-# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
-# If No or no (or left empty) then NAT will be effective
-# only through the interface named in the INTERFACE
-# column
-#
-# LOCAL If Yes or yes, NAT will be effective from the firewall
-# system
-#
-# For additional information, see http://shorewall.net/NAT.htm
-##############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
-# INTERFACES
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/netmap b/Lrp2/etc/shorewall/netmap
deleted file mode 100644
index 8faac6fc1..000000000
--- a/Lrp2/etc/shorewall/netmap
+++ /dev/null
@@ -1,38 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Network Mapping Table
-#
-# /etc/shorewall/netmap
-#
-# This file is used to map addresses in one network to corresponding
-# addresses in a second network.
-#
-# WARNING: To use this file, your kernel and iptables must have
-# NETMAP support included.
-#
-# Columns must be separated by white space and are:
-#
-# TYPE Must be DNAT or SNAT.
-#
-# If DNAT, traffic entering INTERFACE and addressed to
-# NET1 has it's destination address rewritten to the
-# corresponding address in NET2.
-#
-# If SNAT, traffic leaving INTERFACE with a source
-# address in NET1 has it's source address rewritten to
-# the corresponding address in NET2.
-#
-# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
-#
-# INTERFACE The name of a network interface. The interface must
-# be defined in /etc/shorewall/interfaces.
-#
-# NET2 Network in CIDR format
-#
-# See http://shorewall.net/netmap.html for an example and usage
-# information.
-#
-##############################################################################
-#TYPE NET1 INTERFACE NET2
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/params b/Lrp2/etc/shorewall/params
deleted file mode 100644
index 24d1c94ae..000000000
--- a/Lrp2/etc/shorewall/params
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Shorewall 2.2 /etc/shorewall/params
-#
-# Assign any variables that you need here.
-#
-# It is suggested that variable names begin with an upper case letter
-# to distinguish them from variables used internally within the
-# Shorewall programs
-#
-# Example:
-#
-# NET_IF=eth0
-# NET_BCAST=130.252.100.255
-# NET_OPTIONS=routefilter,norfc1918
-#
-# Example (/etc/shorewall/interfaces record):
-#
-# net $NET_IF $NET_BCAST $NET_OPTIONS
-#
-# The result will be the same as if the record had been written
-#
-# net eth0 130.252.100.255 routefilter,norfc1918
-#
-##############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/policy b/Lrp2/etc/shorewall/policy
deleted file mode 100644
index 49ebf8e62..000000000
--- a/Lrp2/etc/shorewall/policy
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Shorewall 2.2 -- Policy File
-#
-# /etc/shorewall/policy
-#
-# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
-#
-# This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file . For each
-# source/destination pair, the file is processed in order until a
-# match is found ("all" will match any client or server).
-#
-# Columns are:
-#
-# SOURCE Source zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all".
-#
-# DEST Destination zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all"
-#
-# POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
-#
-# ACCEPT - Accept the connection
-# DROP - Ignore the connection request
-# REJECT - For TCP, send RST. For all other, send
-# "port unreachable" ICMP.
-# QUEUE - Send the request to a user-space
-# application using the QUEUE target.
-# CONTINUE - Pass the connection request past
-# any other rules that it might also
-# match (where the source or destination
-# zone in those rules is a superset of
-# the SOURCE or DEST in this policy).
-# NONE - Assume that there will never be any
-# packets from this SOURCE
-# to this DEST. Shorewall will not set up
-# any infrastructure to handle such
-# packets and you may not have any rules
-# with this SOURCE and DEST in the
-# /etc/shorewall/rules file. If such a
-# packet _is_ received, the result is
-# undefined. NONE may not be used if the
-# SOURCE or DEST columns contain the
-# firewall zone ($FW) or "all".
-#
-# If this column contains ACCEPT, DROP or REJECT and a
-# corresponding common action is defined in
-# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
-# then that action will be invoked before the policy named in
-# this column is inforced.
-#
-# LOG LEVEL If supplied, each connection handled under the default
-# POLICY is logged at that level.
If not supplied, no
-# log message is generated. See syslog.conf(5) for a
-# description of log levels.
-#
-# Beginning with Shorewall version 1.3.12, you may
-# also specify ULOG (must be in upper case). This will
-# log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# If you don't want to log but need to specify the
-# following column, place "-" here.
-#
-# LIMIT:BURST If passed, specifies the maximum TCP connection rate
-# and the size of an acceptable burst. If not specified,
-# TCP connections are not limited.
-#
-# As shipped, the default policies are:
-#
-# a) All connections from the local network to the internet are allowed
-# b) All connections from the internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-###############################################################################
-#SOURCE DEST POLICY LOG LIMIT:BURST
-# LEVEL
-loc net ACCEPT
-net all DROP ULOG
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-#fw net ACCEPT
-
-#
-# THE FOLLOWING POLICY MUST BE LAST
-#
-all all REJECT ULOG
-#LAST LINE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/proxyarp b/Lrp2/etc/shorewall/proxyarp
deleted file mode 100644
index a48fefc53..000000000
--- a/Lrp2/etc/shorewall/proxyarp
+++ /dev/null
@@ -1,46 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Proxy ARP
-#
-# /etc/shorewall/proxyarp
-#
-# This file is used to define Proxy ARP.
-#
-# Columns must be separated by white space and are:
-#
-# ADDRESS IP Address
-#
-# INTERFACE Local interface where system is connected. If the
-# local interface is obvious from the subnetting,
-# you may enter "-" in this column.
-#
-# EXTERNAL External Interface to be used to access this system
-#
-# HAVEROUTE If there is already a route from the firewall to
-# the host whose address is given, enter "Yes" or "yes"
-# in this column. Otherwise, entry "no", "No" or leave
-# the column empty and Shorewall will add the route for
-# you. If Shorewall adds the route,the route will be
-# persistent if the PERSISTENT column contains Yes;
-# otherwise, "shorewall stop" or "shorewall clear" will
-# delete the route.
-#
-# PERSISTENT If HAVEROUTE is No or "no", then the value of this
-# column determines if the route added by Shorewall
-# persists after a "shorewall stop" or a "shorewall
-# clear". If this column contains "Yes" or "yes" then
-# the route persists; If the column is empty or contains
-# "No"or "no" then the route is deleted at "shorewall
-# stop" or "shorewall clear".
-#
-# Example: Host with IP 155.186.235.6 is connected to
-# interface eth1 and we want hosts attached via eth0
-# to be able to access it using that address.
-#
-# #ADDRESS INTERFACE EXTERNAL
-# 155.186.235.6 eth1 eth0
-#
-# See http://shorewall.net/ProxyARP.htm for additional information.
-##############################################################################
-#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/routestopped b/Lrp2/etc/shorewall/routestopped
deleted file mode 100644
index 64b0fe504..000000000
--- a/Lrp2/etc/shorewall/routestopped
+++ /dev/null
@@ -1,40 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
-#
-# /etc/shorewall/routestopped
-#
-# This file is used to define the hosts that are accessible when the
-# firewall is stopped or when it is in the process of being
-# [re]started.
-#
-# Columns must be separated by white space and are:
-#
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# addresses. If your kernel and iptables include
-# iprange match support, IP address ranges are also
-# allowed.
-#
-# If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
-# OPTIONS - (Optional) A comma-separated list of
-# options. The currently-supported options are:
-#
-# routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
-#
-# Example:
-#
-# INTERFACE HOST(S) OPTIONS
-# eth2 192.168.1.0/24
-# eth0 192.0.2.44
-# br0 - routeback
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-##############################################################################
-#INTERFACE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/rules b/Lrp2/etc/shorewall/rules
deleted file mode 100644
index 7944e01d4..000000000
--- a/Lrp2/etc/shorewall/rules
+++ /dev/null
@@ -1,371 +0,0 @@
-#
-# Shorewall version 2.2 - Rules File
-#
-# /etc/shorewall/rules
-#
-# Rules in this file govern connection establishment. Requests and
-# responses are automatically allowed using connection tracking. For any
-# particular (source,dest) pair of zones, the rules are evaluated in the
-# order in which they appear in this file and the first match is the one
-# that determines the disposition of the request.
-#
-# In most places where an IP address or subnet is allowed, you
-# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
-# indicate that the rule matches all addresses except the address/subnet
-# given. Notice that no white space is permitted between "!" and the
-# address/subnet.
-#------------------------------------------------------------------------------
-# WARNING: If you masquerade or use SNAT from a local system to the internet,
-# you cannot use an ACCEPT rule to allow traffic from the internet to
-# that system. You *must* use a DNAT rule instead.
-#-------------------------------------------------------------------------------#
-# Columns are:
-#
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-# LOG, QUEUE or an .
-#
-# ACCEPT -- allow the connection request
-# ACCEPT+ -- like ACCEPT but also excludes the
-# connection from any subsequent
-# DNAT[-] or REDIRECT[-] rules
-# NONAT -- Excludes the connection from any
-# subsequent DNAT[-] or REDIRECT[-]
-# rules but doesn't generate a rule
-# to accept the traffic.
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# DNAT -- Forward the request to another
-# system (and optionally another
-# port).
-# DNAT- -- Advanced users only.
-# Like DNAT but only generates the
-# DNAT iptables rule and not
-# the companion ACCEPT rule.
-# SAME -- Similar to DNAT except that the
-# port may not be remapped and when
-# multiple server addresses are
-# listed, all requests from a given
-# remote system go to the same
-# server.
-# SAME- -- Advanced users only.
-# Like SAME but only generates the
-# NAT iptables rule and not
-# the companion ACCEPT rule.
-# REDIRECT -- Redirect the request to a local
-# port on the firewall.
-# REDIRECT-
-# -- Advanced users only.
-# Like REDIRET but only generates the
-# REDIRECT iptables rule and not
-# the companion ACCEPT rule.
-#
-# CONTINUE -- (For experts only). Do not process
-# any of the following rules for this
-# (source zone,destination zone). If
-# The source and/or destination IP
-# address falls into a zone defined
-# later in /etc/shorewall/zones, this
-# connection request will be passed
-# to the rules defined for that
-# (those) zone(s).
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as ftwall
-# (http://p2pwall.sf.net).
-# -- The name of an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std.
-#
-# The ACTION may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT:debug). This causes the packet to be
-# logged at the specified level.
-#
-# If the ACTION names an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std then:
-#
-# - If the log level is followed by "!' then all rules
-# in the action are logged at the log level.
-#
-# - If the log level is not followed by "!" then only
-# those rules in the action that do not specify
-# logging are logged at the specified level.
-#
-# - The special log level 'none!' suppresses logging
-# by the action.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all" or "none" If the ACTION is DNAT or
-# REDIRECT, sub-zones of the specified zone may be
-# excluded from the rule by following the zone name with
-# "!' and a comma-separated list of sub-zone names.
-#
-# When "none" is used either in the SOURCE or DEST column,
-# the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. You must add
-# separate rules to handle that traffic.
-#
-# Except when "all" is specified, clients may be further
-# restricted to a list of subnets and/or hosts by
-# appending ":" and a comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# Hosts may be specified as an IP address range using the
-# syntax -. This requires that
-# your kernel and iptables contain iprange match support.
-#
-# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
-#
-# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
-# Internet
-#
-# loc:192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2 in the local zone.
-# loc:~00-A0-C9-15-39-78 Host in the local zone with
-# MAC address 00:A0:C9:15:39:78.
-#
-# net:192.0.2.11-192.0.2.17
-# Hosts 192.0.2.11-192.0.2.17 in
-# the net zone.
-#
-# Alternatively, clients may be specified by interface
-# by appending ":" to the zone name followed by the
-# interface name. For example, loc:eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., loc:eth1:192.168.1.5).
-#
-# DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones, $FW to indicate the firewall
-# itself, "all" or "none".
-#
-# When "none" is used either in the SOURCE or DEST column,
-# the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. You must add
-# separate rules to handle that traffic.
-#
-# Except when "all" is specified, the server may be
-# further restricted to a particular subnet, host or
-# interface by appending ":" and the subnet, host or
-# interface. See above.
-#
-# Restrictions:
-#
-# 1. MAC addresses are not allowed.
-# 2. In DNAT rules, only IP addresses are
-# allowed; no FQDNs or subnet addresses
-# are permitted.
-# 3. You may not specify both an interface and
-# an address.
-#
-# Like in the SOURCE column, you may specify a range of
-# up to 256 IP addresses using the syntax
-# -. When the ACTION is DNAT or DNAT-,
-# the connections will be assigned to addresses in the
-# range in a round-robin fashion.
-#
-# The port that the server is listening on may be
-# included and separated from the server's IP address by
-# ":". If omitted, the firewall will not modifiy the
-# destination port. A destination port may only be
-# included if the ACTION is DNAT or REDIRECT.
-#
-# Example: loc:192.168.1.3:3128 specifies a local
-# server at IP address 192.168.1.3 and listening on port
-# 3128. The port number MUST be specified as an integer
-# and not as a name from /etc/services.
-#
-# if the ACTION is REDIRECT, this column needs only to
-# contain the port number on the firewall that the
-# request should be redirected to.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no port is given, "ipp2p" is
-# assumed.
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ORIGINAL DEST in the next column, then place
-# "-" in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
-# REDIRECT[-]) If included and different from the IP
-# address given in the SERVER column, this is an address
-# on some interface on the firewall and connections to
-# that address will be forwarded to the IP and port
-# specified in the DEST column.
-#
-# A comma-separated list of addresses may also be used.
-# This is usually most useful with the REDIRECT target
-# where you want to redirect traffic destined for
-# particular set of hosts.
-#
-# Finally, if the list of addresses begins with "!" then
-# the rule will be followed only if the original
-# destination address in the connection request does not
-# match any of the addresses listed.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this colume:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-#
-# Example: Accept SMTP requests from the DMZ to the internet
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
-#
-# Example: Forward all ssh and http connection requests from the internet
-# to local system 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
-#
-# Example: Forward all http connection requests from the internet
-# to local system 192.168.1.3 with a limit of 3 per second and
-# a maximum burst of 10
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# # PORT PORT(S) DEST LIMIT
-# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
-#
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
-#
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
-#
-# Example: You want to accept SSH connections to your firewall only
-# from internet IP addresses 130.252.100.69 and 130.252.100.70
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net:130.252.100.69,130.252.100.70 fw \
-# tcp 22
-####################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
-# Accept DNS connections from the firewall to the network
-#
-ACCEPT fw net tcp 53
-ACCEPT fw net udp 53
-# Accept SSH connections from the local network for administration
-#
-ACCEPT loc fw tcp 22
-# Allow Ping To Firewall
-#
-ACCEPT loc fw icmp 8
-ACCEPT net fw icmp 8
-#
-# Allow all ICMP types (including ping) From Firewall
-#
-ACCEPT fw loc icmp
-ACCEPT fw net icmp
-#
-# Bering specific rules:
-# allow loc to fw udp/53 for local/caching DNS servers to work
-# allow loc to fw tcp/80 for weblet to work
-ACCEPT loc fw udp 53
-ACCEPT loc fw tcp 80
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf
deleted file mode 100755
index 1424f33cd..000000000
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ /dev/null
@@ -1,829 +0,0 @@
-##############################################################################
-# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
-# match your setup
-#
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
-#
-# This file should be placed in /etc/shorewall
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
-# S T A R T U P E N A B L E D
-##############################################################################
-# Once you have configured Shorewall, you may change the setting of
-# this variable to 'Yes'
-
-STARTUP_ENABLED=No
-
-##############################################################################
-# L O G G I N G
-##############################################################################
-#
-# General note about log levels. Log levels are a method of describing
-# to syslog (8) the importance of a message and a number of parameters
-# in this file have log levels as their value.
-#
-# These levels are defined by syslog and are used to determine the destination
-# of the messages through entries in /etc/syslog.conf (5). The syslog
-# documentation refers to these as "priorities"; Netfilter calls them "levels"
-# and Shorewall also uses that term.
-#
-# Valid levels are:
-#
-# 7 debug
-# 6 info
-# 5 notice
-# 4 warning
-# 3 err
-# 2 crit
-# 1 alert
-# 0 emerg
-#
-# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
-# log messages are generated by NetFilter and are logged using facility
-# 'kern' and the level that you specifify. If you are unsure of the level
-# to choose, 6 (info) is a safe bet. You may specify levels by name or by
-# number.
-#
-# If you have built your kernel with ULOG target support, you may also
-# specify a log level of ULOG (must be all caps). Rather than log its
-# messages to syslogd, Shorewall will direct netfilter to log the messages
-# via the ULOG target which will send them to a process called 'ulogd'.
-# ulogd is available with most Linux distributions (although it probably isn't
-# installed by default). Ulogd is also available from
-# http://www.gnumonks.org/projects/ulogd and can be configured to log all
-# Shorewall message to their own log file
-################################################################################
-#
-# LOG FILE LOCATION
-#
-# This variable tells the /sbin/shorewall program where to look for Shorewall
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
-# /var/log/messages is assumed.
-#
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
-# look for Shorewall messages.It does NOT control the destination for
-# these messages. For information about how to do that, see
-#
-# http://www.shorewall.net/shorewall_logging.html
-
-LOGFILE=/var/log/shorewall.log
-
-#
-# LOG FORMAT
-#
-# Shell 'printf' Formatting template for the --log-prefix value in log messages
-# generated by Shorewall to identify Shorewall log messages. The supplied
-# template is expected to accept either two or three arguments; the first is
-# the chain name, the second (optional) is the logging rule number within that
-# chain and the third is the ACTION specifying the disposition of the packet
-# being logged. You must use the %d formatting type for the rule number; if your
-# template does not contain %d then the rule number will not be included.
-#
-# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
-#
-# LOGFORMAT="fp=%s:%d a=%s "
-#
-# If not specified or specified as empty (LOGFORMAT="") then the value
-# "Shorewall:%s:%s:" is assumed.
-#
-# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
-# to but not including the first '%') to find log messages in the 'show log',
-# 'status' and 'hits' commands. This part should not be omitted (the
-# LOGFORMAT should not begin with "%") and the leading part should be
-# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-#
-# LOG FORMAT Continued
-#
-# Using the default LOGFORMAT, chain names may not exceed 11 characters or
-# truncation of the log prefix may occur. Longer chain names may be used with
-# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
-# specified then the tag is included in the log prefix in place of the chain
-# name.
-#
-
-LOGTAGONLY=No
-
-#
-# LOG RATE LIMITING
-#
-# The next two variables can be used to control the amount of log output
-# generated. LOGRATE is expressed as a number followed by an optional
-# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
-# rate at which a particular message will occur. LOGBURST determines the
-# maximum initial burst size that will be logged. If set empty, the default
-# value of 5 will be used.
-#
-# If BOTH variables are set empty then logging will not be rate-limited.
-#
-# Example:
-#
-# LOGRATE=10/minute
-# LOGBURST=5
-#
-# For each logging rule, the first time the rule is reached, the packet
-# will be logged; in fact, since the burst is 5, the first five packets
-# will be logged. After this, it will be 6 seconds (1 minute divided by
-# the rate of 10) before a message will be logged from the rule, regardless
-# of how many packets reach it. Also, every 6 seconds which passes without
-# matching a packet, one of the bursts will be regained; if no packets hit
-# the rule for 30 seconds, the burst will be fully recharged; back where
-# we started.
-#
-
-LOGRATE=
-LOGBURST=
-
-#
-# LOG ALL NEW
-#
-# This option should only be used when you are trying to analyze a problem.
-# It causes all packets in the Netfilter NEW state to be logged as the
-# first rule in each builtin chain. To use this option, set LOGALLNEW to
-# the log level that you want these packets logged at (e.g.,
-# LOGALLNEW=debug).
-#
-
-LOGALLNEW=
-
-#
-# BLACKLIST LOG LEVEL
-#
-# Set this variable to the syslogd level that you want blacklist packets logged
-# (beware of DOS attacks resulting from such logging). If not set, no logging
-# of blacklist packets occurs.
-#
-# See the comment at the top of this section for a description of log levels
-#
-BLACKLIST_LOGLEVEL=
-
-#
-# LOGGING 'New not SYN' rejects
-#
-# This variable only has an effect when NEWNOTSYN=No (see below).
-#
-# When a TCP packet that does not have the SYN flag set and the ACK and RST
-# flags clear then unless the packet is part of an established connection,
-# it will be rejected by the firewall. If you want these rejects logged,
-# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-# Example: LOGNEWNOTSYN=debug
-
-
-LOGNEWNOTSYN=ULOG
-
-#
-# MAC List Log Level
-#
-# Specifies the logging level for connection requests that fail MAC
-# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
-# such connection requests will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-MACLIST_LOG_LEVEL=ULOG
-
-#
-# TCP FLAGS Log Level
-#
-# Specifies the logging level for packets that fail TCP Flags
-# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
-# such packets will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-TCP_FLAGS_LOG_LEVEL=ULOG
-
-#
-# RFC1918 Log Level
-#
-# Specifies the logging level for packets that fail RFC 1918
-# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
-# RFC1918_LOG_LEVEL=info is assumed.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-RFC1918_LOG_LEVEL=ULOG
-
-#
-# SMURF Log Level
-#
-# Specifies the logging level for smurf packets dropped by the
-#'nosmurfs' interface option in /etc/shorewall/interfaces and in
-# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
-# ) then dropped smurfs are not logged.
-
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-SMURF_LOG_LEVEL=ULOG
-
-#
-# BOGON Log Level
-#
-# Specifies the logging level for bogon packets dropped by the
-#'nobogons' interface option in /etc/shorewall/interfaces and in
-# /etc/shorewall/hosts. If set to the empty value
-# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
-# in /usr/share/shorewall/bogons are logged at the 'info' level.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-BOGON_LOG_LEVEL=ULOG
-
-#
-# MARTIAN LOGGING
-#
-# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
-# that have impossible source IP addresses. This logging may be enabled
-# on individual interfaces by using the 'logmartians' option in
-# /etc/shorewall/interfaces.
-#
-
-LOG_MARTIANS=No
-################################################################################
-# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
-################################################################################
-#
-# IPTABLES
-#
-# Full path to iptables executable Shorewall uses to build the firewall. If
-# not specified or if specified with an empty value (e.g., IPTABLES="") then
-# the iptables executable located via the PATH setting below is used.
-#
-IPTABLES=
-#
-# PATH - Change this if you want to change the order in which Shorewall
-# searches directories for executable files.
-#
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# SHELL
-#
-# The firewall script is normally interpreted by /bin/sh. If you wish to change
-# the shell used to interpret that script, specify the shell here.
-
-SHOREWALL_SHELL=/bin/sh
-
-# SUBSYSTEM LOCK FILE
-#
-# Set this to the name of the lock file expected by your init scripts. For
-# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
-# use lock files, set this to "".
-#
-
-SUBSYSLOCK=/var/run/shorewall
-
-#
-# SHOREWALL TEMPORARY STATE DIRECTORY
-#
-# This is the directory where the firewall maintains state information while
-# it is running
-#
-
-STATEDIR=/var/state/shorewall
-
-#
-# KERNEL MODULE DIRECTORY
-#
-# If your netfilter kernel modules are in a directory other than
-# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
-# directory in this variable. Example: MODULESDIR=/etc/modules.
-
-MODULESDIR=
-
-#
-# CONFIGURATION SEARCH PATH
-#
-# This option holds a list of directory names separated by colons
-# (":"). Shorewall will search each directory in turn when looking for a
-# configuration file. When processing a 'try' command or a command
-# containing the "-c" option, Shorewall will automatically add the
-# directory specified in the command to the front of this list.
-#
-# If not specified or specified as null ("CONFIG_PATH=""),
-# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-#
-# RESTORE SCRIPT
-#
-# This option determines the script to be run in the following cases:
-#
-# shorewall -f start
-# shorewall restore
-# shorewall save
-# shorewall forget
-# Failure of shorewall start or shorewall restart
-#
-# The value of the option must be the name of an executable file in the
-# directory /var/lib/shorewall. If this option is not set or if it is
-# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
-# assumed.
-
-RESTOREFILE=
-################################################################################
-# F I R E W A L L O P T I O N S
-################################################################################
-
-# NAME OF THE FIREWALL ZONE
-#
-# Name of the firewall zone -- if not set or if set to an empty string, "fw"
-# is assumed.
-#
-FW=fw
-
-#
-# ENABLE IP FORWARDING
-#
-# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
-# say "Off" or "off", packet forwarding will be disabled. You would only want
-# to disable packet forwarding if you are installing Shorewall on a
-# standalone system or if you want all traffic through the Shorewall system
-# to be handled by proxies.
-#
-# If you set this variable to "Keep" or "keep", Shorewall will neither
-# enable nor disable packet forwarding.
-#
-IP_FORWARDING=On
-
-#
-# AUTOMATICALLY ADD NAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each NAT external address that you give in /etc/shorewall/nat. If you say
-# "No" or "no", you must add these aliases youself.
-#
-ADD_IP_ALIASES=Yes
-
-#
-# AUTOMATICALLY ADD SNAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
-# you are sure that you need it -- most people don't!!!
-#
-ADD_SNAT_ALIASES=No
-
-#
-# RETAIN EXISTING ALIASES/IP ADDRESSES
-#
-# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
-# will first delete the address then re-add it. This is to ensure that the
-# address is added with the specified label. Unfortunately, this can cause
-# problems if it results in the deletion of the last IP address on an
-# interface because then all routes through the interface are automatically
-# removed.
-#
-# You can cause Shorewall to retain existing addresses by setting
-# RETAIN_ALIASES=Yes.
-#
-RETAIN_ALIASES=No
-
-#
-# ENABLE TRAFFIC SHAPING
-#
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
-# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
-
-TC_ENABLED=No
-
-#
-# Clear Traffic Shapping/Control
-#
-# If this option is set to 'No' then Shorewall won't clear the current
-# traffic control rules during [re]start. This setting is intended
-# for use by people that prefer to configure traffic shaping when
-# the network interfaces come up rather than when the firewall
-# is started. If that is what you want to do, set TC_ENABLED=Yes and
-# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
-# way, your traffic shaping rules can still use the 'fwmark'
-# classifier based on packet marking defined in /etc/shorewall/tcrules.
-#
-# If omitted, CLEAR_TC=Yes is assumed.
-
-CLEAR_TC=Yes
-
-#
-# Mark Packets in the forward chain
-#
-# When processing the tcrules file, Shorewall normally marks packets in the
-# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# this to "Yes". If not specified or if set to the empty value (e.g.,
-# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
-#
-# Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
-# address rewritten so they can be marked based on their destination. When
-# packets are marked in the PREROUTING chain, packets destined for
-# Masqueraded/SNATed local hosts still have a destination address corresponding
-# to the firewall's external interface.
-#
-# Note: Older kernels do not support marking packets in the FORWARD chain and
-# setting this variable to Yes may cause startup problems.
-
-MARK_IN_FORWARD_CHAIN=No
-
-#
-# MSS CLAMPING
-#
-# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
-# option. This option is most commonly required when your internet
-# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
-# have CONFIG_IP_NF_TARGET_TCPMSS set.
-#
-# [From the kernel help:
-#
-# This option adds a `TCPMSS' target, which allows you to alter the
-# MSS value of TCP SYN packets, to control the maximum size for that
-# connection (usually limiting it to your outgoing interface's MTU
-# minus 40).
-#
-# This is used to overcome criminally braindead ISPs or servers which
-# block ICMP Fragmentation Needed packets. The symptoms of this
-# problem are that everything works fine from your Linux
-# firewall/router, but machines behind it can never exchange large
-# packets:
-# 1) Web browsers connect, then hang with no data received.
-# 2) Small mail works fine, but large emails hang.
-# 3) ssh works fine, but scp hangs after initial handshaking.
-# ]
-#
-# If left blank, or set to "No" or "no", the option is not enabled.
-#
-# You may also set this option to a numeric value in which case Shorewall will
-# set up a rule to modify the MSS value in SYN packets to the value that
-# you specify.
-#
-# Example:
-#
-# CLAMPMSS=1400
-#
-CLAMPMSS=No
-
-#
-# ROUTE FILTERING
-#
-# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces started while Shorewall is started (anti-spoofing measure).
-#
-# If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# on individual interfaces using the 'routefilter' option in the
-# /etc/shorewall/interfaces file.
-
-ROUTE_FILTER=No
-
-# DNAT IP ADDRESS DETECTION
-#
-# Normally when Shorewall encounters the following rule:
-#
-# DNAT net loc:192.168.1.3 tcp 80
-#
-# it will forward TCP port 80 connections from the net to 192.168.1.3
-# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
-# convenient for two reasons:
-#
-# a) If the the network interface has a dynamic IP address, the
-# firewall configuration will work even when the address
-# changes.
-#
-# b) It saves having to configure the IP address in the rule
-# while still allowing the firewall to be started before the
-# internet interface is brought up.
-#
-# This default behavior can also have a negative effect. If the
-# internet interface has more than one IP address then the above
-# rule will forward connection requests on all of these addresses;
-# that may not be what is desired.
-#
-# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
-# only if the original destination address is the primary IP address of
-# one of the interfaces associated with the source zone. Note that this
-# requires all interfaces to the source zone to be up when the firewall
-# is [re]started.
-
-DETECT_DNAT_IPADDRS=No
-
-#
-# MUTEX TIMEOUT
-#
-# The value of this variable determines the number of seconds that programs
-# will wait for exclusive access to the Shorewall lock file. After the number
-# of seconds corresponding to the value of this variable, programs will assume
-# that the last program to hold the lock died without releasing the lock.
-#
-# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
-#
-# An appropriate value for this parameter would be twice the length of time
-# that it takes your firewall system to process a "shorewall restart" command.
-
-MUTEX_TIMEOUT=60
-
-#
-# NEWNOTSYN
-#
-# TCP connections are established using the familiar three-way "handshake":
-#
-# CLIENT SERVER
-#
-# SYN-------------------->
-# <------------------SYN,ACK
-# ACK-------------------->
-#
-# The first packet in that exchange (packet with the SYN flag on and the ACK
-# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
-# A packet is said to be NEW if it is not part of or related to an already
-# established connection.
-#
-# The NEWNOTSYN option determines the handling of non-SYN packets (those with
-# SYN off or with ACK or RST on) that are not associated with an already
-# established connection.
-#
-# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection will be dropped by the
-# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
-# logged before they are dropped.
-#
-# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
-# dropped but will pass through the normal rule/policy processing.
-#
-# Users with a High-availability setup with two firewall's and one acting
-# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
-# also need to select NEWNOTSYN=Yes.
-#
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
-# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
-# network or host basis using the same option in /etc/shorewall/hosts.
-
-#
-# I find that NEWNOTSYN=No tends to result in lots of "stuck"
-# connections because any network timeout during TCP session tear down
-# results in retries being dropped (Netfilter has removed the
-# connection from the conntrack table but the end-points haven't
-# completed shutting down the connection). I therefore have chosen
-# NEWNOTSYN=Yes as the default value.
-
-NEWNOTSYN=Yes
-
-#
-# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
-#
-# Normally, when a "shorewall stop" command is issued or an error occurs during
-# the execution of another shorewall command, Shorewall puts the firewall into
-# a state where only traffic to/from the hosts listed in
-# /etc/shorewall/routestopped is accepted.
-#
-# When performing remote administration on a Shorewall firewall, it is
-# therefore recommended that the IP address of the computer being used for
-# administration be added to the firewall's /etc/shorewall/routestopped file.
-#
-# Some administrators have a hard time remembering to do this with the result
-# that they get to drive across town in the middle of the night to restart
-# a remote firewall (or worse, they have to get someone out of bed to drive
-# across town to restart a very remote firewall).
-#
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
-# when the firewall enters the 'stopped' state:
-#
-# All traffic that is part of or related to established connections is still
-# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
-# to and from hosts listed in /etc/shorewall/routestopped.
-#
-# If this variable is not set or it is set to the null value then
-# ADMINISABSENTMINDED=No is assumed.
-#
-ADMINISABSENTMINDED=Yes
-
-#
-# BLACKLIST Behavior
-#
-# Shorewall offers two types of blacklisting:
-#
-# - static blacklisting through the /etc/shorewall/blacklist file together
-# with the 'blacklist' interface option.
-# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
-# -# The following variable determines whether the blacklist is checked for each -# packet or for each new connection. -# -# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection -# requests -# -# BLACKLISTNEWONLY=No Consult blacklists for all packets. -# -# If the BLACKLISTNEWONLY option is not set or is set to the empty value then -# BLACKLISTNEWONLY=No is assumed. -# -BLACKLISTNEWONLY=Yes - -# -# Users with a large blacklist find that "shorwall [re]start" takes a long -# time and that new connections are disabled during that time. By setting -# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections -# before loading the blacklist. - -DELAYBLACKLISTLOAD=No - -# MODULE NAME SUFFIX -# -# When loading a module named in /etc/shorewall/modules, Shorewall normally -# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names -# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a -# different naming convention then you can specify the suffix (extension) for -# module names in this variable. -# -# To see what suffix is used by your distribution: -# -# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter -# -# All of the file names listed should have the same suffix (extension). Set -# MODULE_SUFFIX to that suffix. -# -# Examples: -# -# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" -# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" -# - -MODULE_SUFFIX= - -# -# DISABLE IPV6 -# -# Distributions (notably SuSE) are beginning to ship with IPV6 -# enabled. If you are not using IPV6, you are at risk of being -# exploited by users who do. Setting DISABLE_IPV6=Yes will cause -# Shorewall to disable IPV6 traffic to/from and through your -# firewall system. This requires that you have ip6tables installed. 
-# Should be set to "No" for LEAF/LRP - -DISABLE_IPV6=No - -# -# BRIDGING -# -# If you wish to control traffic through a bridge (see http://bridge.sf.net), -# then set BRIDGING=Yes. Your kernel must have the physdev match option -# enabled; that option is available at the above URL for 2.4 kernels and -# is included as a standard part of the 2.6 series kernels. If not -# specified or specified as empty (BRIDGING="") then "No" is assumed. -# - -BRIDGING=No - -# -# DYNAMIC ZONES -# -# If you need to be able to add and delete hosts from zones dynamically then -# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. - -DYNAMIC_ZONES=No - -# -# USE PKTTYPE MATCH -# -# Some users have reported problems with the PKTTYPE match extension not being -# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall -# will use IP addresses to detect broadcasts rather than pkttype. If not given -# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. - -PKTTYPE=Yes - -# -# DROP INVALID PACKETS -# -# Netfilter classifies packets relative to its connection tracking table into -# four states: -# -# NEW - thes packet initiates a new connection -# ESTABLISHED - thes packet is part of an established connection -# RELATED - thes packet is related to an established connection; it may -# establish a new connection -# INVALID - the packet does not related to the table in any sensible way. -# -# Recent 2.6 kernels include code that evaluates TCP packets based on TCP -# Window analysis. This can cause packets that were previously classified as -# NEW or ESTABLISHED to be classified as INVALID. 
-# -# The new kernel code can be disabled by including this command in your -# /etc/shorewall/init file: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal -# -# Additional kernel logging about INVALID TCP packets may be obtained by -# adding this command to /etc/shorewall/init: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid -# -# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID -# option allows INVALID packets to be passed through the normal rules chains by -# setting DROPINVALID=No. -# -# If not specified or if specified as empty (e.g., DROPINVALID="") then -# DROPINVALID=Yes is assumed. - -DROPINVALID=No - -# -# RFC 1918 BEHAVIOR -# -# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918' -# processing to cease for a packet if the packet's source IP address matches -# the rule. Thus, if you have: -# -# SUBNETS TARGET -# 192.168.1.0/24 RETURN -# -# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you -# also have: -# -# SUBNETS TARGET -# 10.0.0.0/8 logdrop -# -# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped -# since while the packet's source matches the RETURN rule, the packet's -# destination matches the 'logdrop' rule. -# -# If not specified or specified as empty (e.g., RFC1918_STRICT="") then -# RFC1918_STRICT=No is assumed. -# -# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support -# 'conntrack state' match. - -RFC1918_STRICT=No - -# -# MACLIST caching -# -# If your iptables and kernel support the "Recent Match" (see the output of -# "shorewall check" near the top), you can cache the results of a 'maclist' -# file lookup and thus reduce the overhead associated with MAC Verification -# (/etc/shorewall/maclist). -# -# When a new connection arrives from a 'maclist' interface, the packet passes -# through then list of entries for that interface in /etc/shorewall/maclist. 
If -# there is a match then the source IP address is added to the 'Recent' set for -# that interface. Subsequent connection attempts from that IP address occuring -# within $MACLIST_TTL seconds will be accepted without having to scan all of -# the entries. After $MACLIST_TTL from the first accepted connection request, -# the next connection request from that IP address will be checked against -# the entire list. -# -# If MACLIST_TTL is not specified or is specified as empty (e.g, -# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not -# be cached. - -MACLIST_TTL= - -################################################################################ -# P A C K E T D I S P O S I T I O N -################################################################################ -# -# BLACKLIST DISPOSITION -# -# Set this variable to the action that you want to perform on packets from -# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, -# DROP is assumed. -# - -BLACKLIST_DISPOSITION=DROP - -# -# MAC List Disposition -# -# This variable determines the disposition of connection requests arriving -# on interfaces that have the 'maclist' option and that are from a device -# that is not listed for that interface in /etc/shorewall/maclist. Valid -# values are ACCEPT, DROP and REJECT. If not specified or specified as -# empty (MACLIST_DISPOSITION="") then REJECT is assumed - -MACLIST_DISPOSITION=REJECT - -# -# TCP FLAGS Disposition -# -# This variable determins the disposition of packets having an invalid -# combination of TCP flags that are received on interfaces having the -# 'tcpflags' option specified in /etc/shorewall/interfaces or in -# /etc/shorewall/hosts. If not specified or specified as empty -# (TCP_FLAGS_DISPOSITION="") then DROP is assumed. - -TCP_FLAGS_DISPOSITION=DROP - -#LAST LINE -- DO NOT REMOVE diff --git a/Lrp2/etc/shorewall/start b/Lrp2/etc/shorewall/start deleted file mode 100644 index 646b4eea9..000000000 
--- a/Lrp2/etc/shorewall/start
+++ /dev/null
@@ -1,12 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/start
-#
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-for file in /etc/shorewall/start.d/* ; do
-run_user_exit $file
-done
diff --git a/Lrp2/etc/shorewall/stop b/Lrp2/etc/shorewall/stop
deleted file mode 100644
index 25491b367..000000000
--- a/Lrp2/etc/shorewall/stop
+++ /dev/null
@@ -1,11 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-for file in /etc/shorewall/stop.d/* ; do
-run_user_exit $file
-done
diff --git a/Lrp2/etc/shorewall/stopped b/Lrp2/etc/shorewall/stopped
deleted file mode 100644
index b1aa78ab4..000000000
--- a/Lrp2/etc/shorewall/stopped
+++ /dev/null
@@ -1,8 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/stopped
-#
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
diff --git a/Lrp2/etc/shorewall/tcrules b/Lrp2/etc/shorewall/tcrules
deleted file mode 100644
index 3a758b262..000000000
--- a/Lrp2/etc/shorewall/tcrules
+++ /dev/null
@@ -1,155 +0,0 @@
-#
-# Shorewall version 2.2 - Traffic Control Rules File
-#
-# /etc/shorewall/tcrules
-#
-# Entries in this file cause packets to be marked as a means of
-# classifying them for traffic control or policy routing.
-#
-# I M P O R T A N T ! ! ! !
-#
-# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
-# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
-#
-# Unlike rules in the /etc/shorewall/rules file, evaluation
-# of rules in this file will continue after a match. So the
-# final mark for each packet will be the one assigned by the
-# LAST tcrule that matches.
-#
-# Columns are:
-#
-#
-# MARK/ a) A mark value which is a integer in the range 1-255
-# CLASSIFY
-# May optionally be followed by ":P" or ":F"
-# where ":P" indicates that marking should occur in
-# the PREROUTING chain and ":F" indicates that marking
-# should occur in the FORWARD chain. If neither
-# ":P" nor ":F" follow the mark value then the chain is
-# determined by the setting of MARK_IN_FORWARD_CHAIN in
-# /etc/shorewall/shorewall.conf.
-#
-# If your kernel and iptables include CONNMARK support
-# then you can also mark the connection rather than
-# the packet.
-#
-# The mark value may be optionally followed by "/"
-# and a mask value (used to determine those bits of
-# the connection mark to actually be set). The
-# mark and optional mask are then followed by one of:
-#
-# C - Mark the connection in the chain determined
-# by the setting of MARK_IN_FORWARD_CHAIN
-#
-# CF: Mark the connection in the FORWARD chain
-#
-# CP: Mark the connection in the PREROUTING chain.
-#
-# b) A classification of the form : where
-# and are integers. Corresponds to
-# the 'class' specification in these traffic shaping
-# modules:
-#
-# - atm
-# - cbq
-# - dsmark
-# - pfifo_fast
-# - htb
-# - prio
-#
-# Classify always occurs in the POSTROUTING chain.
-#
-# c) RESTORE[/mask] -- restore the packet's mark from the
-# connection's mark using the supplied mask if any.
-# Your kernel and iptables must include CONNMARK support.
-# As in a) above, may be followed by ":P" or ":F
-#
-# c) SAVE[/mask] -- save the packet's mark to the
-# connection's mark using the supplied mask if any.
-# Your kernel and iptables must include CONNMARK support.
-# As in a) above, may be followed by ":P" or ":F
-#
-# d) CONTINUE -- don't process any more marking rules in
-# the table. As in a) above, may be followed by ":P" or
-# ":F".
-#
-# SOURCE Source of the packet. A comma-separated list of
-# interface names, IP addresses, MAC addresses
-# and/or subnets. If your kernel and iptables include
-# iprange match support, IP address ranges are also
-# allowed. Use $FW if the packet originates on
-# the firewall in which case the MARK column may NOT
-# specify either ":P" or ":F" (marking always occurs
-# in the OUTPUT chain). $FW may be optionally followed
-# by ":" and a host/network address.
-#
-# MAC addresses must be prefixed with "~" and use
-# "-" as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# DEST Destination of the packet. Comma separated list of
-# IP addresses and/or subnets. If your kernel and
-# iptables include iprange match support, IP address
-# ranges are also allowed.
-#
-# If the MARK column specificies a classification of
-# the form : then this column may also
-# contain an interface name.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
-#
-# PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no PORT is given, "ipp2p" is
-# assumed.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following field is supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# SOURCE PORT(S) (Optional) Source port(s). If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# USER This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective user and/or group.
-#
-# It may contain :
-#
-# []:[]
-#
-# The colon is optionnal when specifying only a user.
-# Examples : john: / john / :users / john:users
-#
-# TEST Defines a test on the existing packet or connection mark.
-# The rule will match only if the test returns true. Tests
-# have the format [!][/][:C]
-#
-# Where:
-#
-# ! Inverts the test (not equal)
-# Value of the packet or connection mark.
-# A mask to be applied to the mark before
-# testing
-# :C Designates a connection mark. If omitted,
-# the packet mark's value is tested.
-#
-# See http://shorewall.net/traffic_shaping.htm for additional information.
-##############################################################################
-#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
-# PORT(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/tos b/Lrp2/etc/shorewall/tos
deleted file mode 100644
index 1a41a5d6c..000000000
--- a/Lrp2/etc/shorewall/tos
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Shorewall 2.2 -- /etc/shorewall/tos
-#
-# This file defines rules for setting Type Of Service (TOS)
-#
-# Columns are:
-#
-# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
-# or $FW.
-#
-# If not "all" or $FW, may optionally be followed by
-# ":" and an IP address, a MAC address, a subnet
-# specification or the name of an interface.
-#
-# Example: loc:192.168.2.3
-#
-# MAC addresses must be prefixed with "~" and use
-# "-" as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# DEST Name of a zone declared in /etc/shorewall/zones, "all"
-# or $FW.
-#
-# If not "all" or $FW, may optionally be followed by
-# ":" and an IP address or a subnet specification
-#
-# Example: loc:192.168.2.3
-#
-# PROTOCOL Protocol.
-#
-# SOURCE PORTS Source port or port range. If all ports, use "-".
-#
-# DEST PORTS Destination port or port range. If all ports, use "-"
-#
-# TOS Type of service. Must be one of the following:
-#
-# Minimize-Delay (16)
-# Maximize-Throughput (8)
-# Maximize-Reliability (4)
-# Minimize-Cost (2)
-# Normal-Service (0)
-#
-##############################################################################
-#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
-#LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/tunnels b/Lrp2/etc/shorewall/tunnels
deleted file mode 100644
index 83a4d7949..000000000
--- a/Lrp2/etc/shorewall/tunnels
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Shorewall 2.2 - /etc/shorewall/tunnels
-#
-# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
-#
-# IPIP, GRE and OPENVPN tunnels must be configured on the
-# firewall/gateway itself. IPSEC endpoints may be defined
-# on the firewall/gateway or on an internal system.
-#
-# The columns are:
-#
-# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
-# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
-# "generic"
-#
-# If the type is "ipsec" or "ipsecnat", it may be followed
-# by ":noah" to indicate that the Authentication Header
-# protocol (51) is not used by the tunnel.
-#
-# If type is "openvpn", it may optionally be followed
-# by ":" and the port number used by the tunnel. if no
-# ":" and port number are included, then the default port
-# of 5000 will be used
-#
-# If type is "generic", it must be followed by ":" and
-# a protocol name (from /etc/protocols) or a protocol
-# number. If the protocol is "tcp" or "udp" (6 or 17),
-# then it may optionally be followed by ":" and a
-# port number.
-#
-# ZONE -- The zone of the physical interface through which
-# tunnel traffic passes. This is normally your internet
-# zone.
-#
-# GATEWAY -- The IP address of the remote tunnel gateway. If the
-# remote getway has no fixed address (Road Warrior)
-# then specify the gateway as 0.0.0.0/0. May be
-# specified as a network address and if your kernel and
-# iptables include iprange match support then IP address
-# ranges are also allowed.
-#
-# GATEWAY
-# ZONES -- Optional. If the gateway system specified in the third
-# column is a standalone host then this column should
-# contain a comma-separated list of the names of the
-# zones that the host might be in. This column only
-# applies to IPSEC and generic tunnels.
-#
-# Example 1:
-#
-# IPSec tunnel. The remote gateway is 4.33.99.124 and
-# the remote subnet is 192.168.9.0/24. The tunnel does
-# not use the AH protocol
-#
-# ipsec:noah net 4.33.99.124
-#
-# Example 2:
-#
-# Road Warrior (LapTop that may connect from anywhere)
-# where the "gw" zone is used to represent the remote
-# LapTop.
-#
-# ipsec net 0.0.0.0/0 gw
-#
-# Example 3:
-#
-# Host 4.33.99.124 is a standalone system connected
-# via an ipsec tunnel to the firewall system. The host
-# is in zone gw.
-#
-# ipsec net 4.33.99.124 gw
-#
-# Example 4:
-#
-# Road Warriors that may belong to zones vpn1, vpn2 or
-# vpn3. The FreeS/Wan _updown script will add the
-# host to the appropriate zone using the "shorewall add"
-# command on connect and will remove the host from the
-# zone at disconnect time.
-#
-# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
-#
-# Example 5:
-#
-# You run the Linux PPTP client on your firewall and
-# connect to server 192.0.2.221.
-#
-# pptpclient net 192.0.2.221
-#
-# Example 6:
-#
-# You run a PPTP server on your firewall.
-#
-# pptpserver net
-#
-# Example 7:
-#
-# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
-# openvpn uses port 7777.
-#
-# openvpn:7777 net 4.33.99.124
-#
-# Example 8:
-#
-# You have a tunnel that is not one of the supported types.
-# Your tunnel uses UDP port 4444. The other end of the
-# tunnel is 4.3.99.124.
-#
-# generic:udp:4444 net 4.3.99.124
-#
-#
-# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
-#
-# TYPE ZONE GATEWAY GATEWAY
-# ZONE
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/etc/shorewall/zones b/Lrp2/etc/shorewall/zones
deleted file mode 100755
index b7b3e45fa..000000000
--- a/Lrp2/etc/shorewall/zones
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Shorewall 2.2 /etc/shorewall/zones
-#
-# This file determines your network zones. Columns are:
-#
-# ZONE Short name of the zone (5 Characters or less in length).
-# The names "all" and "none" are reserved and may not be
-# used as zone names.
-# DISPLAY Display name of the zone
-# COMMENTS Comments about the zone
-#
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
-# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
-#
-# See http://www.shorewall.net/Documentation.htm#Nested
-#
-#ZONE DISPLAY COMMENTS
-net Net Internet
-loc Local Local networks
-#dmz DMZ Demilitarized zone
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp2/sbin/shorewall b/Lrp2/sbin/shorewall
deleted file mode 100755
index 5c19408da..000000000
--- a/Lrp2/sbin/shorewall
+++ /dev/null
@@ -1,1330 +0,0 @@ -#!/bin/sh -# -# Shorewall Packet Filtering Firewall Control Program - V2.2 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall. -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# The firewall uses configuration files in /etc/shorewall/ - skeleton -# files is included with the firewall. -# -# Commands are: -# -# shorewall add [:] zone Adds a host or subnet to a zone -# shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status -# plus the last 20 "interesting" -# packets -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and -# byte counts -# shorewall clear Open the floodgates by -# removing all iptables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall refresh Rebuild the common chain to -# compensate for a change of -# broadcast address on any "detect" -# interface. 
-# shorewall show [ ... ] Display the rules in each listed -# shorewall show log Print the last 20 log messages -# shorewall show connections Show the kernel's connection -# tracking table -# shorewall show nat Display the rules in the nat table -# shorewall show {mangle|tos} Display the rules in the mangle table -# shorewall show tc Display traffic control info -# shorewall show classifiers Display classifiers -# shorewall show capabilities Display iptables/kernel capabilities -# shorewall version Display the installed version id -# shorewall check Verify the more heavily-used -# configuration files. -# shorewall try [ ] Try a new configuration and if -# it doesn't work, revert to the -# standard one. If a timeout is supplied -# the command reverts back to the -# standard configuration after that many -# seconds have elapsed after successfully -# starting the new configuration. -# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall drop
... Temporarily drop all packets from the -# listed address(es) -# shorewall reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall -# restore' can be used. -# -# shorewall forget [ ] Discard the data saved by 'shorewall save' -# -# shorewall restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall ipaddr [
/ |
] -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " $@" >&2 - exit 2 -} - -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed. -# - -iptablesbug() -{ - if qt which awk ; then - awk 'BEGIN {sline=""; };\ - /^-j/ { print sline $0; next };\ - /-m policy.*-j/ { print $0; next };\ - /-m policy/ { sline=$0; next };\ - {print ; sline="" }' - else - echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 - cat - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 - exit 2 - ;; - esac -} - -# -# Set the configuration variables from shorewall.conf -# -get_config() { - - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if [ ! -f $LOGFILE ]; then - echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 - exit 2 - fi - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi - - [ -n "$FW" ] || FW=fw - - [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - - [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" - - if [ -n "$IPTABLES" ]; then - if [ ! -e "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IPTABLES=$(which iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 - fi - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! -e "$SHOREWALL_SHELL" ]; then - echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 - exit 2 - fi - fi - - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - export RESTOREFILE - -} - -# -# Clear descriptor 1 if it is a terminal -# -clear_term() { - [ -t 1 ] && clear -} - -# -# Display IPTABLES rules -- we used to store them in a variable but ash -# dies when trying to display large sets of rules -# -display_chains() -{ - trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 - - if [ "$haveawk" = "Yes" ]; then - # - # Send the output to a temporary file since ash craps if we try to store - # the output in a variable. 
- # - TMPFILE=$(mktempfile) - [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - - $IPTABLES -L $IPT_OPTIONS >> $TMPFILE - - clear_term - echo "$banner $(date)" - echo - echo "Standard Chains" - echo - firstchain="Yes" - showchain INPUT - showchain OUTPUT - showchain FORWARD - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Input Chains" - echo - - chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2) - - for chain in $chains; do - showchain $chain - done - - timed_read - - for zone in $zones; do - - if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - eval display=\$${zone}_display - echo "$display Chains" - echo - for zone1 in $FW $zones; do - showchain ${zone}2$zone1 - showchain @${zone}2$zone1 - [ "$zone" != "$zone1" ] && \ - showchain ${zone1}2${zone} && \ - showchain @${zone1}2${zone} - done - - timed_read - fi - done - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Policy Chains" - echo - showchain common - showchain badpkt - showchain icmpdef - showchain rfc1918 - showchain blacklst - showchain reject - showchain newnotsyn - for zone in $zones all; do - showchain ${zone}2all - showchain @${zone}2all - [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } - done - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Dynamic Chain" - echo - showchain dynamic - timed_read - - qt rm -f $TMPFILE - else - $IPTABLES -L -n -v - timed_read - fi - trap - 1 2 3 4 5 6 9 - -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? 
-eq 2 && sleep $timeout -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - local options - - [ -n "$realtail" ] && options="-n$1" - - if [ -n "$VERBOSE" ]; then - grep "${LOGFORMAT}" $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - tail $options - else - grep "${LOGFORMAT}" $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - sed 's/MAC=.* SRC=/SRC=/' | \ - tail $options - fi -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s -d qdisc show dev $device - tc -s -d class show dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_tc ${interface%:} - ;; - *) - ;; - esac - done - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_classifier ${interface%:} - ;; - *) - ;; - esac - done - -} -# -# Monitor the Firewall -# -monitor_firewall() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - let "timeout=- $1" - pause="Yes" - else - pause="No" - timeout=$1 - fi - - - if qt which awk; then - TMP_DIR=$(mktempdir) - [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; } - haveawk=Yes - determine_zones - rm -rf $TMP_DIR - else - haveawk= - fi - - while true; do - display_chains - - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - 
- rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 20 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 20 - timed_read - fi - - clear_term - echo "$banner $(date)" - echo - echo "NAT Status" - echo - $IPTABLES -t nat -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "TOS/MARK Status" - echo - $IPTABLES -t mangle -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Tracked Connections" - echo - cat /proc/net/ip_conntrack - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Traffic Shaping/Control" - echo - show_tc - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Packet Classifiers" - echo - show_classifiers - timed_read - done -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt which awk && haveawk=Yes || haveawk= - - while true; do - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Help information -# -help() -{ - [ -x $HELP ] && { export version; exec $HELP $*; } - echo "Help subsystem is not installed at $HELP" -} - -# -# Give Usage Information -# -usage() # $1 = 
exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -x ] [ -q ] [ -f ] [ -v ] " - echo "where is one of:" - echo " add [:{[:]|}[,...]] ... " - echo " allow
..." - echo " check [ ]" - echo " clear" - echo " delete [:{[:]|}[,...]] ... " - echo " drop
..." - echo " forget [ ]" - echo " help [ | host | address ]" - echo " hits" - echo " ipcalc [
/ |
]" - echo " iprange
-
" - echo " logwatch []" - echo " monitor []" - echo " refresh" - echo " reject
..." - echo " reset" - echo " restart [ ]" - echo " restore [ ]" - echo " save [ ]" - echo " show [ [ ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]" - echo " start [ ]" - echo " stop" - echo " status" - echo " try [ ]" - echo " version" - echo - exit $1 -} - -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f $STATEDIR/restarted ] && \ - echo "Counters reset $(cat $STATEDIR/restarted)" && \ - echo -} -# -# Display's the passed file name followed by "=" and the file's contents. -# -show_proc() # $1 = name of a file -{ - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -# -# Execution begins here -# -debugging= - -if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then - debugging=debug - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -SHOREWALL_DIR= -QUIET= -IPT_OPTIONS="-nv" -FAST= -VERBOSE= - -done=0 - -while [ $done -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - c) - [ $# -eq 1 ] && usage 1 - - if [ ! 
-d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - option= - shift - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - q*) - QUIET=Yes - option=${option#q} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - v*) - VERBOSE=Yes - option=${option#v} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - done=1 - ;; - esac -done - -if [ $# -eq 0 ]; then - usage 1 -fi - -[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -[ -n "$QUIET" ] && export QUIET - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHARED_DIR=/usr/share/shorewall -FIREWALL=$SHARED_DIR/firewall -FUNCTIONS=$SHARED_DIR/functions -VERSION_FILE=$SHARED_DIR/version -HELP=$SHARED_DIR/help - -if [ -f $FUNCTIONS ]; then - . $FUNCTIONS -else - echo "$FUNCTIONS does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -config=$(find_file shorewall.conf) - -if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi -else - echo "$config does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -export CONFIG_PATH - -get_config - -[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - -if [ ! 
-f $FIREWALL ]; then - echo "ERROR: Shorewall is not properly installed" - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" - echo " non-existant file" - else - echo " The file $FIREWALL does not exist" - fi - - exit 2 -fi - -if [ -f $VERSION_FILE ]; then - version=$(cat $VERSION_FILE) -else - echo "ERROR: Shorewall is not properly installed" - echo " The file $VERSION_FILE does not exist" - exit 1 -fi - -banner="Shorewall-$version Status at $HOSTNAME -" - -case $(echo -e) in - -e*) - RING_BELL="echo \a" - ;; - *) - RING_BELL="echo -e \a" - ;; -esac - -case $(echo -n "Testing") in - -n*) - ECHO_N= - ;; - *) - ECHO_N=-n - ;; -esac - -case "$1" in - start) - case $# in - 1) - ;; - 2) - [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 - - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - if [ -n "$FAST" ]; then - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... - $RESTOREPATH - date > $STATEDIR/restarted - echo Shorewall restored from $RESTOREPATH - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - ;; - stop|reset|clear|refresh) - [ $# -ne 1 ] && usage 1 - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 - ;; - check|restart) - case $# in - 1) - ;; - 2) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 - ;; - add|delete) - [ $# -lt 3 ] && usage 1 - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ - ;; - show|list) - [ -n "$debugging" ] && set -x - case "$2" in - connections) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version NAT at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version TOS at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Log at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 2 ] && usage 1 - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - if [ -f $STATEDIR/zones ]; then - echo "Shorewall-$version Zones at $HOSTNAME - $(date)" - echo - while read zone hosts; do - echo $zone - for host in $hosts; do - echo " $host" - done - done < $STATEDIR/zones - echo - else - echo " ERROR: $STATEDIR/zones does not exist" >&2 - exit 1 - fi - ;; - capabilities) - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities - ;; - *) - shift - - echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -L 
$chain $IPT_OPTIONS - done - else - $IPTABLES -L $IPT_OPTIONS - fi - ;; - esac - ;; - monitor) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - monitor_firewall $2 - elif [ $# -eq 1 ]; then - monitor_firewall 30 - else - usage 1 - fi - ;; - status) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - clear_term - echo "Shorewall-$version Status at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - $IPTABLES -L $IPT_OPTIONS - echo - packet_log 20 - echo - echo "NAT Table" - echo - $IPTABLES -t nat -L $IPT_OPTIONS - echo - echo "Mangle Table" - echo - $IPTABLES -t mangle -L $IPT_OPTIONS - echo - cat /proc/net/ip_conntrack - echo - echo "IP Configuration" - echo - ip addr ls - echo - echo "IP Stats" - echo - ip -stat link ls - - if qt which brctl; then - echo - echo "Bridges" - echo - brctl show - fi - - echo - echo "/proc" - echo - - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter rp_filter log_martians; do - show_proc $directory/$file - done - done - - if [ -n "$(ip rule ls)" ]; then - echo - echo "Routing Rules" - echo - ip rule ls - ip rule ls | while read rule; do - table=${rule##* } - echo - echo "Table $table:" - echo - ip route ls table $table - done - else - echo - echo "Routing Table" - echo - ip route ls - fi - - echo - echo "ARP" - echo - arp -na - - if qt which lsmod; then - echo - echo "Modules" - echo - lsmod | grep -E '^ip_|^ipt_' - fi - ;; - hits) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - clear_term - echo "Shorewall-$version Hits at $HOSTNAME - $(date)" - echo - - timeout=30 - - if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then - echo " HITS IP DATE" - echo " ---- --------------- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS IP PORT" - echo " ---- 
--------------- -----" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ - t - s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS DATE" - echo " ---- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" - grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ - while read count port ; do - # List all services defined for the given port - srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u) - srv=$(echo $srv | sed 's/ /,/g') - - if [ -n "$srv" ] ; then - printf '%7d %5d %s\n' $count $port $srv - else - printf '%7d %5d\n' $count $port - fi - done - fi - ;; - version) - echo $version - ;; - try) - [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" - [ $# -lt 2 -o $# -gt 3 ] && usage 1 - if ! $0 $debugging -c $2 restart; then - if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then - $0 start - fi - elif ! 
$IPTABLES -L shorewall > /dev/null 2> /dev/null; then - $0 start - elif [ $# -eq 3 ]; then - sleep $3 - $0 restart - fi - ;; - logwatch) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - logwatch $2 - elif [ $# -eq 1 ]; then - logwatch 30 - else - usage 1 - fi - ;; - drop) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j DROP || break 1 - echo "$1 Dropped" - done - mutex_off - ;; - reject) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j reject || break 1 - echo "$1 Rejected" - done - mutex_off - ;; - allow) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - done - mutex_off - ;; - save) - [ -n "$debugging" ] && set -x - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - mutex_on - - if qt $IPTABLES -L shorewall -n; then - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - - if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" - else - case $RESTOREFILE in - save|restore-base) - echo " ERROR: Reserved file name: $RESTOREFILE" - ;; - *) - if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then - echo " Dynamic Rules Saved" - if [ -f /var/lib/shorewall/restore-base ]; then - cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ - if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then - echo __EOF__ >> /var/lib/shorewall/restore-$$ - [ -f /var/lib/shorewall/restore-tail ] && \ - cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH - chmod +x $RESTOREPATH - echo " Currently-running Configuration Saved to $RESTOREPATH" - else - rm -f /var/lib/shorewall/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" - fi - else - echo " ERROR: /var/lib/shorewall/restore-base does not exist" - fi - else - echo "Error Saving the Dynamic Rules" - fi - ;; - esac - fi - else - echo "Shorewall isn't started" - fi - mutex_off - ;; - forget) - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - rm -f $RESTOREPATH - echo " $RESTOREPATH removed" - elif [ -f $RESTOREPATH ]; then - echo " $RESTOREPATH exists and is not a saved Shorewall configuration" - fi - ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - temp=$(broadcastaddress 
$address); echo " BROADCAST=$temp" - ;; - - iprange) - [ -n "$debugging" ] && set -x - case $2 in - *.*.*.*-*.*.*.*) - ip_range $2 - ;; - *) - usage 1 - ;; - esac - ;; - restore) - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... - $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" - else - echo "File /var/lib/shorewall/$RESTOREFILE: file not found" - exit 2 - fi - ;; - call) - [ -n "$debugging" ] && set -x - # - # Undocumented way to call functions in /usr/share/shorewall/functions directly - # - shift; - $@ - ;; - help) - shift - [ $# -ne 1 ] && usage 1 - help $@ - ;; - *) - usage 1 - ;; - -esac diff --git a/Lrp2/usr/share/shorewall/action.AllowAuth b/Lrp2/usr/share/shorewall/action.AllowAuth deleted file mode 100644 index af54a9e9c..000000000 --- a/Lrp2/usr/share/shorewall/action.AllowAuth +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth -# -# This action accepts Auth (identd) traffic. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 113 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Lrp2/usr/share/shorewall/action.AllowDNS b/Lrp2/usr/share/shorewall/action.AllowDNS deleted file mode 100644 index 9887b9795..000000000 --- a/Lrp2/usr/share/shorewall/action.AllowDNS +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS -# -# This action accepts DNS traffic. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 53 -ACCEPT - - tcp 53 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/Lrp2/usr/share/shorewall/action.AllowFTP b/Lrp2/usr/share/shorewall/action.AllowFTP
deleted file mode 100644
index 0a0c9951b..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowFTP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
-#
-# This action accepts FTP traffic. See
-# http://www.shorewall.net/FTP.html for additional considerations.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 21
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowICMPs b/Lrp2/usr/share/shorewall/action.AllowICMPs
deleted file mode 100644
index 91e462913..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowICMPs
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
-#
-# ACCEPT needed ICMP types
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-#
-ACCEPT - - icmp fragmentation-needed
-ACCEPT - - icmp time-exceeded
diff --git a/Lrp2/usr/share/shorewall/action.AllowIMAP b/Lrp2/usr/share/shorewall/action.AllowIMAP
deleted file mode 100644
index 71e7b15d1..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowIMAP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
-#
-# This action accepts IMAP traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 143 #Unsecure IMAP
-ACCEPT - - tcp 993 #Secure IMAP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowNNTP b/Lrp2/usr/share/shorewall/action.AllowNNTP
deleted file mode 100644
index a5d68b49e..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowNNTP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
-#
-# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 119
-ACCEPT - - tcp 563
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowNTP b/Lrp2/usr/share/shorewall/action.AllowNTP
deleted file mode 100644
index 936954769..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowNTP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
-#
-# This action accepts NTP traffic (ntpd).
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
-ACCEPT - - udp 123
-ACCEPT - - udp 1024: 123
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowPCA b/Lrp2/usr/share/shorewall/action.AllowPCA
deleted file mode 100644
index 26b57bdca..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowPCA
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
-#
-# This action accepts PCAnywere (tm)
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 5632
-ACCEPT - - tcp 5631
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowPOP3 b/Lrp2/usr/share/shorewall/action.AllowPOP3
deleted file mode 100644
index 4634b9bbd..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowPOP3
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
-#
-# This action accepts POP3 traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# PORT PORT(S) DEST LIMIT
-ACCEPT - - tcp 110 #Unsecure POP3
-ACCEPT - - tcp 995 #Secure POP3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowPing b/Lrp2/usr/share/shorewall/action.AllowPing
deleted file mode 100644
index 4ef4eeae1..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
-#
-# This action accepts 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowRdate b/Lrp2/usr/share/shorewall/action.AllowRdate
deleted file mode 100644
index 5c1d8054f..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowRdate
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
-#
-# This action accepts remote time retrieval (rdate).
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 37
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowSMB b/Lrp2/usr/share/shorewall/action.AllowSMB
deleted file mode 100644
index b7f1e4412..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowSMB
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
-#
-# Allow Microsoft SMB traffic. You need to invoke this action in
-# both directions.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 135,445
-ACCEPT - - udp 137:139
-ACCEPT - - udp 1024: 137
-ACCEPT - - tcp 135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowSMTP b/Lrp2/usr/share/shorewall/action.AllowSMTP
deleted file mode 100644
index 2ad5f2597..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowSMTP
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
-#
-# This action accepts SMTP (email) traffic.
-#
-# Note: This action allows traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the AllowPOP3 or AllowIMAP actions.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 25
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowSNMP b/Lrp2/usr/share/shorewall/action.AllowSNMP
deleted file mode 100644
index 33b1b4c0d..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowSNMP
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
-#
-# This action accepts SNMP traffic (including traps):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 161:162
-ACCEPT - - tcp 161
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowSSH b/Lrp2/usr/share/shorewall/action.AllowSSH
deleted file mode 100644
index 71ae5adbf..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowSSH
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
-#
-# This action accepts secure shell (SSH) traffic.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 22
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowTelnet b/Lrp2/usr/share/shorewall/action.AllowTelnet
deleted file mode 100644
index 3b06d098a..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowTelnet
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
-#
-# This action accepts Telnet traffic. For traffic over the
-# internet, telnet is inappropriate; use SSH instead
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 23
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowTrcrt b/Lrp2/usr/share/shorewall/action.AllowTrcrt
deleted file mode 100644
index 9fbce93fa..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowTrcrt
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
-#
-# This action accepts Traceroute (for up to 30 hops):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 33434:33524 #UDP Traceroute
-ACCEPT - - icmp 8 #ICMP Traceroute
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowVNC b/Lrp2/usr/share/shorewall/action.AllowVNC
deleted file mode 100644
index bf6a40aa9..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowVNC
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
-#
-# This action accepts VNC traffic for VNC display's 0 - 9.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5900:5909
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowVNCL b/Lrp2/usr/share/shorewall/action.AllowVNCL
deleted file mode 100644
index 2bcabd2a4..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowVNCL
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
-#
-# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5500
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.AllowWeb b/Lrp2/usr/share/shorewall/action.AllowWeb
deleted file mode 100644
index f32049606..000000000
--- a/Lrp2/usr/share/shorewall/action.AllowWeb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
-#
-# This action accepts WWW traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 80
-ACCEPT - - tcp 443
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.Drop b/Lrp2/usr/share/shorewall/action.Drop
deleted file mode 100644
index fc8188d18..000000000
--- a/Lrp2/usr/share/shorewall/action.Drop
+++ /dev/null
@@ -1,49 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.Drop
-#
-# The default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose of the action
-# is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
-# Otherwise, you may experience problems establishing connections with
-# servers that use auth.
-# c) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
-######################################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Reject 'auth'
-#
-RejectAuth
-#
-# Don't log broadcasts
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
-# confuse people when they appear in the log.
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DropSMB
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.DropDNSrep b/Lrp2/usr/share/shorewall/action.DropDNSrep
deleted file mode 100644
index 760ac92e3..000000000
--- a/Lrp2/usr/share/shorewall/action.DropDNSrep
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
-#
-# This action silently drops DNS UDP replies
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp - 53
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.DropPing b/Lrp2/usr/share/shorewall/action.DropPing
deleted file mode 100644
index fb079bac6..000000000
--- a/Lrp2/usr/share/shorewall/action.DropPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropPing
-#
-# This action silently drops 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.DropSMB b/Lrp2/usr/share/shorewall/action.DropSMB
deleted file mode 100644
index ac2218470..000000000
--- a/Lrp2/usr/share/shorewall/action.DropSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
-#
-# This action silently drops Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 135
-DROP - - udp 137:139
-DROP - - udp 445
-DROP - - tcp 135
-DROP - - tcp 139
-DROP - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.DropUPnP b/Lrp2/usr/share/shorewall/action.DropUPnP
deleted file mode 100644
index 30a4865f8..000000000
--- a/Lrp2/usr/share/shorewall/action.DropUPnP
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
-#
-# This action silently drops UPnP probes on UDP port 1900
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 1900
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.Reject b/Lrp2/usr/share/shorewall/action.Reject
deleted file mode 100644
index 9e116eb22..000000000
--- a/Lrp2/usr/share/shorewall/action.Reject
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.Reject
-#
-# The default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose of the action
-# is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
-######################################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Don't log 'auth' REJECT
-#
-RejectAuth
-#
-# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
-# confuse people when they appear in the log (these ICMPs cannot be rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the lot.
-#
-RejectSMB
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.RejectAuth b/Lrp2/usr/share/shorewall/action.RejectAuth
deleted file mode 100644
index a89ee4dfc..000000000
--- a/Lrp2/usr/share/shorewall/action.RejectAuth
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
-#
-# This action silently rejects Auth (tcp 113) traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - tcp 113
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.RejectSMB b/Lrp2/usr/share/shorewall/action.RejectSMB
deleted file mode 100644
index 19cc5af2d..000000000
--- a/Lrp2/usr/share/shorewall/action.RejectSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
-#
-# This action silently rejects Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - udp 135
-REJECT - - udp 137:139
-REJECT - - udp 445
-REJECT - - tcp 135
-REJECT - - tcp 139
-REJECT - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/action.template b/Lrp2/usr/share/shorewall/action.template
deleted file mode 100644
index a5bbce819..000000000
--- a/Lrp2/usr/share/shorewall/action.template
+++ /dev/null
@@ -1,167 +0,0 @@
-#
-# Shorewall 2.2 /etc/shorewall/action.template
-#
-# This file is a template for files with names of the form
-# /etc/shorewall/action. where is an
-# ACTION defined in /etc/shorewall/actions.
-#
-# To define a new action:
-#
-# 1. Add the to /etc/shorewall/actions
-# 2. Copy this file to /etc/shorewall/action.
-# 3. Add the desired rules to that file.
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Columns are:
-#
-#
-# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
-# previously-defined
-#
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as p2pwall.
-# CONTINUE -- Discontinue processing this action
-# and return to the point where the
-# action was invoked.
-# -- An defined in
-# /etc/shorewall/actions. The
-# must appear in that file BEFORE the
-# one being defined in this file.
-#
-# The TARGET may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# ACCEPT:debugging). This causes the packet to be
-# logged at the specified level.
-#
-# The special log level 'none' does not result in logging
-# but rather exempts the rule from being overridden by a
-# non-forcing log level when the action is invoked.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies.
-# A comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# 192.168.2.2 Host 192.168.2.2
-#
-# 155.186.235.0/24 Subnet 155.186.235.0/24
-#
-# 10.0.0.4-10.0.0.9 Range of IP addresses; your
-# kernel and iptables must have
-# iprange match support.
-#
-# 192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2.
-# ~00-A0-C9-15-39-78 Host with
-# MAC address 00:A0:C9:15:39:78.
-#
-# Alternatively, clients may be specified by interface
-# name. For example, eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., eth1:192.168.1.5).
-#
-# DEST Location of Server. Same as above with the exception that
-# MAC addresses are not allowed.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
-# "all".
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following fields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this column:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/actions.std b/Lrp2/usr/share/shorewall/actions.std
deleted file mode 100644
index 7dfb23fcc..000000000
--- a/Lrp2/usr/share/shorewall/actions.std
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/actions.std
-#
-# Please see http://shorewall.net/Actions.html for additional
-# information.
-#
-# Builtin Actions are:
-#
-# allowBcast #Silently Allow Broadcast/multicast
-# dropBcast #Silently Drop Broadcast/multicast
-# dropNotSyn #Silently Drop Non-syn TCP packets
-# rejNotSyn #Silently Reject Non-syn TCP packets
-# dropInvalid #Silently Drop packets that are in the INVALID
-# #conntrack state.
-# allowInvalid #Accept packets that are in the INVALID
-# #conntrack state.
-# allowoutUPnP #Allow traffic from local command 'upnpd'
-# allowinUPnP #Allow UPnP inbound (to firewall) traffic
-# forwardUPnP #Allow traffic that upnpd has redirected from
-# #'upnp' interfaces.
-#
-#ACTION
-
-DropSMB #Silently Drops Microsoft SMB Traffic
-RejectSMB #Silently Reject Microsoft SMB Traffic
-DropUPnP #Silently Drop UPnP Probes
-RejectAuth #Silently Reject Auth
-DropPing #Silently Drop Ping
-DropDNSrep #Silently Drop DNS Replies
-
-AllowPing #Accept Ping
-AllowFTP #Accept FTP
-AllowDNS #Accept DNS
-AllowSSH #Accept SSH
-AllowWeb #Allow Web Browsing
-AllowSMB #Allow MS Networking
-AllowAuth #Allow Auth (identd)
-AllowSMTP #Allow SMTP (Email)
-AllowPOP3 #Allow reading mail via POP3
-AllowICMPs #Allows critical ICMP types
-AllowIMAP #Allow reading mail via IMAP
-AllowTelnet #Allow Telnet Access (not recommended for use over the
- #Internet)
-AllowVNC #Allow VNC viewer->server, Displays 0-9
-AllowVNCL #Allow VNC server->viewer in listening mode
-AllowNTP #Allow Network Time Protocol (ntpd)
-AllowRdate #Allow remote time (rdate).
-AllowNNTP #Allow network news (Usenet).
-AllowTrcrt #Allows Traceroute (20 hops)
-AllowSNMP #Allows SNMP (including traps)
-AllowPCA #Allows PCAnywhere (tm)
-
-Drop:DROP #Common Action for DROP policy
-Reject:REJECT #Common Action for REJECT policy
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/bogons b/Lrp2/usr/share/shorewall/bogons
deleted file mode 100644
index abb025a80..000000000
--- a/Lrp2/usr/share/shorewall/bogons
+++ /dev/null
@@ -1,67 +0,0 @@
-#
-# Shorewall 2.2-- Bogons File
-#
-# /etc/shorewall/bogons
-#
-# Lists the subnetworks that are blocked by the 'nobogons' interface option.
-#
-# The default list includes those those ip ADDRESSES listed
-# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
-# reserved for use in documentation and examples.
-#
-# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
-# TO /etc/shorewall AND MODIFY THE COPY.
-#
-# Columns are:
-#
-# SUBNET The subnet (host addresses also allowed as are IP
-# address ranges provided that your kernel and iptables
-# include iprange match support).
-# TARGET Where to send packets to/from this subnet
-# RETURN - let the packet be processed normally
-# DROP - silently drop the packet
-# logdrop - log then drop
-#
-###############################################################################
-#SUBNET TARGET
-0.0.0.0 RETURN # Stop the DHCP whining
-255.255.255.255 RETURN # We need to allow limited broadcast
-169.254.0.0/16 DROP # DHCP autoconfig
-192.0.2.0/24 logdrop # Example addresses (RFC 3330)
-#
-# The following are generated with the help of the Python program found at:
-#
-# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
-#
-# The program was contributed by Andy Wiggin
-#
-
-0.0.0.0/7 logdrop # Reserved
-2.0.0.0/8 logdrop # Reserved
-5.0.0.0/8 logdrop # Reserved
-7.0.0.0/8 logdrop # Reserved
-23.0.0.0/8 logdrop # Reserved
-27.0.0.0/8 logdrop # Reserved
-31.0.0.0/8 logdrop # Reserved
-36.0.0.0/7 logdrop # Reserved
-39.0.0.0/8 logdrop # Reserved
-42.0.0.0/8 logdrop # Reserved
-77.0.0.0/8 logdrop # Reserved
-78.0.0.0/7 logdrop # Reserved
-92.0.0.0/6 logdrop # Reserved
-96.0.0.0/4 logdrop # Reserved
-112.0.0.0/5 logdrop # Reserved
-120.0.0.0/6 logdrop # Reserved
-127.0.0.0/8 logdrop # Reserved
-173.0.0.0/8 logdrop # Reserved
-174.0.0.0/7 logdrop # Reserved
-176.0.0.0/5 logdrop # Reserved
-184.0.0.0/6 logdrop # Reserved
-197.0.0.0/8 logdrop # Reserved
-223.0.0.0/8 logdrop # Reserved
-240.0.0.0/4 logdrop # Reserved
-
-#
-# End of generated entries
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/configpath b/Lrp2/usr/share/shorewall/configpath
deleted file mode 100644
index f676bd1b0..000000000
--- a/Lrp2/usr/share/shorewall/configpath
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Shorewall version 2.0 - Default Config Path
-#
-# /usr/share/shorewall/configpath
-#
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
\ No newline at end of file
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
deleted file mode 100755
index bec4a62a5..000000000
--- a/Lrp2/usr/share/shorewall/firewall
+++ /dev/null
@@ -1,7786 +0,0 @@
-#!/bin/sh
-#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
-#
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-#
-# Commands are:
-#
-# shorewall start Starts the firewall
-# shorewall restart Restarts the firewall
-# shorewall stop Stops the firewall
-# shorewall status Displays firewall status
-# shorewall reset Resets iptables packet and
-# byte counts
-# shorewall clear Remove all Shorewall chains
-# and rules/policies.
-# shorewall refresh . Rebuild the common chain
-# shorewall check Verify the more heavily-used
-# configuration files.
-#
-# Mutual exclusion -- These functions are jackets for the mutual exclusion
-# routines in $FUNCTIONS. They invoke
-# the corresponding function in that file if the user did
-# not specify "nolock" on the runline.
-# -my_mutex_on() { - [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } -} - -my_mutex_off() { - [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } -} - -# -# Message to stderr -# -error_message() # $* = Error Message -{ - echo " $@" >&2 -} - -# -# Fatal error -- stops the firewall after issuing the error message -# -fatal_error() # $* = Error Message -{ - echo " Error: $@" >&2 - if [ $COMMAND = check ]; then - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - else - stop_firewall - fi - exit 2 -} - -# -# Fatal error during startup -- generate an error message and abend without -# altering the state of the firewall -# -startup_error() # $* = Error Message -{ - echo " Error: $@" >&2 - my_mutex_off - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - kill $$ - exit 2 -} - -# -# Send a message to STDOUT and the System Log -# -report () { # $* = message - echo "$@" - logger "$@" -} - -# -# Write the passed args to $RESTOREBASE -# -save_command() -{ - echo "$@" >> $RESTOREBASE -} - -# -# Write a progress_message command to $RESTOREBASE -# -save_progress_message() -{ - - echo >> $RESTOREBASE - echo "progress_message \"$@\"" >> $RESTOREBASE - echo >> $RESTOREBASE -} - -# -# Save the passed command in the restore script then run it -- returns the status of the command -# If the command involves file redirection then it must be enclosed in quotes as in: -# -# run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" -# -run_and_save_command() -{ - echo "$@" >> $RESTOREBASE - eval $* -} - -# -# Run the passed command and if it succeeds, save it in the restore script. 
If it fails, stop the firewall and die -# -ensure_and_save_command() -{ - if eval $* ; then - echo "$@" >> $RESTOREBASE - else - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Append a file in $STATEDIR to $RESTOREBASE -# -append_file() # $1 = File Name -{ - save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> $RESTOREBASE - save_command __EOF__ -} - -# -# Run iptables and if an error occurs, stop the firewall and quit -# -run_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! $IPTABLES $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"$IPTABLES $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Version of 'run_iptables' that inserts white space after "!" in the arg list -# -run_iptables2() { - - case "$@" in - *!*) - run_iptables $(fix_bang $@) - ;; - *) - run_iptables $@ - ;; - esac - -} - -# -# Quietly run iptables -# -qt_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - qt $IPTABLES $@ -} - -# -# Run ip and if an error occurs, stop the firewall and quit -# -run_ip() { - if ! ip $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"ip $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Run tc and if an error occurs, stop the firewall and quit -# -run_tc() { - if ! tc $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"tc $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Create a filter chain -# -# If the chain isn't one of the common chains then add a rule to the chain -# allowing packets that are part of an established connection. Create a -# variable exists_${1} and set its value to Yes to indicate that the chain now -# exists. 
-# -createchain() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - run_iptables -N $1 - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes -} - -createchain2() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - if $IPTABLES -N $1; then - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes - fi -} - -# -# Determine if a chain exists -# -# When we create a chain "chain", we create a variable named exists_chain and -# set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havechain() # $1 = name of chain -{ - local c=$(chain_base $1) - - eval test \"\$exists_${c}\" = Yes -} - -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt $IPTABLES -L $1 -n -} - -# -# Query NetFilter about the existence of a mangle chain -# -mangle_chain_exists() # $1 = chain name -{ - qt $IPTABLES -t mangle -L $1 -n -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurechain() # $1 = chain name -{ - havechain $1 || createchain $1 yes -} - -ensurechain1() # $1 = chain name -{ - havechain $1 || createchain $1 no -} - -# -# Add a rule to a chain creating the chain if necessary -# -addrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables -A $@ -} - -addrule2() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables2 -A $@ -} - -# -# Create a nat chain -# -# Create a variable exists_nat_${1} and set its value to Yes to indicate that -# the chain now exists. 
-# -createnatchain() # $1 = chain name -{ - run_iptables -t nat -N $1 - - eval exists_nat_${1}=Yes -} - -# -# Determine if a nat chain exists -# -# When we create a chain "chain", we create a variable named exists_nat_chain -# and set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havenatchain() # $1 = name of chain -{ - eval test \"\$exists_nat_${1}\" = Yes -} - -# -# Ensure that a nat chain exists (create it if it doesn't) -# -ensurenatchain() # $1 = chain name -{ - havenatchain $1 || createnatchain $1 -} - -# -# Add a rule to a nat chain creating the chain if necessary -# -addnatrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurenatchain $1 - run_iptables2 -t nat -A $@ -} - -# -# Delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established and related connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Flush one of the Mangle table chains -# -flushmangle() # $1 = name of chain -{ - run_iptables -t mangle -F $1 -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne=$1 - local z - local interface - - for interface in $ALL_INTERFACES; do - eval z=\$$(chain_base 
$interface)_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo $(chain_base $1)_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo $(chain_base $1)_in -} - -# -# Output Chain for an interface -# -output_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo $(chain_base $1)_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo $(chain_base $1)_mac -} - -# -# Functions for creating dynamic zone rules -# -dynamic_fwd() # $1 = interface -{ - echo $(chain_base $1)_dynf -} - -dynamic_in() # $1 = interface -{ - echo $(chain_base $1)_dyni -} - -dynamic_out() # $1 = interface -{ - echo $(chain_base $1)_dyno -} - -dynamic_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_dyni ${c}_dynf ${c}_dyno -} - -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to a zone or from an interface -# -snat_chain() # $1 = zone or interface -{ - echo $(chain_base $1)_snat -} - -# -# ECN Chain to an interface -# -ecn_chain() # $1 = interface -{ - echo $(chain_base $1)_ecn -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_fwd ${c}_in -} - -# -# Horrible hack to work around an iptables limitation -# -iprange_echo() -{ - if [ -f $TMP_DIR/iprange ]; then - echo $@ - else - echo "-m iprange $@" - > $TMP_DIR/iprange - fi -} - - -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! 
--src-range ${1#!}" - ;; - *) - iprange_echo "--src-range $1" - ;; - esac - ;; - *) - echo "-s $1" - ;; - esac -} - -# -# Destination IP range -# -dest_ip_range() # $1 = Address or Address Range -{ - case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! --dst-range ${1#!}" - ;; - *) - iprange_echo "--dst-range $1" - ;; - esac - ;; - *) - echo "-d $1" - ;; - esac -} - -both_ip_ranges() # $1 = Source address or range, $2 = dest address or range -{ - local prefix= match= - - case $1 in - *.*.*.*-*.*.*.*) - prefix="-m iprange" - match="--src-range $1" - ;; - *) - match="-s $1" - ;; - esac - - case $2 in - *.*.*.*-*.*.*.*) - prefix="-m iprange" - match="$match --dst-range $2" - ;; - *) - match="$match -d $2" - ;; - esac - - echo "$prefix $match" -} - -# -# Horrible hack to work around an iptables limitation -# -physdev_echo() -{ - if [ -f $TMP_DIR/physdev ]; then - echo $@ - else - echo -m physdev $@ - > $TMP_DIR/physdev - fi -} - -# -# We allow hosts to be specified by IP address or by physdev. These two functions -# are used to produce the proper match in a netfilter rule. -# -match_source_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" - ;; - *.*.*.*) - echo $(source_ip_range $1) - ;; - *) - physdev_echo "--physdev-in $1" - ;; - esac - else - echo $(source_ip_range $1) - fi -} - -match_dest_hosts() -{ - if [ -n "$BRIDGING" ]; then - case $1 in - *:*) - physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" - ;; - *.*.*.*) - echo $(dest_ip_range $1) - ;; - *) - physdev_echo "--physdev-out $1" - ;; - esac - else - echo $(dest_ip_range $1) - fi -} - -# -# Similarly, the source or destination in a rule can be qualified by a device name. If -# the device is defined in /etc/shorewall/interfaces then a normal interface match is -# generated (-i or -o); otherwise, a physdev match is generated. 
-#------------------------------------------------------------------------------------- -# -# loosely match the passed interface with those in /etc/shorewall/interfaces. -# -known_interface() # $1 = interface name -{ - local iface - - for iface in $ALL_INTERFACES ; do - if if_match $iface $1 ; then - return 0 - fi - done - - return 1 -} - -match_source_dev() -{ - if [ -n "$BRIDGING" ]; then - list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1 - else - echo -i $1 - fi -} - -match_dest_dev() -{ - if [ -n "$BRIDGING" ]; then - list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1 - else - echo -o $1 - fi -} - -verify_interface() -{ - known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; } -} - -# -# Determine if communication to/from a host is encrypted using IPSEC -# -is_ipsec_host() # $1 = zone, $2 = host -{ - eval local is_ipsec=\$${1}_is_ipsec - eval local hosts=\"\$${1}_ipsec_hosts\" - - test -n "$is_ipsec" || list_search $2 $hosts -} - -# -# Generate a match for decrypted packets -# -match_ipsec_in() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\" - echo "-m policy --pol ipsec --dir in $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir in" - fi -} - -# -# Generate a match for packets that will be encrypted -# -match_ipsec_out() # $1 = zone, $2 = host -{ - if is_ipsec_host $1 $2 ; then - eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\" - echo "-m policy --pol ipsec --dir out $options" - elif [ -n "$POLICY_MATCH" ]; then - echo "-m policy --pol none --dir out" - fi -} - -# -# Jacket for ip_range() that takes care of iprange match -# - -firewall_ip_range() # $1 = IP address or range -{ - [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 -} - -# -# -# Find hosts in a given zone -# -# Read hosts file and for each record matching the passed ZONE, -# echo the expanded contents 
of the "HOST(S)" column -# -find_hosts() # $1 = host zone -{ - local hosts interface address addresses - - while read z hosts options; do - if [ "x$(expand $z)" = "x$1" ]; then - expandv hosts - interface=${hosts%%:*} - addresses=${hosts#*:} - for address in $(separate_list $addresses); do - echo $interface:$address - done - fi - done < $TMP_DIR/hosts -} - -# -# Check for duplicate zone definitions -# -check_duplicate_zones() { - local localzones= - - for zone in $zones; do - list_search $zone $localzones && startup_error "Zone $zone is defined more than once" - localzones="$localzones $zone" - done -} -# -# Determine the interfaces on the firewall -# -# For each zone, create a variable called ${zone}_interfaces. This -# variable contains a space-separated list of interfaces to the zone -# -determine_interfaces() { - for zone in $zones; do - interfaces=$(find_interfaces $zone) - interfaces=$(echo $interfaces) # Remove extra trash - eval ${zone}_interfaces=\"\$interfaces\" - done -} - -# -# Determine if an interface has a given option -# -interface_has_option() # $1 = interface, #2 = option -{ - local options - - eval options=\$$(chain_base $1)_options - - list_search $2 $options -} - -# -# Determine the defined hosts in each zone and generate report -# -determine_hosts() { - - for zone in $zones; do - hosts=$(find_hosts $zone) - hosts=$(echo $hosts) # Remove extra trash - - eval interfaces=\$${zone}_interfaces - - for interface in $interfaces; do - if interface_has_option $interface detectnets; then - networks=$(get_routed_networks $interface) - else - networks=0.0.0.0/0 - fi - - for networks in $networks; do - if [ -z "$hosts" ]; then - hosts=$interface:$networks - else - hosts="$hosts $interface:$networks" - fi - - if interface_has_option $interface routeback; then - eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\" - fi - done - done - - interfaces= - - for host in $hosts; do - interface=${host%:*} - if list_search $interface $interfaces; then 
- list_search $interface:0.0.0.0/0 $hosts && \
- startup_error "Invalid zone definition for zone $zone"
- list_search $interface:0/0 $hosts && \
- startup_error "Invalid zone definition for zone $zone"
- eval ${zone}_is_complex=Yes
- else
- if [ -z "$interfaces" ]; then
- interfaces=$interface
- else
- interfaces="$interfaces $interface"
- fi
- fi
- done
-
- eval ${zone}_interfaces="\$interfaces"
- eval ${zone}_hosts="\$hosts"
-
- if [ -n "$hosts" ]; then
- eval display=\$${zone}_display
- display_list "$display Zone:" $hosts
- else
- error_message "Warning: Zone $zone is empty"
- fi
- done
-}
-
-#
-# Ensure that the passed zone is defined in the zones file or is the firewall
-#
-validate_zone() # $1 = zone
-{
- list_search $1 $zones $FW
-}
-#
-# Ensure that the passed zone is defined in the zones file.
-#
-validate_zone1() # $1 = zone
-{
- list_search $1 $zones
-}
-
-#
-# Validate the zone names and options in the interfaces file
-#
-validate_interfaces_file() {
- local wildcard
- local found_obsolete_option=
- local z interface networks options r iface option
-
- while read z interface networks options; do
- expandv z interface networks options
- r="$z $interface $networks $options"
-
- [ "x$z" = "x-" ] && z=
-
- if [ -n "$z" ]; then
- validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
- fi
-
- list_search $interface $ALL_INTERFACES && \
- startup_error "Duplicate Interface $interface"
-
- wildcard=
-
- case $interface in
- *:*|+)
- startup_error "Invalid Interface Name: $interface"
- ;;
- *+)
- wildcard=Yes
- ;;
- esac
-
- ALL_INTERFACES="$ALL_INTERFACES $interface"
- options=$(separate_list $options)
- iface=$(chain_base $interface)
-
- eval ${iface}_broadcast="$networks"
- eval ${iface}_zone="$z"
- eval ${iface}_options=\"$options\"
-
- for option in $options; do
- case $option in
- dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
- ;;
- detectnets)
- [ -n "$wildcard" ] && \
- startup_error "The \"detectnets\" option may not be used with a wild-card interface"
- ;;
- routeback)
- [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
- ;;
- *)
- error_message "Warning: Invalid option ($option) in record \"$r\""
- ;;
- esac
- done
-
- [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
-
- done < $TMP_DIR/interfaces
-}
-
-#
-# Validate the zone names and options in the hosts file
-#
-validate_hosts_file() {
- local z hosts options r interface host option port ports
-
- check_bridge_port()
- {
- list_search $1 $ports || ports="$ports $1"
- list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
- list_search $1 $all_ports || all_ports="$all_ports $1"
- }
-
- while read z hosts options; do
- expandv z hosts options
- r="$z $hosts $options"
- validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
-
- case $hosts in
- *:*)
-
- interface=${hosts%%:*}
- iface=$(chain_base $interface)
-
- list_search $interface $ALL_INTERFACES || \
- startup_error "Unknown interface ($interface) in record \"$r\""
-
- hosts=${hosts#*:}
- ;;
- *)
- fatal_error "Invalid HOST(S) column contents: $hosts"
- ;;
- esac
-
- eval ports=\$${iface}_ports
- eval zports=\$${z}_ports
-
- for host in $(separate_list $hosts); do
- if [ -n "$BRIDGING" ]; then
- case $host in
- *:*)
- known_interface ${host%:*} && \
- startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
- check_bridge_port ${host%%:*}
- ;;
- *.*.*.*)
- ;;
- *)
- known_interface $host && \
- startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
- check_bridge_port $host
- ;;
- esac
- fi
-
- for option in $(separate_list $options) ; do
- case $option in
- maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
- ;;
- ipsec)
- [ -n "$POLICY_MATCH" ] || \
- startup_error "Your kernel and/or iptables does not support policy match: ipsec"
- eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
- eval ${z}_is_complex=Yes
- ;;
- routeback)
- [ -z "$ports" ] && \
- eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
- ;;
- *)
- error_message "Warning: Invalid option ($option) in record \"$r\""
- ;;
- esac
- done
- done
-
- if [ -n "$ports" ]; then
- eval ${iface}_ports=\"$ports\"
- eval ${z}_ports=\"$zports\"
- fi
-
- done < $TMP_DIR/hosts
-
- [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
-}
-
-#
-# Format a match by the passed MAC address
-# The passed address begins with "~" and uses "-" as a separator between bytes
-# Example: ~01-02-03-04-05-06
-#
-mac_match() # $1 = MAC address formated as described above
-{
- echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
-}
-
-#
-# validate the policy file
-#
-validate_policy()
-{
- local clientwild
- local serverwild
- local zone
- local zone1
- local pc
- local chain
- local policy
- local loglevel
- local synparams
-
- print_policy() # $1 = source zone, $2 = destination zone
- {
- [ $COMMAND != check ] || \
- [ $1 = $2 ] || \
- [ $1 = all ] || \
- [ $2 = all ] || \
- progress_message " Policy for $1 to $2 is $policy using chain $chain"
- }
-
- all_policy_chains=
-
- strip_file policy
-
- while read client server policy loglevel synparams; do
- expandv client server policy loglevel synparams
-
- clientwild=
- serverwild=
-
- case "$client" in
- all|ALL)
- clientwild=Yes
- ;;
- *)
- if ! validate_zone $client; then
- startup_error "Undefined zone $client"
- fi
- esac
-
- case "$server" in
- all|ALL)
- serverwild=Yes
- ;;
- *)
- if ! validate_zone $server; then
- startup_error "Undefined zone $server"
- fi
- esac
-
- case $policy in
- ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
- ;;
- NONE)
- [ "$client" = "$FW" -o "$server" = "$FW" ] && \
- startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
-
- [ -n "$clientwild" -o -n "$serverwild" ] && \
- startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
- ;;
- *)
- startup_error "Invalid policy $policy"
- ;;
- esac
-
- chain=${client}2${server}
-
- if is_policy_chain $chain ; then
- startup_error "Duplicate policy $policy"
- fi
-
- [ "x$loglevel" = "x-" ] && loglevel=
-
- [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
-
- eval ${chain}_is_policy=Yes
- eval ${chain}_policy=$policy
- eval ${chain}_loglevel=$loglevel
- eval ${chain}_synparams=$synparams
-
- if [ -n "${clientwild}" ]; then
- if [ -n "${serverwild}" ]; then
- for zone in $zones $FW all; do
- for zone1 in $zones $FW all; do
- eval pc=\$${zone}2${zone1}_policychain
-
- if [ -z "$pc" ]; then
- eval ${zone}2${zone1}_policychain=$chain
- eval ${zone}2${zone1}_policy=$policy
- print_policy $zone $zone1
- fi
- done
- done
- else
- for zone in $zones $FW all; do
- eval pc=\$${zone}2${server}_policychain
-
- if [ -z "$pc" ]; then
- eval ${zone}2${server}_policychain=$chain
- eval ${zone}2${server}_policy=$policy
- print_policy $zone $server
- fi
- done
- fi
- elif [ -n "$serverwild" ]; then
- for zone in $zones $FW all; do
- eval pc=\$${client}2${zone}_policychain
-
- if [ -z "$pc" ]; then
- eval ${client}2${zone}_policychain=$chain
- eval ${client}2${zone}_policy=$policy
- print_policy $client $zone
- fi
- done
- else
- eval ${chain}_policychain=${chain}
- print_policy $client $server
- fi
-
- done < $TMP_DIR/policy
-}
-
-#
-# Find broadcast addresses
-#
-find_broadcasts() {
- for interface in $ALL_INTERFACES; do
- eval bcast=\$$(chain_base $interface)_broadcast
- if [ "x$bcast" = "xdetect" ]; then
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
- elif [ "x${bcast}" != "x-" ]; then
- echo $(separate_list $bcast)
- fi
- done
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
- #
- # If there wasn't one, bail out now
- #
- [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# Find interfaces that have the passed option specified
-#
-find_interfaces_by_option() # $1 = option
-{
- for interface in $ALL_INTERFACES; do
- eval options=\$$(chain_base $interface)_options
- list_search $1 $options && echo $interface
- done
-}
-
-#
-# Find hosts with the passed option
-#
-find_hosts_by_option() # $1 = option
-{
- local ignore hosts interface address addresses options ipsec= list
-
- while read ignore hosts options; do
- expandv options
- list=$(separate_list $options)
- if list_search $1 $list; then
- list_search ipsec $list && ipsec=ipsec || ipsec=none
- expandv hosts
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- for address in $(separate_list $addresses); do
- echo ${ipsec}^$interface:$address
- done
- fi
- done < $TMP_DIR/hosts
-
- for interface in $ALL_INTERFACES; do
- interface_has_option $interface $1 && \
- echo none^${interface}:0.0.0.0/0
- done
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
- run_iptables -F
- run_iptables -X
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
- local user_exit=$(find_file $1)
-
- if [ -f $user_exit ]; then
- progress_message "Processing $user_exit ..."
- . $user_exit
- fi
-}
-
-#
-# Add a logging rule.
-#
-log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
-{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit="${5:-$LOGLIMIT}"
- local tag=${6:+$6 }
- local command=${7:--A}
- local prefix
- local base=$(chain_base $displayChain)
-
- shift;shift;shift;shift;shift;shift;shift
-
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
- displayChain=$tag
- tag=
- fi
-
- if [ -n "$LOGRULENUMBERS" ]; then
- eval rulenum=\$${base}_logrules
-
- rulenum=${rulenum:-1}
-
- prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
-
- rulenum=$(($rulenum + 1))
- eval ${base}_logrules=$rulenum
- else
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
- fi
-
- if [ ${#prefix} -gt 29 ]; then
- prefix="$(echo $prefix | truncate 29)"
- error_message "Warning: Log Prefix shortened to \"$prefix\""
- fi
-
- case $level in
- ULOG)
- if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
- if [ -z "$stopping" ]; then
- error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
- stop_firewall
- exit 2
- fi
- fi
- ;;
- *)
- if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
- if [ -z "$stopping" ]; then
- error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
- stop_firewall
- exit 2
- fi
- fi
- ;;
- esac
-
- if [ $? -ne 0 ] ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
-{
- local level=$1
- local chain=$2
- local disposition=$3
-
- shift;shift;shift
-
- log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
-}
-
-#
-# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
-#
-setup_forwarding() {
-
- save_progress_message "Restoring IP Forwarding..."
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
- echo "IP Forwarding Disabled!"
- ;;
- esac
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local foo="$(ip -f inet6 addr ls 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt which ip6tables; then
- save_progress_message "Disabling IPV6..."
- ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-disable_ipv6_1() {
- local foo="$(ip -f inet6 addr ls 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt which ip6tables; then
- progress_message "Disabling IPV6..."
- ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-#
-# Process the routestopped file either adding or deleting rules
-#
-
-process_routestopped() # $1 = command
-{
- local hosts= interface host host1 options networks
-
- while read interface host options; do
- expandv interface host options
- [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
- for h in $(separate_list $host); do
- hosts="$hosts $interface:$h"
- done
-
- routeback=
-
- if [ -n "$options" ]; then
- for option in $(separate_list $options); do
- case $option in
- routeback)
- if [ -n "$routeback" ]; then
- error_message "Warning: Duplicate routestopped option ignored: routeback"
- else
- routeback=Yes
- for h in $(separate_list $host); do
- run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
- done
- fi
- ;;
- *)
- error_message "Warning: Unknown routestopped option ignored: $option"
- ;;
- esac
- done
- fi
-
- done < $TMP_DIR/routestopped
-
- for host in $hosts; do
- interface=${host%:*}
- networks=${host#*:}
- $IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-
- for host1 in $hosts; do
- [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
- done
- done
-}
-
-#
-# Stop the Firewall
-#
-stop_firewall() {
- #
- # Turn off trace unless we were tracing "stop" or "clear"
- #
-
- [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
-
- case $COMMAND in
- stop|clear)
- ;;
- check)
- kill $$
- exit 2
- ;;
- *)
- set +x
-
- [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
-
- RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-
- if [ -x $RESTOREPATH ]; then
- echo Restoring Shorewall...
- $RESTOREPATH
- echo "Shorewall restored from $RESTOREPATH"
- my_mutex_off
- kill $$
- exit 2
- fi
- ;;
- esac
-
- stopping="Yes"
-
- terminator=
-
- deletechain shorewall
-
- run_user_exit stop
-
- [ -n "$MANGLE_ENABLED" ] && \
- run_iptables -t mangle -F && \
- run_iptables -t mangle -X
-
- [ -n "$NAT_ENABLED" ] && delete_nat
- delete_proxy_arp
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$DISABLE_IPV6" ] && disable_ipv6_1
-
- if [ -z "$ADMINISABSENTMINDED" ]; then
- for chain in INPUT OUTPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- deleteallchains
- else
- for chain in INPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- setpolicy OUTPUT ACCEPT
-
- deleteallchains
-
- for chain in INPUT FORWARD; do
- setcontinue $chain
- done
- fi
-
- hosts=
-
- [ -f $TMP_DIR/routestopped ] || strip_file routestopped
-
- process_routestopped -A
-
- $IPTABLES -A INPUT -i lo -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
- for interface in $(find_interfaces_by_option dhcp); do
- $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
- #
- # This might be a bridge
- #
- $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
- done
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Disabled!"
- ;;
- esac
-
- run_user_exit stopped
-
- logger "Shorewall Stopped"
-
- rm -rf $TMP_DIR
-
- case $COMMAND in
- stop|clear)
- ;;
- *)
- #
- # The firewall is being stopped when we were trying to do something
- # else. Remove the lock file and Kill the shell in case we're in a
- # subshell
- #
- my_mutex_off
- kill $$
- ;;
- esac
-}
-
-#
-# Remove all rules and remove all user-defined chains
-#
-clear_firewall() {
- stop_firewall
-
- run_iptables -F
-
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- if qt which ip6tables; then
- ip6tables -P INPUT ACCEPT 2> /dev/null
- ip6tables -P OUTPUT ACCEPT 2> /dev/null
- ip6tables -P FORWARD ACCEPT 2> /dev/null
- fi
-
- run_user_exit clear
-
- logger "Shorewall Cleared"
-}
-
-#
-# Set up ipsec tunnels
-#
-setup_tunnels() # $1 = name of tunnels file
-{
- local inchain
- local outchain
-
-
- setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
- {
- local kind=$2 noah=
-
- case $kind in
- *:*)
- noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
- kind=${kind%:*}
- ;;
- esac
-
- [ $kind = IPSEC ] && kind=ipsec
-
- options="-m state --state NEW -j ACCEPT"
- addrule2 $inchain -p 50 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
-
- if [ -z "$noah" ]; then
- run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
- run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
- fi
-
- run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
-
- if [ $kind = ipsec ]; then
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
- else
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
- fi
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p udp --dport 500 $options
- if [ $kind = ipsec ]; then
- addrule ${z}2${FW} -p udp --dport 500 $options
- else
- addrule ${z}2${FW} -p udp --dport 500 $options
- addrule ${z}2${FW} -p udp --dport 4500 $options
- fi
- else
- fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
- fi
- done
-
- progress_message " IPSEC tunnel to $gateway defined."
- }
-
- setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
- {
- addrule2 $inchain -p $3 $(source_ip_range $2) -j ACCEPT
- addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
-
- progress_message " $1 tunnel to $2 defined."
- }
-
- setup_pptp_client() # $1 = gateway
- {
- addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
- addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
-
- progress_message " PPTP tunnel to $1 defined."
- }
-
- setup_pptp_server() # $1 = gateway
- {
- addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
- addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
-
- progress_message " PPTP server defined."
- }
-
- setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
- {
- local protocol=udp
- local p=1194
-
- case $2 in
- *:*:*)
- protocol=${2%:*}
- protocol=${protocol#*:}
- p=${2##*:}
- ;;
- *:*)
- p=${2#*:}
- ;;
- esac
-
- addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
- addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
-
- progress_message " OPENVPN tunnel to $1:$protocol:$p defined."
- }
-
- setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
- {
- local protocol
- local p=
-
- case $2 in
- *:*:*)
- p=${2##*:}
- protocol=${2%:*}
- protocol=${protocol#*:}
- ;;
- *:*)
- protocol=${2#*:}
- ;;
- *)
- protocol=udp
- p=5000
- ;;
- esac
-
- p=${p:+--dport $p}
-
- addrule2 $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT
- addrule2 $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p $protocol $p -j ACCEPT
- addrule ${z}2${FW} -p $protocol $p -j ACCEPT
- else
- error_message "Warning: Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" may encounter problems"
- fi
- done
-
- progress_message " GENERIC tunnel to $1:$p defined."
- }
-
- strip_file tunnels $1
-
- while read kind z gateway z1; do
- expandv kind z gateway z1
- tunnel="$(echo $kind $z $gateway $z1)"
- if validate_zone $z; then
- inchain=${z}2${FW}
- outchain=${FW}2${z}
- gateway=${gateway:-0.0.0.0/0}
- case $kind in
- ipsec|IPSEC|ipsec:*|IPSEC:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipip|IPIP)
- setup_one_other IPIP $gateway 4
- ;;
- gre|GRE)
- setup_one_other GRE $gateway 47
- ;;
- 6to4|6TO4)
- setup_one_other 6to4 $gateway 41
- ;;
- pptpclient|PPTPCLIENT)
- setup_pptp_client $gateway
- ;;
- pptpserver|PPTPSERVER)
- setup_pptp_server $gateway
- ;;
- openvpn|OPENVPN|openvpn:*|OPENVPN:*)
- setup_one_openvpn $gateway $kind
- ;;
- generic:*|GENERIC:*)
- setup_one_generic $gateway $kind $z1
- ;;
- *)
- error_message "Tunnels of type $kind are not supported:" \
- "Tunnel \"$tunnel\" Ignored"
- ;;
- esac
- else
- error_message "Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" Ignored"
- fi
- done < $TMP_DIR/tunnels
-}
-
-#
-# Process the ipsec file
-#
-setup_ipsec() {
- local zone
- #
- # Add a --set-mss rule to the passed chain
- #
- set_mss1() # $1 = chain, $2 = MSS
- {
- eval local policy=\$${1}_policy
-
- if [ "$policy" != NONE ]; then
- case $COMMAND in
- start|restart)
- ensurechain $1
- run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
- ;;
- esac
- fi
- }
- #
- # Set up rules to set MSS to and/or from zone "$zone"
- #
- set_mss() # $1 = MSS value, $2 = _in, _out or ""
- {
- if [ $COMMAND != check ]; then
- for z in $zones; do
- case $2 in
- _in)
- set_mss1 ${zone}2${z} $1
- ;;
- _out)
- set_mss1 ${z}2${zone} $1
- ;;
- *)
- set_mss1 ${z}2${zone} $1
- set_mss1 ${zone}2${z} $1
- ;;
- esac
- done
- fi
- }
-
- do_options() # $1 = _in, _out or "" - $2 = option list
- {
- local option opts newoptions= val
-
- [ x${2} = x- ] && return
-
- opts=$(separate_list $2)
-
- for option in $opts; do
- val=${option#*=}
-
- case $option in
- mss=[0-9]*) set_mss $val $1 ;;
- strict) newoptions="$newoptions --strict" ;;
- next) newoptions="$newoptions --next" ;;
- reqid=*) newoptions="$newoptions --reqid $val" ;;
- spi=*) newoptions="$newoptions --spi $val" ;;
- proto=*) newoptions="$newoptions --proto $val" ;;
- mode=*) newoptions="$newoptions --mode $val" ;;
- tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
- tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
- reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
- spi!=*) newoptions="$newoptions ! --spi $val" ;;
- proto!=*) newoptions="$newoptions ! --proto $val" ;;
- mode!=*) newoptions="$newoptions ! --mode $val" ;;
- tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
- tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
- *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
- esac
- done
-
- if [ -n "$newoptions" ]; then
- eval ${zone}_is_complex=Yes
- eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
- fi
- }
-
- strip_file ipsec $1
-
- while read zone ipsec options in_options out_options mss; do
- expandv zone ipsec options in_options out_options mss
-
- [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
-
- validate_zone1 $zone || fatal_error "Unknown zone: $zone"
-
- case $ipsec in
- -|No|no)
- ;;
- Yes|yes)
- eval ${zone}_is_ipsec=Yes
- eval ${zone}_is_complex=Yes
- ;;
- *)
- fatal_error "Invalid IPSEC column value: $ipsec"
- ;;
- esac
-
- do_options "" $options
- do_options "_in" $in_options
- do_options "_out" $out_options
-
- done < $TMP_DIR/ipsec
-}
-
-#
-# Setup Proxy ARP
-#
-setup_proxy_arp() {
-
- local setlist= resetlist=
-
- print_error() {
- error_message "Invalid value for HAVEROUTE - ($haveroute)"
- error_message "Entry \"$address $interface $external $haveroute\" ignored"
- }
-
- print_error1() {
- error_message "Invalid value for PERSISTENT - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
- }
-
- print_warning() {
- error_message "PERSISTENT setting ignored - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\""
- }
-
- setup_one_proxy_arp() {
-
- case $haveroute in
- [Nn][Oo])
- haveroute=
- ;;
- [Yy][Ee][Ss])
- ;;
- *)
- if [ -n "$haveroute" ]; then
- print_error
- return
- fi
- ;;
- esac
-
- case $persistent in
- [Nn][Oo])
- persistent=
- ;;
- [Yy][Ee][Ss])
- [ -z "$haveroute" ] || print_warning
- ;;
- *)
- if [ -n "$persistent" ]; then
- print_error1
- return
- fi
- ;;
- esac
-
- if [ -z "$haveroute" ]; then
- ensure_and_save_command ip route replace $address dev $interface
- [ -n "$persistent" ] && haveroute=yes
- fi
-
- ensure_and_save_command arp -i $external -Ds $address $external pub
-
- echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
-
- progress_message " Host $address connected to $interface added to ARP on $external"
- }
-
- > ${STATEDIR}/proxyarp
-
- save_progress_message "Restoring Proxy ARP..."
-
- while read address interface external haveroute persistent; do
- expandv address interface external haveroute persistent
- list_search $interface $setlist || setlist="$setlist $interface"
- list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
- setup_one_proxy_arp
- done < $TMP_DIR/proxyarp
-
- for interface in $resetlist; do
- list_search $interface $setlist || \
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- done
-
- for interface in $setlist; do
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- done
-
- interfaces=$(find_interfaces_by_option proxyarp)
-
- for interface in $interfaces; do
- if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
- progress_message " Enabled proxy ARP on $interface"
- save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- else
- error_message "Warning: Unable to enable proxy ARP on $interface"
- fi
- done
-}
-
-#
-# Set up MAC Verification
-#
-setup_mac_lists() {
- local interface
- local mac
- local addresses
- local address
- local chain
- local chain1
- local macpart
- local blob
- local hosts
- local ipsec
- local policy=
- #
- # Generate the list of interfaces having MAC verification
- #
- maclist_interfaces=
-
- for hosts in $maclist_hosts; do
- hosts=${hosts#*^}
- interface=${hosts%%:*}
- if ! list_search $interface $maclist_interfaces; then\
- if [ -z "$maclist_interfaces" ]; then
- maclist_interfaces=$interface
- else
- maclist_interfaces="$maclist_interfaces $interface"
- fi
- fi
- done
-
- progress_message "Setting up MAC Verification on $maclist_interfaces..."
- #
- # Create chains.
- #
- for interface in $maclist_interfaces; do
- chain=$(mac_chain $interface)
- createchain $chain no
-
- if [ -n "$MACLIST_TTL" ]; then
- chain1=$(macrecent_target $interface)
- createchain $chain1 no
- run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
- run_iptables -A $chain -j $chain1
- run_iptables -A $chain -m recent --update --name $chain -j RETURN
- run_iptables -A $chain -m recent --set --name $chain
- fi
- done
- #
- # Process the maclist file producing the verification rules
- #
- while read interface mac addresses; do
- expandv interface mac addresses
-
- physdev_part=
-
- if [ -n "$BRIDGING" ]; then
- case $interface in
- *:*)
- physdev_part="-m physdev --physdev-in ${interface#*:}"
- interface=${interface%:*}
- ;;
- esac
- fi
-
- [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
- if ! havechain $chain ; then
- fatal_error "No hosts on $interface have the maclist option specified"
- fi
-
- macpart=$(mac_match $mac)
-
- if [ -z "$addresses" ]; then
- run_iptables -A $chain $macpart $physdev_part -j RETURN
- else
- for address in $(separate_list $addresses) ; do
- run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
- done
- fi
- done < $TMP_DIR/maclist
- #
- # Must take care of our own broadcasts and multicasts then terminate the verification
- # chains
- #
- for interface in $maclist_interfaces; do
- [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
- blob=$(ip link show $interface 2> /dev/null)
-
- [ -z "$blob" ] && \
- fatal_error "Interface $interface must be up before Shorewall can start"
-
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
- address=${address%/*}
- if [ -n "$broadcast" ]; then
- run_iptables -A $chain -s $address -d $broadcast -j RETURN
- fi
-
- run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
- run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
- done
-
- if [ -n "$MACLIST_LOG_LEVEL" ]; then
- log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
- fi
-
- run_iptables -A $chain -j $maclist_target
- done
- #
- # Generate jumps from the input and forward chains
- #
- for hosts in $maclist_hosts; do
- ipsec=${hosts%^*}
- hosts=${hosts#*^}
- [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
- interface=${hosts%%:*}
- hosts=${hosts#*:}
- for chain in $(first_chains $interface) ; do
- run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
- $policy -j $(mac_chain $interface)
- done
- done
-}
-
-#
-# Set up SYN flood protection
-#
-setup_syn_flood_chain ()
- # $1 = policy chain
- # $2 = synparams
- # $3 = loglevel
-{
- local chain=@$1
- local limit=$2
- local limit_burst=
-
- case $limit in
- *:*)
- limit_burst="--limit-burst ${limit#*:}"
- limit=${limit%:*}
- ;;
- esac
-
- run_iptables -N $chain
- run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
- [ -n "$3" ] && \
- log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
- run_iptables -A $chain -j DROP
-}
-
-#
-# Enable SYN flood protection on a chain
-#
-# Insert a jump rule to the protection chain from the first chain. Inserted
-# as the second rule and restrict the jump to SYN packets
-#
-enable_syn_flood_protection() # $1 = chain, $2 = protection chain
-{
- run_iptables -I $1 2 -p tcp --syn -j @$2
- progress_message " Enabled SYN flood protection"
-}
-
-#
-# Delete existing Proxy ARP
-#
-delete_proxy_arp() {
- if [ -f ${STATEDIR}/proxyarp ]; then
- while read address interface external haveroute; do
- qt arp -i $external -d $address pub
- [ -z "$haveroute" ] && qt ip route del $address dev $interface
- done < ${STATEDIR}/proxyarp
-
- rm -f ${STATEDIR}/proxyarp
- fi
-
- [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp
-
- for f in /proc/sys/net/ipv4/conf/*; do
- [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
- done
-}
-
-#
-# Setup Static Network Address Translation (NAT)
-#
-setup_nat() {
- local external= interface= internal= allints= localnat= policyin= policyout=
-
- validate_one() #1 = Variable Name, $2 = Column name, $3 = value
- {
- case $3 in
- Yes|yes)
- ;;
- No|no)
- eval ${1}=
- ;;
- *)
- [ -n "$3" ] && \
- fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
- ;;
- esac
- }
-
- do_one_nat() {
- local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
-
- if [ -n "$add_ip_aliases" ]; then
- case $interface in
- *:)
- interface=${interface%:}
- add_ip_aliases=
- ;;
- *)
- [ -n "$RETAIN_ALIASES" ] || run_and_save_command qt ip addr del $external dev $iface
- ;;
- esac
- else
- interface=${interface%:}
- fi
-
- validate_one allints "ALL INTERFACES" $allints
- validate_one localnat "LOCAL" $localnat
-
- if [ -n "$allints" ]; then
- addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
- addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
- else
- addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
- addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
- fi
-
- [ -n "$localnat" ] && \
- run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
-
- if [ -n "$add_ip_aliases" ]; then
- list_search $external $aliases_to_add || \
- aliases_to_add="$aliases_to_add $external $interface"
- fi
- }
- #
- # At this point, we're just interested in the network translation
- #
- > ${STATEDIR}/nat
-
- if [ -n "$POLICY_MATCH" ]; then
- policyin="-m policy --pol none --dir in"
- policyout="-m policy --pol none --dir out"
- fi
-
- [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..."
-
- while read external interface internal allints localnat; do
- expandv external interface internal allints localnat
-
- do_one_nat
-
- progress_message " Host $internal NAT $external on $interface"
- done < $TMP_DIR/nat
-}
-
-#
-# Delete existing Static NAT
-#
-delete_nat() {
- run_iptables -t nat -F
- run_iptables -t nat -X
-
- if [ -f ${STATEDIR}/nat ]; then
- while read external interface; do
- qt ip addr del $external dev $interface
- done < ${STATEDIR}/nat
-
- rm -f {$STATEDIR}/nat
- fi
-
- [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
-}
-
-#
-# Setup Network Mapping (NETMAP)
-#
-setup_netmap() {
-
- while read type net1 interface net2 ; do
- expandv type net1 interface net2
-
- list_search $interface $ALL_INTERFACES || \
- fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
-
- case $type in
- DNAT)
- addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
- ;;
- SNAT)
- addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
- ;;
- *)
- fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
- ;;
- esac
-
- progress_message " Network $net1 on $interface mapped to $net2 ($type)"
-
- done < $TMP_DIR/netmap
-}
-
-#
-# Setup ECN disabling rules
-#
-setup_ecn() # $1 = file name
-{
- local interfaces=""
- local hosts=
- local h
-
- strip_file ecn $1
-
- echo "Processing $1..."
-
- while read interface host; do
- expandv interface host
- list_search $interface $ALL_INTERFACES || \
- startup_error "Unknown interface $interface"
- list_search $interface $interfaces || \
- interfaces="$interfaces $interface"
- [ "x$host" = "x-" ] && host=
- for h in $(separate_list ${host:-0.0.0.0/0}); do
- hosts="$hosts $interface:$h"
- done
- done < $TMP_DIR/ecn
-
- if [ -n "$interfaces" ]; then
- progress_message "Setting up ECN control on${interfaces}..."
-
- for interface in $interfaces; do
- chain=$(ecn_chain $interface)
- if mangle_chain_exists $chain; then
- flushmangle $chain
- else
- run_iptables -t mangle -N $chain
- run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
- run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
- fi
- done
-
- for host in $hosts; do
- interface=${host%:*}
- h=${host#*:}
- run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
- progress_message " ECN Disabled to $h through $interface"
- done
- fi
-}
-
-#
-# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
-# default marking chain
-#
-process_tc_rule()
-{
- chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
-
- verify_designator() {
- [ "$chain" = tcout ] && \
- fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
- chain=$1
- mark="${mark%:*}"
- }
-
- add_a_tc_rule() {
- r=
-
- if [ "x$source" != "x-" ]; then
- case $source in
- *.*.*)
- r="$(source_ip_range $source) "
- ;;
- ~*)
- r="$(mac_match $source) "
- ;;
- $FW:*)
- chain=tcout
- r="$(source_ip_range ${source%:*}) "
- ;;
- $FW)
- chain=tcout
- ;;
- *)
- verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
- r="$(match_source_dev) $source "
- ;;
- esac
- fi
-
- if [ "x${user:--}" != "x-" ]; then
-
- [ "$chain" != tcout ] && \
- fatal_error "Invalid use of a user/group: rule \"$rule\""
-
- case "$user" in
- *:*)
- r="$r-m owner"
- temp="${user%:*}"
- [ -n
"$temp" ] && r="$r --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && r="$r --gid-owner $temp " - ;; - *) - r="$r-m owner --uid-owner $user " - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - if [ "x$dest" != "x-" ]; then - case $dest in - *.*.*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x$proto" = xipp2p ]; then - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p tcp -m ipp2p --${port} " - else - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}--dport $port " - fi - - [ "x$sport" = "x-" ] || r="${r}--sport $sport " - - case $chain in - tcpost) - run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark - ;; - *) - run_iptables2 -t mangle -A $chain $r -j $target $mark - ;; - esac - - } - - if [ "$mark" != "${mark%:*}" ]; then - case "${mark#*:}" in - p|P) - verify_designator tcpre - ;; - cp|CP) - verify_designator tcpre - target="CONNMARK --set-mark" - ;; - f|F) - verify_designator tcfor - ;; - cf|CF) - verify_designator tcfor - target="CONNMARK --set-mark" - ;; - c|C) - target="CONNMARK --set-mark" - mark=${mark%:*} - ;; - *) - chain=tcpost - ;; - esac - fi - - case $mark in - SAVE) - target="CONNMARK --save-mark" - mark= - ;; - SAVE/*) - target="CONNMARK --save-mark --mask" - mark=${mark#*/} - ;; - RESTORE) - target="CONNMARK --restore-mark" - mark= - ;; - RESTORE/*) - target="CONNMARK --restore-mark --mask" - mark=${mark#*/} - ;; - CONTINUE) - target=RETURN - mark= - ;; - esac - - case $testval in - -) - ;; - !*:C) - marktest="connmark ! " - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! 
" - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - for source in $(separate_list ${sources:=-}); do - for dest in $(separate_list ${dests:=-}); do - for port in $(separate_list ${ports:=-}); do - for sport in $(separate_list ${sports:=-}); do - add_a_tc_rule - done - done - done - done - - progress_message " TC Rule \"$rule\" added" -} - -# -# Setup queuing and classes -# -setup_tc1() { - # - # Create the TC mangle chains - # - - run_iptables -t mangle -N tcpre - run_iptables -t mangle -N tcfor - run_iptables -t mangle -N tcout - run_iptables -t mangle -N tcpost - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports user testval; do - expandv mark sources dests proto ports sports user testval - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval") - process_tc_rule - done < $TMP_DIR/tcrules - # - # Link to the TC mangle chains from the main chains - # - - run_iptables -t mangle -A FORWARD -j tcfor - run_iptables -t mangle -A PREROUTING -j tcpre - run_iptables -t mangle -A OUTPUT -j tcout - run_iptables -t mangle -A POSTROUTING -j tcpost - - f=$(find_file tcstart) - - if [ -f $f ]; then - - run_user_exit tcstart - - save_progress_message "Restoring Traffic Control..." - save_command . $(find_file tcstart) - fi -} - -setup_tc() { - - echo "Setting up Traffic Control Rules..." 
- - setup_tc1 -} - -# -# Clear Traffic Shaping -# -delete_tc() -{ - - clear_one_tc() { - run_and_save_command "tc qdisc del dev $1 root 2> /dev/null" - run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" - - } - - save_progress_message "Clearing Traffic Control/QOS" - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -delete_tc1() -{ - - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Process a record from the accounting file -# -process_accounting_rule() { - rule= - rule2= - jumpchain= - - accounting_error() { - error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user - } - - accounting_interface_error() { - error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user - } - - accounting_interface_verify() { - verify_interface $1 || accounting_interface_error $1 - } - - jump_to_chain() { - if ! havechain $jumpchain; then - if ! 
createchain2 $jumpchain No; then - accounting_error - return 2 - fi - fi - - rule="$rule -j $jumpchain" - } - - case $source in - *:*) - accounting_interface_verify ${source%:*} - rule="-s ${source#*:} $(match_source_dev ${source%:*})" - ;; - *.*.*.*) - rule="-s $source" - ;; - -|all|any) - ;; - *) - if [ -n "$source" ]; then - accounting_interface_verify $source - rule="$(match_source_dev $source)" - fi - ;; - esac - - [ -n "$dest" ] && case $dest in - *:*) - accounting_interface_verify ${dest%:*} - rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})" - ;; - *.*.*.*) - rule="$rule $(dest_ip_range $dest)" - ;; - -|all|any) - ;; - *) - accounting_interface_verify $dest - rule="$rule $(match_dest_dev $dest)" - ;; - esac - - [ -n "$proto" ] && case $proto in - -|any|all) - ;; - ipp2p) - rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" - port= - ;; - *) - rule="$rule -p $proto" - ;; - esac - - [ -n "$port" ] && case $port in - -|any|all) - ;; - *) - rule="$rule --dport $port" - ;; - esac - - [ -n "$sport" ] && case $sport in - -|any|all) - ;; - *) - rule="$rule --sport $sport" - ;; - esac - - [ -n "$user" ] && case $user in - -|any|all) - ;; - *:*) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner" - temp="${user%:*}" - [ -n "$temp" ] && rule="$rule --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && rule="$rule --gid-owner $temp " - ;; - *) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner --uid-owner $user " - ;; - esac - - case $action in - COUNT) - ;; - DONE) - rule="$rule -j RETURN" - ;; - *:COUNT) - rule2="$rule" - jumpchain=${action%:*} - jump_to_chain || return - ;; - JUMP:*) - jumpchain=${action#*:} - jump_to_chain || return - ;; - *) - jumpchain=$action - jump_to_chain || return - ;; - esac - - [ "x$chain" = "x-" ] && chain=accounting - [ -z "$chain" ] && chain=accounting - - 
ensurechain1 $chain - - if $IPTABLES -A $chain $(fix_bang $rule) ; then - [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 - progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added - else - accounting_error - fi -} - -# -# Set up Accounting -# -setup_accounting() # $1 = Name of accounting file -{ - - echo "Setting up Accounting..." - - strip_file accounting $1 - - while read action chain source dest proto port sport user ; do - expandv action chain source dest proto port sport user - process_accounting_rule - done < $TMP_DIR/accounting - - if havechain accounting; then - for chain in INPUT FORWARD OUTPUT; do - run_iptables -A $chain -j accounting - done - fi - -} - -# -# Check the configuration -# -check_config() { - - disclaimer() { - echo - echo "Notice: The 'check' command is provided to catch" - echo " obvious errors in a Shorewall configuration." - echo " It is not designed to catch all possible errors" - echo " so please don't submit problem reports about" - echo " error conditions that 'check' doesn't find" - echo - } - - - report_capabilities - - echo "Verifying Configuration..." - - verify_os_version - - if [ -n "$BRIDGING" ]; then - [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" - fi - - [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= - - if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" - fi - - echo "Determining Zones..." - - determine_zones - check_duplicate_zones - - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" - - display_list "Zones:" $zones - - ipsecfile=$(find_file ipsec) - - [ -f $ipsecfile ] && \ - echo "Validating ipsec file..." && \ - setup_ipsec $ipsecfile - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." 
- - validate_hosts_file - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - echo "Validating policy file..." - - validate_policy - - echo "Pre-validating Actions..." - - process_actions1 - - echo "Validating rules file..." - - rules=$(find_file rules) - strip_file rules $rules - process_rules - - echo "Validating Actions..." - - process_actions2 - process_actions3 - - rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - - echo "Configuration Validated" - - disclaimer - -} - -# -# Refresh queuing and classes -# -refresh_tc() { - - echo "Refreshing Traffic Control Rules..." - - [ -n "$CLEAR_TC" ] && delete_tc1 - - [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre - - if mangle_chain_exists $chain; then - # - # Flush the TC mangle chains - # - run_iptables -t mangle -F $chain - - run_iptables -t mangle -F tcout - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=$(echo "$mark $sources $dests $proto $ports $sports") - process_tc_rule - done < $TMP_DIR/tcrules - - run_user_exit tcstart - else - setup_tc1 - fi - -} - -# -# Add one Filter Rule from an action -- Helper function for the action file processor -# -# The caller has established the following variables: -# COMMAND = current command. If 'check', we're executing a 'check' -# which only goes through the motions. 
-# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# action = The chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup = owner match clause -# logtag = Log tag -# -add_an_action() -{ - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - action_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). - - cli= - - case "$client" in - -) - ;; - *:*) - action_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*) - cli="-s $client" - ;; - ~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - action_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
- - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - action_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - servport=$serverport - multiport= - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - [ "$target" = QUEUE ] && proto="$proto --syn" - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. setup - - case "$logtarget" in - LOG) - [ -z "$loglevel" ] && fatal_error "LOG requires log level" - ;; - esac - - if [ $COMMAND != check ]; then - if [ -n "${serv}" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) - fi - - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target - done - done - else - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $dest_interface $dports) - fi - - run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \ - $dports $ratelimit $userandgroup -j $target - fi - fi -} - -# -# Process a record from an action file for the 'start', 'restart' or 'check' commands -# -process_action() # $1 = chain (Chain to add the rules to) - # $2 = action (The action name for logging 
purposes) - # $3 = target (The (possibly modified) contents of the TARGET column) - # $4 = clients - # $5 = servers - # $6 = protocol - # $7 = ports - # $8 = cports - # $9 = ratelimit - # $10 = userspec -{ - local chain="$1" - local action="$2" - local target="$3" - local clients="$4" - local servers="$5" - local protocol="$6" - local ports="$7" - local cports="$8" - local ratelimit="$9" - local userspec="${10}" - local userandgroup= - local logtag= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - -) - ratelimit= - ;; - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - [ "x$userspec" = "x-" ] && userspec= - - if [ -n "$userspec" ]; then - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - userandgroup="-m owner" - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - userandgroup="-m owner ! 
--uid-owner ${userspec#!}" - ;; - *) - userandgroup="-m owner --uid-owner $userspec" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - case $loglevel in - none*) - loglevel= - logtag= - [ $target = LOG ] && return - ;; - esac - - loglevel=${loglevel%\!} - fi - - logtarget="$target" - - case $target in - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - *) - ;; - esac - - # Generate Netfilter rule(s) - - [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_an_action - done - done - done - done - fi - # - # Report Result - # - if [ $COMMAND = check ]; then - progress_message " Rule \"$rule\" checked." - else - progress_message " Rule \"$rule\" added." - fi -} - -# -# Create and record a log action chain -- Log action chains have names -# that are formed from the action name by prepending a "%" and appending -# a 1- or 2-digit sequence number. In the functions that follow, -# the CHAIN, LEVEL and TAG variable serves as arguments to the user's -# exit. We call the exit corresponding to the name of the action but we -# set CHAIN to the name of the iptables chain where rules are to be added. -# Similarly, LEVEL and TAG contain the log level and log tag respectively. -# -# For each , we maintain two variables: -# -# _actchain - The action chain number. -# _chains - List of ( level[:tag] , chainname ) pairs -# -# The maximum length of a chain name is 30 characters -- since the log -# action chain name is 2-3 characters longer than the base chain name, -# this function truncates the original chain name where necessary before -# it adds the leading "%" and trailing sequence number. 
- -createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] -{ - local actchain= action=$1 level=$2 - - eval actchain=\${${action}_actchain} - - case ${#action} in - 29|30) - CHAIN=$(echo $action | truncate 28) # %...n makes 30 - ;; - *) - CHAIN=${action} - ;; - esac - - [ "$COMMAND" != check ] && \ - while havechain %${CHAIN}${actchain}; do - actchain=$(($actchain + 1)) - [ $actchain -eq 10 -a ${#CHAIN} -eq 28 ] && CHAIN=$(echo $CHAIN | truncate 27) # %...nn makes 30 - done - - CHAIN=%${CHAIN}${actchain} - - eval ${action}_actchain=$(($actchain + 1)) - - if [ $COMMAND != check ]; then - createchain $CHAIN No - LEVEL=${level%:*} - if [ "$LEVEL" != "$level" ]; then - TAG=${level#*:} - else - TAG= - fi - run_user_exit $1 - fi - - eval ${action}_chains=\"\$${action}_chains $level $CHAIN\" - -} - -# -# Create an action chain and run it's associated user exit -# - -createactionchain() # $1 = Action, including log level and tag if any -{ - case $1 in - *:*:*) - set -- $(split $1) - createlogactionchain $1 $2:$3 - ;; - *:*) - set -- $(split $1) - createlogactionchain $1 $2 - ;; - *) - CHAIN=$1 - if [ $COMMAND != check ]; then - LEVEL= - TAG= - createchain $CHAIN no - run_user_exit $CHAIN - fi - ;; - esac -} - -# -# Find the chain that handles the passed action. If the chain cannot be found, -# a fatal error is generated and the function does not return. 
-# -find_logactionchain() # $1 = Action, including log level and tag if any -{ - local fullaction=$1 action=${1%%:*} level= chains= - - case $fullaction in - *:*) - level=${fullaction#*:} - ;; - *) - if [ $COMMAND != check ]; then - havechain $action || fatal_error "Fatal error in find_logactionchain" - fi - - echo $action - return - ;; - esac - - eval chains="\$${action}_chains" - - set -- $chains - - while [ $# -gt 0 ]; do - [ "$1" = "$level" ] && { echo $2 ; return ; } - shift;shift - done - - fatal_error "Fatal error in find_logactionchain" - -} - -# -# This function determines the logging for a subordinate action or a rule within a subordinate action -# -merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called -{ - local superior=$1 subordinate=$2 - - set -- $(split $1) - - case $superior in - *:*:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' - return - ;; - *'!') - echo ${subordinate%%:*}:$2:$3 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2:$3 - return - ;; - esac - ;; - esac - ;; - *:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' - return - ;; - *'!') - echo ${subordinate%%:*}:$2 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2 - return - ;; - esac - ;; - esac - ;; - *) - echo $subordinate - ;; - esac -} - -# -# The next three functions implement the three phases of action processing. -# -# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std -# and /etc/shorewall/actions are scanned (in that order) and for each action: -# -# a) The related action definition file is located and scanned. -# b) Forward and unresolved action references are trapped as errors. -# c) A dependency graph is created. 
For each , the variable 'requiredby_' lists the -# action[:level[:tag]] of each action invoked by . -# d) All actions are listed in the global variable ACTIONS. -# e) Common actions are recorded (in variables of the name _common) and are added to the global -# USEDACTIONS -# -# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an -# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name -# %n is used where the name is truncated on the right where necessary to ensure that the total -# length of the chain name does not exceed 30 characters. -# -# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of -# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created. -# -# The final phase (process_actions3) is to traverse the USEDACTIONS list populating each chain appropriately -# by reading the action definition files and creating rules. Note that a given action definition file is -# processed once for each unique [:level[:tag]] applied to an invocation of the action. -# -process_actions1() { - - ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP" - - USEDACTIONS= - - strip_file actions - - strip_file actions.std /usr/share/shorewall/actions.std - - for inputfile in actions.std actions; do - while read xaction rest; do - [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" - - case $xaction in - *:*) - temp=${xaction#*:} - [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" - xaction=${xaction%:*} - case $temp in - ACCEPT|REJECT|DROP|QUEUE) - eval ${temp}_common=$xaction - if [ -n "$xaction" ] && ! 
list_search $xaction $USEDACTIONS; then - USEDACTIONS="$USEDACTIONS $xaction" - fi - ;; - *) - startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE" - ;; - esac - esac - - [ -z "$xaction" ] && continue - - [ "$xaction" = "$(chain_base $xaction)" ] || startup_error "Invalid Action Name: $xaction" - - if ! list_search $xaction $ACTIONS; then - f=action.$xaction - fn=$(find_file $f) - - eval requiredby_${action}= - - if [ -f $fn ]; then - echo " Pre-processing $fn..." - strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do - expandv xtarget - temp="${xtarget%%:*}" - case "$temp" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - ;; - *) - if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $xtarget\" - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - startup_error "Invalid TARGET in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/$f - else - startup_error "Missing Action File: $f" - fi - - ACTIONS="$ACTIONS $xaction" - fi - done < $TMP_DIR/$inputfile - done -} - -process_actions2() { - - local interfaces="$(find_interfaces_by_option upnp)" - - if [ -n "$interfaces" ]; then - if ! list_search forwardUPnP $USEDACTIONS; then - error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" - USEDACTIONS="$USEDACTIONS forwardUPnP" - fi - fi - - progress_message " Generating Transitive Closure of Used-action List..." - - changed=Yes - - while [ -n "$changed" ]; do - changed= - for xaction in $USEDACTIONS; do - - eval required=\"\$requiredby_${xaction%%:*}\" - - for xaction1 in $required; do - # - # Generate the action that will be passed to process_action by merging the - # logging specified when the action was invoked with the logging in the - # invocation of the subordinate action (usually no logging) - # - xaction2=$(merge_levels $xaction $xaction1) - - if ! 
list_search $xaction2 $USEDACTIONS; then - # - # We haven't seen this one before -- create and record a chain to handle it - # - USEDACTIONS="$USEDACTIONS $xaction2" - createactionchain $xaction2 - changed=Yes - fi - done - done - done -} - -process_actions3() { - - for xaction in $USEDACTIONS; do - # - # Find the chain associated with this action:level:tag - # - xchain=$(find_logactionchain $xaction) - # - # Split the action:level:tag - # - set -- $(split $xaction) - - xaction1=$1 - xlevel=$2 - xtag=$3 - # - # Handle Builtin actions - # - case $xaction1 in - dropBcast) - if [ "$COMMAND" != check ]; then - if [ -n "$PKTTYPE" ]; then - case $xlevel in - none'!') - ;; - *) - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast - fi - ;; - esac - - run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP - else - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - case $xlevel in - none*) - ;; - *) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address - ;; - esac - - run_iptables -A $xchain -d $address -j DROP - done - fi - fi - ;; - allowBcast) - if [ "$COMMAND" != check ]; then - if [ -n "$PKTTYPE" ]; then - case $xlevel in - none'!') - ;; - *) - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast - fi - ;; - esac - - run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT - run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT - else - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - case $xlevel in - none*) - ;; - *) - [ -n "$xlevel" 
] && \ - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address - ;; - esac - - run_iptables -A $xchain -d $address -j ACCEPT - done - fi - fi - ;; - dropNonSyn) - error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" - - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j DROP - fi - ;; - dropNotSyn) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j DROP - fi - ;; - rejNotSyn) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset - fi - ;; - dropInvalid) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j DROP - fi - ;; - allowInvalid) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j ACCEPT - fi - ;; - forwardUPnP) - ;; - allowinUPnP) - if [ "$COMMAND" != check ]; then - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 - fi - - run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT - run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT - fi - ;; - allowoutUPnP) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd - 
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT - fi - ;; - *) - # - # Not a builtin - # - f=action.$xaction1 - - echo "Processing $(find_file $f) for Chain $xchain..." - - while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do - expandv xtarget - # - # Generate the target:level:tag to pass to process_action() - # - xaction2=$(merge_levels $xaction $xtarget) - - case ${xaction2%%:*} in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - # - # Builtin target -- Nothing to do - # - ;; - *) - # - # Not a builtin target -- Replace the target from the file - # -- with the one generated above - xtarget=$xaction2 - # - # And locate the chain for that action:level:tag - # - xaction2=$(find_logactionchain $xtarget) - ;; - esac - - expandv xclients xservers xprotocol xports xcports xratelimit xuserspec - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec - - done < $TMP_DIR/$f - ;; - esac - done -} - -# -# Add a NAT rule - Helper function for the rules file processor -# -# The caller has established the following variables: -# COMMAND = The current command -- if 'check', we just go through -# the motions. -# cli = Source IP, interface or MAC Specification -# serv = Destination IP Specification -# servport = Port the server is listening on -# dest_interface = Destination Interface Specification -# proto = Protocol Specification -# addr = Original Destination Address -# dports = Destination Port Specification. 
'dports' may be changed -# by this function -# cport = Source Port Specification -# multiport = String to invoke multiport match if appropriate -# ratelimit = Optional rate limiting clause -# userandgroup = -m owner match to limit the rule to a particular user and/or group -# logtag = Log tag -# -add_nat_rule() { - local chain - local excludedests= - - # Be sure we can NAT - - if [ -z "$NAT_ENABLED" ]; then - fatal_error "Rule \"$rule\" requires NAT which is disabled" - fi - - # Parse SNAT address if any - - if [ "$addr" != "${addr%:*}" ]; then - fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead" - fi - - # Set original destination address - - case $addr in - all) - addr= - ;; - detect) - addr= - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - eval interfaces=\$${source}_interfaces - for interface in $interfaces; do - addr=${addr:+$addr,}$(find_first_interface_address $interface) - done - fi - ;; - !*) - if [ $(list_count $addr) -gt 1 ]; then - excludedests="$(separate_list ${addr#\!})" - addr= - fi - ;; - esac - - addr=${addr:-0.0.0.0/0} - - # Select target - - if [ "$logtarget" = SAME ]; then - [ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to ${srv}" - done - target1="SAME $serv1" - elif [ -n "$serv" ]; then - servport="${servport:+:$servport}" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to-destination ${srv}${servport}" - done - target1="DNAT $serv1" - else - target1="REDIRECT --to-port $servport" - fi - - if [ $source = $FW ]; then - [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" - fi - - # Generate nat table rules - - if [ $COMMAND != check ]; then - if [ "$source" = "$FW" ]; then - if [ -n "$excludedests" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - run_iptables2 -t nat -A 
OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - - for adr in $excludedests; do - addnatrule $chain $(dest_ip_range $adr) -j RETURN - done - - if [ -n "$loglevel" ]; then - log_rule $loglevel $chain $logtarget -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) - fi - - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1 - done - fi - else - chain=$(dnat_chain $source) - - if [ -n "${excludezones}${excludedests}" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - - for z in $(separate_list $excludezones); do - eval hosts=\$${z}_hosts - for host in $hosts; do - addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN - done - done - - for adr in $excludedests; do - addnatrule $chain $(dest_ip_range $adr) -j RETURN - done - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - ensurenatchain $chain - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) - fi - - addnatrule $chain $proto $ratelimit $cli $sports \ - -d $adr $multiport $dports -j $target1 - done - fi - fi - fi - - # Replace destination port 
by the new destination port - - if [ -n "$servport" ]; then - if [ -z "$multiport" ]; then - dports="--dport ${servport#*:}" - else - dports="--dports ${servport#*:}" - fi - fi - - [ "x$addr" = "x0.0.0.0/0" ] && addr= - ratelimit= -} - -# -# Add one Filter Rule -- Helper function for the rules file processor -# -# The caller has established the following variables: -# COMMAND = current command. If 'check', we're executing a 'check' -# which only goes through the motions. -# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# servport = Port the server listens on -# chain = The canonical chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup= -m owner clause -# userspec = User name -# logtag = Log tag -# -add_a_rule() -{ - local natrule= - - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - rule_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). 
- - cli= - - case "$client" in - -) - ;; - *:*) - rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*) - cli="$(source_ip_range $client)" - ;; - ~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - rule_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). - - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" - rule_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - addr=$address - servport=$serverport - multiport= - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - [ "$target" = QUEUE ] && proto="$proto --syn" - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - all|ALL) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" - proto= - ;; - ipp2p) - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=tcp - do_ports - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. 
setup - - case "$logtarget" in - ACCEPT|DROP|REJECT|CONTINUE) - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - ;; - REDIRECT) - [ -n "$serv" ] && \ - fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - natrule=Yes - ;; - DNAT|SAME) - [ -n "$serv" ] || \ - fatal_error "$logtarget rules require a server address; rule: \"$rule\"" - natrule=Yes - ;; - LOG) - [ -z "$loglevel" ] && \ - fatal_error "LOG requires log level" - ;; - esac - - if [ -n "${serv}${servport}" ]; then - if [ $COMMAND != check ]; then - - # A specific server or server port given - - if [ -n "$natrule" ]; then - add_nat_rule - elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\"" - fi - - if [ -z "$dnat_only" ]; then - if [ -n "$serv" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then - for adr in $(separate_list $addr); do - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ - $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) - fi - - run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ - $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports 
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target - fi - done - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target - fi - fi - fi - else - - # Destination is a simple zone - - [ -n "$addr" ] && fatal_error \ - "An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT, SAME or REDIRECT: \"$rule\"" - - if [ $COMMAND != check ]; then - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) - fi - - if [ "$logtarget" != LOG ]; then - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $userandgroup -j $target - fi - fi - fi -} - -# -# Process a record from the rules file for the 'start', 'restart' or 'check' commands -# -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec -{ - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local ratelimit="$8" - local userspec="$9" - local userandgroup= - local logtag= - 
local nonat= - - # Function Body - isolate rate limit - - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - if [ "$loglevel" = none ]; then - [ "$target" = LOG ] && return - loglevel= - logtag= - fi - - loglevel=${loglevel%\!} - fi - # - # Save the original target in 'logtarget' for logging rules - # - logtarget=${target%-} - # - # Targets ending in "-" only apply to the nat table - # - [ $target = $logtarget ] && dnat_only= || dnat_only=Yes - - # Tranform the rule: - # - # - parse the user specification - # - set 'target' to the filter table target. - # - make $FW the destination for REDIRECT - # - remove '-' suffix from logtargets while setting 'dnat_only' - # - clear 'address' if it has been set to '-' - - [ "x$userspec" = x- ] && userspec= - [ "x$address" = "x-" ] && address= - - if [ -n "$userspec" ]; then - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - userandgroup="-m owner" - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - userandgroup="-m owner ! 
--uid-owner ${userspec#!}" - ;; - *) - userandgroup="-m owner --uid-owner $userspec" - ;; - esac - fi - - case $target in - ACCEPT+|NONAT) - nonat=Yes - target=ACCEPT - ;; - ACCEPT|LOG) - ;; - DROP) - [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" - ;; - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - DNAT*|SAME*) - target=ACCEPT - address=${address:=detect} - ;; - REDIRECT*) - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="$FW::$servers" - fi - ;; - esac - - # Parse and validate source - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - fatal_error "Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%!*}" ]; then - excludezones= - else - excludezones="${clientzone#*!}" - clientzone="${clientzone%!*}" - - case $logtarget in - DNAT|REDIRECT|SAME) - ;; - *) - fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT" - ;; - esac - fi - - validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" - - # Parse and validate destination - - source=$clientzone - - if [ $source = $FW ]; then - source_hosts= - elif [ -n "$userspec" ]; then - fatal_error "Invalid use of a user-qualification: rule \"$rule\"" - else - eval source_hosts=\"\$${source}_hosts\" - fi - - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - fatal_error "Empty destination zone or qualifier: rule \"$rule\"" - fi 
- fi - - if ! validate_zone $serverzone; then - fatal_error "Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - # Ensure that this rule doesn't apply to a NONE policy pair of zones - - chain=${source}2${dest} - - eval policy=\$${chain}_policy - - [ -z "$policy" ] && \ - fatal_error "No policy defined from zone $source to zone $dest" - - [ $policy = NONE ] && \ - fatal_error "Rules may not override a NONE policy: rule \"$rule\"" - - # Create the canonical chain if it doesn't already exist - - [ $COMMAND = check ] || ensurechain $chain - - # Generate Netfilter rule(s) - - protocol=${protocol:=all} - - case $logtarget in - DNAT*|SAME) - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - server=${servers:=-} - add_a_rule - done - done - done - fi - ;; - *) - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_a_rule - done - done - done - done - fi - ;; - esac - # - # Report Result - # - if [ $COMMAND = check ]; then - progress_message " Rule \"$rule\" checked." - else - progress_message " Rule \"$rule\" added." - fi -} - -# -# Process the rules file for the 'start', 'restart' or 'check' command. -# -process_rules() -{ - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() { - local yclients yservers ysourcezone ydestzone ypolicy - - for yclients in $xclients; do - for yservers in $xservers; do - ysourcezone=${yclients%%:*} - ydestzone=${yservers%%:*} - if [ "${ysourcezone}" != "${ydestzone}" ] ; then - eval ypolicy=\$${ysourcezone}2${ydestzone}_policy - if [ "$ypolicy" != NONE ] ; then - rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - fi - fi - done - done - } - - do_it() { - expandv xprotocol xports xcports xaddress xratelimit xuserspec - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - return - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - return - fi - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit 
$xuserspec)" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - } - - while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - expandv xtarget xclients xservers - - if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - progress_message " Rule \"$rule\" ignored." - continue - fi - - case "${xtarget%%:*}" in - ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) - do_it - ;; - *) - if list_search ${xtarget%%:*} $ACTIONS; then - if ! list_search $xtarget $USEDACTIONS; then - createactionchain $xtarget - USEDACTIONS="$USEDACTIONS $xtarget" - fi - - xtarget=$(find_logactionchain $xtarget) - do_it - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - fatal_error "Invalid Action in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/rules -} - -# -# Process a record from the tos file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# src dst protocol sport dport tos -# -# and has loaded a space-separated list of their values in "rule". -# -process_tos_rule() { - # - # Parse the contents of the 'src' variable - # - if [ "$src" = "${src%:*}" ]; then - srczone="$src" - src= - else - srczone="${src%:*}" - src="${src#*:}" - fi - - source= - # - # Validate the source zone - # - if validate_zone $srczone; then - source=$srczone - elif [ "$srczone" = "all" ]; then - source="all" - else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$src" ] && case "$src" in - *.*.*) - # - # IP Address or networks - # - src="$(source_ip_range $src)" - ;; - ~*) - src=$(mac_match $src) - ;; - *) - # - # Assume that this is a device name - # - if ! 
verify_interface $src ; then - error_message "Warning: Unknown Interface in rule \"$rule\" ignored" - return - fi - - src="$(match_source_dev $src)" - ;; - esac - - # - # Parse the contents of the 'dst' variable - # - if [ "$dst" = "${dst%:*}" ]; then - dstzone="$dst" - dst= - else - dstzone="${dst%:*}" - dst="${dst#*:}" - fi - - dest= - # - # Validate the destination zone - # - if validate_zone $dstzone; then - dest=$dstzone - elif [ "$dstzone" = "all" ]; then - dest="all" - else - error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$dst" ] && case "$dst" in - *.*.*) - # - # IP Address or networks - # - ;; - *) - # - # Assume that this is a device name - # - error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" - return - ;; - esac - - # - # Setup PROTOCOL and PORT variables - # - sports="" - dports="" - - case $protocol in - tcp|udp|TCP|UDP|6|17) - [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ - sports="--sport $sport" - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--dport $dport" - ;; - icmp|ICMP|0) - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--icmp-type $dport" - ;; - all|ALL) - protocol= - ;; - *) - ;; - esac - - protocol="${protocol:+-p $protocol}" - - tos="-j TOS --set-tos $tos" - - case "$dstzone" in - all|ALL) - dst=0.0.0.0/0 - ;; - *) - [ -z "$dst" ] && eval dst=\$${dstzone}_hosts - ;; - esac - - for dest in $dst; do - dest="$(dest_ip_range $dest)" - - case $srczone in - $FW) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - ;; - all|ALL) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - run_iptables2 -t mangle -A pretos \ - $protocol $dest $dports $sports $tos - ;; - *) - if [ -n "$src" ]; then - run_iptables2 -t mangle -A pretos $src \ - $protocol $dest $dports $sports $tos - else - eval interfaces=\$${srczone}_interfaces - - for interface in $interfaces; do - run_iptables2 -t mangle -A pretos 
-i $interface \ - $protocol $dest $dports $sports $tos - done - fi - ;; - esac - done - - progress_message " Rule \"$rule\" added." -} - -# -# Process the tos file -# -process_tos() # $1 = name of tos file -{ - echo "Processing $1..." - - run_iptables -t mangle -N pretos - run_iptables -t mangle -N outtos - - strip_file tos $1 - - while read src dst protocol sport dport tos; do - expandv src dst protocol sport dport tos - rule="$(echo $src $dst $protocol $sport $dport $tos)" - process_tos_rule - done < $TMP_DIR/tos - - run_iptables -t mangle -A PREROUTING -j pretos - run_iptables -t mangle -A OUTPUT -j outtos -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Add policy rule ( and possibly logging rule) to the passed chain -# -policy_rules() # $1 = chain to add rules to - # $2 = policy - # $3 = loglevel -{ - local target="$2" - - case "$target" in - ACCEPT) - [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common - ;; - DROP) - [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common - ;; - REJECT) - [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common - target=reject - ;; - QUEUE) - [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common - ;; - CONTINUE) - target= - ;; - *) - fatal_error "Invalid policy ($policy) for $1" - ;; - esac - - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 - fi - - [ -n "$target" ] && run_iptables -A $1 -j $target -} - -# -# Generate default policy & log level rules for the passed client & server -# zones -# -# This function is only called when the canonical chain for this client/server -# pair is known to exist. If the default policy for this pair specifies the -# same chain then we add the policy (and logging) rule to the canonical chain; -# otherwise add a rule to the canonical chain to jump to the appropriate -# policy chain. 
-# -default_policy() # $1 = client $2 = server -{ - local chain="${1}2${2}" - local policy= - local loglevel= - local chain1 - - jump_to_policy_chain() { - # - # Add a jump to from the canonical chain to the policy chain. On return, - # $chain is set to the name of the policy chain - # - run_iptables -A $chain -j $chain1 - chain=$chain1 - } - - apply_default() - { - # - # Generate policy file column values from the policy chain - # - eval policy=\$${chain1}_policy - eval loglevel=\$${chain1}_loglevel - eval synparams=\$${chain1}_synparams - # - # Add the appropriate rules to the canonical chain ($chain) to enforce - # the specified policy - - if [ "$chain" = "$chain1" ]; then - # - # The policy chain is the canonical chain; add policy rule to it - # The syn flood jump has already been added if required. - # - policy_rules $chain $policy $loglevel - else - # - # The policy chain is different from the canonical chain -- approach - # depends on the policy - # - case $policy in - ACCEPT|QUEUE) - if [ -n "$synparams" ]; then - # - # To avoid double-counting SYN packets, enforce the policy - # in this chain. - # - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - else - # - # No problem with double-counting so just jump to the - # policy chain. - # - jump_to_policy_chain - fi - ;; - CONTINUE) - # - # Silly to jump to the policy chain -- add any logging - # rules and enable SYN flood protection if requested - # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - policy_rules $chain $policy $loglevel - ;; - *) - # - # DROP or REJECT policy -- enforce in the policy chain and - # enable SYN flood protection if requested. 
- # - [ -n "$synparams" ] && \ - enable_syn_flood_protection $chain $chain1 - jump_to_policy_chain - ;; - esac - fi - - progress_message " Policy $policy for $1 to $2 using chain $chain" - } - - eval chain1=\$${1}2${2}_policychain - - if [ -n "$chain1" ]; then - apply_default $1 $2 - else - fatal_error "No default policy for zone $1 to zone $2" - fi -} - -# -# Complete a standard chain -# -# - run any supplied user exit -# - search the policy file for an applicable policy and add rules as -# appropriate -# - If no applicable policy is found, add rules for an assummed -# policy of DROP INFO -# -complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone -{ - local policy= - local loglevel= - local policychain= - - run_user_exit $1 - - eval policychain=\$${2}2${3}_policychain - - if [ -n "$policychain" ]; then - eval policy=\$${policychain}_policy - eval loglevel=\$${policychain}_loglevel - - policy_rules $1 $policy $loglevel - else - policy_rules $1 DROP INFO - fi -} - -# -# Find the appropriate chain to pass packets from a source zone to a -# destination zone -# -# If the canonical chain for this zone pair exists, echo it's name; otherwise -# locate and echo the name of the appropriate policy chain -# -rules_chain() # $1 = source zone, $2 = destination zone -{ - local chain=${1}2${2} - - havechain $chain && { echo $chain; return; } - - [ "$1" = "$2" ] && { echo ACCEPT; return; } - - eval chain=\$${chain}_policychain - - [ -n "$chain" ] && { echo $chain; return; } - - fatal_error "No policy defined for zone $1 to zone $2" -} - -# -# echo the list of networks routed out of a given interface -# -get_routed_networks() # $1 = interface name -{ - local address - local rest - - ip route show dev $1 2> /dev/null | - while read address rest; do - if [ "x$address" = xdefault ]; then - error_message "Warning: default route ignored on interface $1" - else - [ "$address" = "${address%/*}" ] && address="${address}/32" - echo $address - fi - done -} - -# -# 
Set up Source NAT (including masquerading) -# -setup_masq() -{ - do_ipsec_options() { - local options="$(separate_list $ipsec)" option - policy="-m policy --pol ipsec --dir out" - - for option in $options; do - case $option in - [Yy]es) ;; - strict) policy="$policy --strict" ;; - next) policy="$policy --next" ;; - reqid=*) policy="$policy --reqid ${option#*=}" ;; - spi=*) policy="$policy --spi ${option#*=}" ;; - proto=*) policy="$policy --proto ${option#*=}" ;; - mode=*) policy="$policy --mode ${option#*=}" ;; - tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;; - tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;; - reqid!=*) policy="$policy ! --reqid ${option#*=}" ;; - spi!=*) policy="$policy ! --spi ${option#*=}" ;; - proto!=*) policy="$policy ! --proto ${option#*=}" ;; - mode!=*) policy="$policy ! --mode ${option#*=}" ;; - tunnel-src!=*) policy="$policy ! --tunnel-src ${option#*=}" ;; - tunnel-dst!=*) policy="$policy ! --tunnel-dst ${option#*=}" ;; - *) fatal_error "Invalid IPSEC option \"$option\"" ;; - esac - done - } - - setup_one() { - local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets= - - [ "x$ipsec" = x- ] && ipsec= - - case $ipsec in - Yes|yes) - [ -n "$POLICY_MATCH" ] || \ - fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables" - policy="-m policy --pol ipsec --dir out" - ;; - No|no) - [ -n "$POLICY_MATCH" ] || \ - fatal_error "IPSEC=No requires policy match support in your kernel and iptables" - policy="-m policy --pol none --dir out" - ;; - *) - if [ -n "$ipsec" ]; then - do_ipsec_options - elif [ -n "$POLICY_MATCH" ]; then - policy="-m policy --pol none --dir out" - fi - ;; - esac - - case $fullinterface in - +*) - pre_nat=Yes - fullinterface=${fullinterface#+} - ;; - esac - - case $fullinterface in - *::*) - add_snat_aliases= - destnets="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:*:*) - # Both alias name and networks - destnets="${fullinterface##*:}" - 
fullinterface="${fullinterface%:*}" - ;; - *:) - add_snat_aliases= - fullinterface=${fullinterface%:} - ;; - *:*) - # Alias name OR networks - case ${fullinterface#*:} in - *.*) - # It's a networks - destnets="${fullinterface#*:}" - fullinterface="${fullinterface%:*}" - ;; - *) - #it's an alias name - ;; - esac - ;; - *) - ;; - esac - - interface=${fullinterface%:*} - - if ! list_search $interface $ALL_INTERFACES; then - fatal_error "Unknown interface $interface" - fi - - if [ "$networks" = "${networks%!*}" ]; then - nomasq= - else - nomasq="${networks#*!}" - networks="${networks%!*}" - fi - - - source="$networks" - - case $source in - *.*.*) - ;; - *) - networks=$(get_routed_networks $networks) - [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" - networks="$networks" - ;; - esac - - [ "x$addresses" = x- ] && addresses= - - - - if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then - for address in $(separate_list $addresses); do - address=${address%:)} - if [ -n "$address" ]; then - for addr in $(ip_range_explicit ${address%:*}) ; do - if ! 
list_search $addr $aliases_to_add; then - [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface - aliases_to_add="$aliases_to_add $addr $fullinterface" - case $fullinterface in - *:*) - fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) - ;; - esac - fi - done - fi - done - fi - - [ "x$proto" = x- ] && proto= - [ "x$ports" = x- ] && ports= - - if [ -n "$proto" ]; then - - displayproto="($proto)" - - case $proto in - tcp|TCP|udp|UDP|6|17) - if [ -n "$ports" ]; then - displayproto="($proto $ports)" - - listcount=$(list_count $ports) - - if [ $listcount -gt 1 ]; then - case $ports in - *:*) - if [ -n "$XMULTIPORT" ]; then - if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then - ports="-m multiport --dports $ports" - else - fatal_error "More than 15 entries in port list ($ports)" - fi - else - fatal_error "Port Range not allowed in list ($ports)" - fi - ;; - *) - if [ -n "$MULTIPORT" ]; then - [ $listcount -le 15 ] || fatal_error "More than 15 entries in port list ($ports)" - ports="-m multiport --dports $ports" - else - fatal_error "Port Ranges require multiport match support in your kernel ($ports)" - fi - ;; - esac - else - ports="--dport $ports" - fi - fi - ;; - *) - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - ;; - esac - - proto="-p $proto" - else - displayproto="(all)" - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - fi - - destination=${destnets:=0.0.0.0/0} - - [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) - - case $destnets in - !*) - newchain=masq${masq_seq} - createnatchain $newchain - destnets=${destnets#!} - - for destnet in $(separate_list $destnets); do - addnatrule $newchain $(dest_ip_range $destnet) -j RETURN - done - - if [ -n "$networks" ]; then - for s in $networks; do - addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain - done - networks= - else - addnatrule $chain -j 
$newchain - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - destnets=0.0.0.0/0 - proto= - ports= - policy= - - if [ -n "$nomasq" ]; then - for addr in $(separate_list $nomasq); do - addnatrule $chain $(source_ip_range $addr) -j RETURN - done - source="$source except $nomasq" - fi - ;; - *) - if [ -n "$nomasq" ]; then - newchain=masq${masq_seq} - createnatchain $newchain - - if [ -n "$networks" ]; then - for s in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports -j $newchain - done - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain - done - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - networks= - destnets=0.0.0.0/0 - proto= - ports= - policy= - - for addr in $(separate_list $nomasq); do - addnatrule $chain $(source_ip_range $addr) -j RETURN - done - - source="$source except $nomasq" - fi - ;; - esac - - addrlist= - target=MASQUERADE - - if [ -n "$addresses" ]; then - case "$addresses" in - SAME:nodst:*) - target="SAME --nodst" - addresses=${addresses#SAME:nodst:} - for address in $(separate_list $addresses); do - addrlist="$addrlist --to $address"; - done - ;; - SAME:*) - target="SAME" - addresses=${addresses#SAME:} - for address in $(separate_list $addresses); do - addrlist="$addrlist --to $address"; - done - ;; - *) - for address in $(separate_list $addresses); do - case $address in - *.*.*.*) - target=SNAT - addrlist="$addrlist --to-source $address" - ;; - *) - addrlist="$addrlist --to-ports ${address#:}" - ;; - esac - done - ;; - esac - fi - - if [ -n "$networks" ]; then - for network in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message " To $destination $displayproto from $network through ${interface} using 
$addresses" - else - progress_message " To $destination $displayproto from $network through ${interface}" - fi - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message " To $destination $displayproto from $source through ${interface} using $addresses" - else - progress_message " To $destination $displayproto from $source through ${interface}" - fi - fi - - } - - strip_file masq $1 - - if [ -n "$NAT_ENABLED" ]; then - echo "Masqueraded Networks and Hosts:" - [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring Masquerading/SNAT..." - fi - - while read fullinterface networks addresses proto ports ipsec; do - expandv fullinterface networks addresses proto ports ipsec - [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" - done < $TMP_DIR/masq -} - -# -# Add a record to the blacklst chain -# -# $source = address match -# $proto = protocol selector -# $dport = destination port selector -# -add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) - fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition -} - -# -# Process a record from the blacklist file -# -# $networks = address/networks -# $protocol = Protocol Number/Name -# $port = Port Number/Name -# -process_blacklist_rec() { - local source - local addr - local proto - local dport - - for addr in $(separate_list $networks); do - case $addr in - ~*) - addr=$(echo $addr | sed 's/~//;s/-/:/g') - source="--match mac --mac-source $addr" - ;; - *) - source="$(source_ip_range $addr)" - ;; - esac - - if [ -n "$protocol" ]; then - proto=" -p $protocol " - - case $protocol in - tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then - if [ -n "$MULTIPORT" -a \ - "$ports" != "${ports%,*}" -a \ - "$ports" = 
"${ports%:*}" -a \ - $(list_count $ports) -le 15 ] - then - dport="-m multiport --dports $ports" - add_blacklist_rule - else - for dport in $(separate_list $ports); do - dport="--dport $dport" - add_blacklist_rule - done - fi - else - add_blacklist_rule - fi - ;; - icmp|ICMP|0) - if [ -n "$ports" ]; then - for dport in $(separate_list $ports); do - dport="--icmp-type $dport" - add_blacklist_rule - done - else - add_blacklist_rule - fi - ;; - *) - add_blacklist_rule - ;; - esac - else - add_blacklist_rule - fi - - if [ -n "$ports" ]; then - addr="$addr $protocol $ports" - elif [ -n "$protocol" ]; then - addr="$addr $protocol" - fi - - progress_message " $addr added to Black List" - done -} - -# -# Setup the Black List -# -setup_blacklist() { - local hosts="$(find_hosts_by_option blacklist)" - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - local ipsec policy - - if [ -n "$hosts" -a -f $f ]; then - echo "Setting up Blacklisting..." - - strip_file blacklist $f - - createchain blacklst no - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst - done - - [ $network = 0/0.0.0.0 ] && network= || network=":$network" - - progress_message " Blacklisting enabled on ${interface}${network}" - done - - [ "$disposition" = REJECT ] && disposition=reject - - if [ -z "$DELAYBLACKLISTLOAD" ]; then - while read networks protocol ports; do - expandv networks protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - fi - fi -} - -# -# Refresh the Black List -# -refresh_blacklist() { - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - - if qt $IPTABLES -L blacklst -n ; then - echo 
"Loading Black List..." - - strip_file blacklist $f - - [ "$disposition" = REJECT ] && disposition=reject - - run_iptables -F blacklst - - while read networks protocol ports; do - expandv networks protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - fi -} - -# -# Verify that kernel has netfilter support -# -verify_os_version() { - - osversion=$(uname -r) - - case $osversion in - 2.4.*|2.5.*|2.6.*) - ;; - *) - startup_error "Shorewall version $version does not work with kernel version $osversion" - ;; - esac - - [ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \ - startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8" -} - -# -# Add IP Aliases -# -add_ip_aliases() -{ - local addresses external interface inet cidr rest val - - address_details() - { - # - # Folks feel uneasy if they don't see all of the same - # decoration on these IP addresses that they see when their - # distro's net config tool adds them. In an attempt to reduce - # the anxiety level, we have the following code which sets - # the VLSM and BRD from an existing address in the same networks - # - # Get all of the lines that contain inet addresses with broadcast - # - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do - case $cidr in - */*) - if in_network $external $cidr; then - echo "/${cidr#*/} brd $(broadcastaddress $cidr)" - break - fi - ;; - esac - done - } - - do_one() - { - val=$(address_details) - - if [ -n "$RETAIN_ALIASES" ]; then - run_ip addr add ${external}${val} dev $interface $label - save_command qt ip addr add ${external}${val} dev $interface $label - else - ensure_and_save_command ip addr add ${external}${val} dev $interface $label - fi - - echo "$external $interface" >> ${STATEDIR}/nat - [ -n "$label" ] && label="with $label" - progress_message " IP Address $external added to interface $interface $label" - } - - set -- $aliases_to_add - - save_progress_message 
"Restoring IP Addresses..." - - while [ $# -gt 0 ]; do - external=$1 - interface=$2 - label= - - if [ "$interface" != "${interface%:*}" ]; then - label="${interface#*:}" - interface="${interface%:*}" - label="label $interface:$label" - fi - - shift;shift - - list_search $external $(find_interface_addresses $interface) || do_one - done -} - -# -# Load kernel modules required for Shorewall -# -load_kernel_modules() -{ - save_modules_dir=$MODULESDIR - - [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - modules=$(find_file modules) - - if [ -f $modules -a -d $MODULESDIR ]; then - progress_message "Loading Modules..." - . $modules - fi - - MODULESDIR=$save_modules_dir -} - -save_load_kernel_modules() -{ - - modules=$(find_file modules) - - save_progress_message "Loading kernel modules..." - save_command "reload_kernel_modules <<__EOF__" - - while read command; do - case "$command" in - loadmodule*) - save_command $command - ;; - esac - done < $modules - - save_command __EOF__ - save_command "" - -} - -# Verify that the 'ip' program is installed - -verify_ip() { - qt ip link ls ||\ - startup_error "Shorewall $version requires the iproute package ('ip' utility)" -} - -# -# Determine which optional facilities are supported by iptables/netfilter -# -determine_capabilities() { - qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= - qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= - - CONNTRACK_MATCH= - MULTIPORT= - XMULTIPORT= - POLICY_MATCH= - PHYSDEV_MATCH= - IPRANGE_MATCH= - RECENT_MATCH= - OWNER_MATCH= - - qt $IPTABLES -N fooX1234 - qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes - qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt 
$IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes - qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes - qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes - - if [ -n "$PKTTYPE" ]; then - qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= - fi - - qt $IPTABLES -F fooX1234 - qt $IPTABLES -X fooX1234 -} - -report_capability() # $1 = Capability Description , $2 Capability Setting (if any) -{ - local setting= - - [ "x$2" = "xYes" ] && setting="Available" || setting="Not available" - - echo " " $1: $setting -} - -report_capabilities() { - echo "Shorewall has detected the following iptables/netfilter capabilities:" - report_capability "NAT" $NAT_ENABLED - report_capability "Packet Mangling" $MANGLE_ENABLED - report_capability "Multi-port Match" $MULTIPORT - [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT - report_capability "Connection Tracking Match" $CONNTRACK_MATCH - report_capability "Packet Type Match" $PKTTYPE - report_capability "Policy Match" $POLICY_MATCH - report_capability "Physdev Match" $PHYSDEV_MATCH - report_capability "IP range Match" $IPRANGE_MATCH - report_capability "Recent Match" $RECENT_MATCH - report_capability "Owner Match" $OWNER_MATCH -} - -# -# Perform Initialization -# - Delete all old rules -# - Delete all user chains -# - Set the POLICY on all standard chains and add a rule to allow packets -# that are part of established connections -# - Determine the zones -# -initialize_netfilter () { - - report_capabilities - - if [ -n "$BRIDGING" ]; then - [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" - fi - - [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= - - if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL 
requires the Recent Match capability which is not present in your Kernel and/or iptables" - fi - - [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ - startup_error "RFC1918_STRICT=Yes requires Connection Tracking match" - - echo "Determining Zones..." - - determine_zones - check_duplicate_zones - - [ -z "$zones" ] && startup_error "No Zones Defined" - - display_list "Zones:" $zones - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Validating Policy file..." - - validate_policy - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - run_user_exit init - - # - # Some files might be large so strip them while the firewall is still running - # (restart command). This reduces the length of time that the firewall isn't - # accepting new connections. - # - - strip_file rules - strip_file proxyarp - strip_file maclist - strip_file nat - strip_file netmap - - echo "Pre-processing Actions..." - process_actions1 - - terminator=fatal_error - - deletechain shorewall - - [ -n "$NAT_ENABLED" ] && delete_nat - - delete_proxy_arp - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -F && \ - run_iptables -t mangle -X - - [ -n "$CLEAR_TC" ] && delete_tc - - echo "Deleting user chains..." - - exists_INPUT=Yes - exists_OUTPUT=Yes - exists_FORWARD=Yes - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - - run_user_exit continue - - f=$(find_file routestopped) - - echo "Processing $f ..." 
- - strip_file routestopped $f - - process_routestopped -A - - [ -n "$DISABLE_IPV6" ] && disable_ipv6 - - # - # Enable the Loopback interface for now - # - run_iptables -A INPUT -i lo -j ACCEPT - run_iptables -A OUTPUT -o lo -j ACCEPT - - # - # Allow DNS lookups during startup for FQDNs - # - - for chain in INPUT OUTPUT FORWARD; do - run_iptables -A $chain -p udp --dport 53 -j ACCEPT - [ -n "$DROPINVALID" ] && \ - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP - done - - if [ -n "$CLAMPMSS" ]; then - case $CLAMPMSS in - Yes) - option="--clamp-mss-to-pmtu" - ;; - *) - option="--set-mss $CLAMPMSS" - ;; - esac - - run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option - fi - - accounting_file=$(find_file accounting) - - [ -f $accounting_file ] && setup_accounting $accounting_file - - if [ -z "$NEWNOTSYN" ]; then - createchain newnotsyn no - - for host in $(find_hosts_by_option newnotsyn); do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -j RETURN - done - - run_user_exit newnotsyn - - if [ -n "$LOGNEWNOTSYN" ]; then - log_rule $LOGNEWNOTSYN newnotsyn DROP - fi - - run_iptables -A newnotsyn -j DROP - fi - - createchain icmpdef no - createchain reject no - createchain dynamic no - createchain smurfs no - - if [ -f /var/lib/shorewall/save ]; then - echo "Restoring dynamic rules..." 
- - if [ -f /var/lib/shorewall/save ]; then - while read target ignore1 ignore2 address rest; do - case $target in - DROP|reject) - run_iptables -A dynamic -s $address -j $target - ;; - *) - ;; - esac - done < /var/lib/shorewall/save - fi - fi - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - echo "Creating Interface Chains..." - - for interface in $ALL_INTERFACES; do - createchain $(forward_chain $interface) no - run_iptables -A $(forward_chain $interface) $state -j dynamic - createchain $(input_chain $interface) no - run_iptables -A $(input_chain $interface) $state -j dynamic - done -} - -# -# Construct zone-independent rules -# -add_common_rules() { - local savelogparms="$LOGPARMS" - local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" - - drop_broadcasts() { - for address in $broadcasts ; do - run_iptables -A reject -d $address -j DROP - done - } - - # - # Populate the smurf chain - # - for address in $broadcasts ; do - [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs $(source_ip_range $address) -j DROP - done - # - # Reject Rules -- Don't respond to broadcasts with an ICMP - # - if [ -n "$PKTTYPE" ]; then - qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP - if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - drop_broadcasts - fi - else - drop_broadcasts - fi - # - # Don't feed the smurfs - # - for address in $broadcasts ; do - run_iptables -A reject -s $address -j DROP - done - - run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset - run_iptables -A reject -p udp -j REJECT - # - # Not all versions of iptables support these so don't complain if they don't work - # - qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - if ! 
qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then - # - # In case the above doesn't work - # - run_iptables -A reject -j REJECT - fi - - # - # Create common action chains - # - for action in $USEDACTIONS; do - createactionchain $action - done - - run_user_exit initdone - - # - # Process Black List - # - setup_blacklist - - # - # SMURFS - # - hosts=$(find_hosts_by_option nosmurfs) - - if [ -n "$hosts" ]; then - - echo "Adding Anti-smurf Rules" - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs - done - done - fi - # - # DHCP - # - interfaces=$(find_interfaces_by_option dhcp) - - if [ -n "$interfaces" ]; then - - echo "Adding rules for DHCP" - - for interface in $interfaces; do - if [ -n "$BRIDGING" ]; then - eval is_bridge=\$$(chain_base $interface)_ports - [ -n "$is_bridge" ] && \ - $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT - fi - run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT - run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT - done - fi - # - # RFC 1918 - # - hosts="$(find_hosts_by_option norfc1918)" - - if [ -n "$hosts" ]; then - echo "Enabling RFC1918 Filtering" - - strip_file rfc1918 - - createchain norfc1918 no - - createchain rfc1918 no - - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP - - run_iptables -A rfc1918 -j DROP - - chain=norfc1918 - - if [ -n "$RFC1918_STRICT" ]; then - # - # We'll generate two chains - one for source and one for destination - # - chain=rfc1918d - createchain $chain no - elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then - # - # Mangling is enabled but conntrack match isn't available -- - # create a chain in the mangle table to 
filter RFC1918 destination - # addresses. This must be done in the mangle table before we apply - # any DNAT rules in the nat table - # - # Also add a chain to log and drop any RFC1918 packets that we find - # - run_iptables -t mangle -N man1918 - run_iptables -t mangle -N rfc1918 - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle - run_iptables -t mangle -A rfc1918 -j DROP - fi - - while read networks target; do - case $target in - logdrop) - target=rfc1918 - s_target=rfc1918 - ;; - DROP) - s_target=DROP - ;; - RETURN) - [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - for network in $(separate_list $networks); do - run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target - - if [ -n "$CONNTRACK_MATCH" ]; then - # - # We have connection tracking match -- match on the original destination - # - run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target - elif [ -n "$MANGLE_ENABLED" ]; then - # - # No connection tracking match but we have mangling -- add a rule to - # the mangle table - # - run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target - fi - done - done < $TMP_DIR/rfc1918 - - [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - networks=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) $policy -j norfc1918 - done - - [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 - done - fi - # - # Bogons - # - hosts="$(find_hosts_by_option nobogons)" - - if [ -n "$hosts" ]; then - echo "Enabling Bogon Filtering" - - strip_file bogons - - createchain 
nobogons no - - createchain bogons no - - log_rule $BOGON_LOG_LEVEL bogons DROP - - run_iptables -A bogons -j DROP - - while read networks target; do - case $target in - logdrop) - target=bogons - ;; - DROP|RETURN) - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - run_iptables2 -A nobogons $(source_ip_range $networks) -j $target - - done < $TMP_DIR/bogons - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons - done - done - - fi - - hosts=$(find_hosts_by_option tcpflags) - - if [ -n "$hosts" ]; then - echo "Setting up TCP Flags checking..." - - createchain tcpflags no - - if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then - createchain logflags no - - savelogparms="$LOGPARMS" - - [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ] || LOGPARMS="$LOGPARMS --log-ip-options" - - log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION - - LOGPARMS="$savelogparms" - - case $TCP_FLAGS_DISPOSITION in - REJECT) - run_iptables -A logflags -j REJECT --reject-with tcp-reset - ;; - *) - run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION - ;; - esac - - disposition="-j logflags" - else - disposition="-j $TCP_FLAGS_DISPOSITION" - fi - - run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition - run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition - run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition - # - # There are a lot of probes to ports 80, 3128 and 8080 that use a source - # port of 0. This catches them even if they are directed at an IP that - # hosts a web server. 
- # - run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -p tcp $(match_source_hosts $network) $policy -j tcpflags - done - done - fi - # - # ARP Filtering - # - save_progress_message "Restoring ARP filtering..." - - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter" - done - - interfaces=$(find_interfaces_by_option arp_filter) - - if [ -n "$interfaces" ]; then - echo "Setting up ARP Filtering..." - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/arp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set ARP filtering on $interface" - fi - done - fi - # - # Route Filtering - # - interfaces="$(find_interfaces_by_option routefilter)" - - if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then - echo "Setting up Kernel Route Filtering..." - - save_progress_message "Restoring Route Filtering..." 
- - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter" - done - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/rp_filter - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set route filtering on $interface" - fi - done - - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - - if [ -n "$ROUTE_FILTER" ]; then - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - fi - - run_and_save_command ip route flush cache - fi - - # - # Martian Logging - # - interfaces="$(find_interfaces_by_option logmartians)" - - if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then - echo "Setting up Martian Logging..." - - save_progress_message "Restoring Martian Logging..." - - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians" - done - - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/log_martians - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set Martian logging on $interface" - fi - done - - if [ -n "$LOG_MARTIANS" ]; then - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" - run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" - fi - - fi - - # - # Source Routing - # - save_progress_message "Restoring Accept Source Routing..." - - for f in /proc/sys/net/ipv4/conf/*; do - run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route" - done - - interfaces=$(find_interfaces_by_option sourceroute) - - if [ -n "$interfaces" ]; then - echo "Setting up Accept Source Routing..." 
- - for interface in $interfaces; do - file=/proc/sys/net/ipv4/conf/$interface/accept_source_route - if [ -f $file ]; then - run_and_save_command "echo 1 > $file" - else - error_message \ - "Warning: Cannot set Accept Source Routing on $interface" - fi - done - fi - - if [ -n "$DYNAMIC_ZONES" ]; then - echo "Setting up Dynamic Zone Chains..." - - for interface in $ALL_INTERFACES; do - for chain in $(dynamic_chains $interface); do - createchain $chain no - done - - chain=$(dynamic_in $interface) - createnatchain $chain - - run_iptables -A $(input_chain $interface) -j $chain - run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) - run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) - done - fi - # - # UPnP - # - interfaces=$(find_interfaces_by_option upnp) - - if [ -n "$interfaces" ]; then - echo "Setting up UPnP..." - - createnatchain UPnP - - for interface in $interfaces; do - run_iptables -t nat -A PREROUTING -i $interface -j UPnP - done - fi - - setup_forwarding -} - -# -# Scan the policy file defining the necessary chains -# Add the appropriate policy rule(s) to the end of each canonical chain -# -apply_policy_rules() { - # - # Create policy chains - # - for chain in $all_policy_chains; do - eval policy=\$${chain}_policy - eval loglevel=\$${chain}_loglevel - eval synparams=\$${chain}_synparams - - [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel - - if havechain $chain; then - [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - else - # - # The chain doesn't exist. 
Create the chain and add policy - # rules - # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # - createchain $chain yes - - # - # If either client or server is 'all' then this MUST be - # a policy chain and we must apply the appropriate policy rules - # - # Otherwise, this is a canonical chain which will be handled in - # the for loop below - # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - - [ -n "$synparams" ] && \ - [ $policy = ACCEPT -o $policy = CONTINUE ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - fi - - done - - # - # Add policy rules to canonical chains - # - for zone in $FW $zones; do - for zone1 in $FW $zones; do - chain=${zone}2${zone1} - if havechain $chain; then - run_user_exit $chain - default_policy $zone $zone1 - fi - done - done -} - -# -# Activate the rules -# -activate_rules() -{ - local PREROUTING_rule=1 - local POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain ; then - run_iptables2 -t nat -A $sourcechain $@ -j $destchain - else - [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - } - - # - # Jump to a RULES chain from one of the builtin nat chains. These jumps are - # are inserted before jumps to one-to-one NAT chains. 
- # - addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain; then - eval run_iptables2 -t nat -I $sourcechain \ - \$${sourcechain}_rule $@ -j $destchain - eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - else - [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - fi - } - - # - # Add jumps to early SNAT chains - # - for interface in $ALL_INTERFACES; do - addnatjump POSTROUTING $(snat_chain $interface) -o $interface - done - # - # Add jumps for dynamic nat chains - # - [ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do - addrulejump PREROUTING $(dynamic_in $interface) -i $interface - done - # - # Add jumps from the builtin chains to the nat chains - # - addnatjump PREROUTING nat_in - addnatjump POSTROUTING nat_out - - for interface in $ALL_INTERFACES; do - addnatjump PREROUTING $(input_chain $interface) -i $interface - addnatjump POSTROUTING $(output_chain $interface) -o $interface - done - - > ${STATEDIR}/chains - > ${STATEDIR}/zones - # - # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. 
- # - for zone in $zones; do - if eval test -n \"\$${zone}_is_complex\" ; then - frwd_chain=${zone}_frwd - createchain $frwd_chain No - - if [ -n "$POLICY_MATCH" ]; then - eval is_ipsec=\$${zone}_is_ipsec - - if [ -n "$is_ipsec" ]; then - eval source_hosts=\$${zone}_hosts - if [ -n "$DYNAMIC_ZONES" ]; then - createchain ${zone}_dyn No - run_iptables -A $frwd_chain -j ${zone}_dyn - fi - else - eval source_hosts=\$${zone}_ipsec_hosts - fi - - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain - done - fi - fi - done - - for zone in $zones; do - eval source_hosts=\$${zone}_hosts - - chain1=$(rules_chain $FW $zone) - chain2=$(rules_chain $zone $FW) - - eval complex=\$${zone}_is_complex - - [ -n "$complex" ] && frwd_chain=${zone}_frwd - - echo $zone $source_hosts >> ${STATEDIR}/zones - - if [ -n "$DYNAMIC_ZONES" ]; then - echo "$FW $zone $chain1" >> ${STATEDIR}/chains - echo "$zone $FW $chain2" >> ${STATEDIR}/chains - fi - - need_broadcast= - - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 - - # - # Add jumps from the builtin chains for DNAT and SNAT rules - # - addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) - addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) - - run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 - - if [ -n "$complex" ] && ! 
is_ipsec_host $zone $host ; then - run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain - fi - - case $networks in - *.*.*.*) - if [ "$networks" != 0.0.0.0/0 ]; then - if ! list_search $interface $need_broadcast ; then - interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface" - fi - fi - ;; - esac - done - - for interface in $need_broadcast ; do - run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1 - run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1 - done - - for zone1 in $zones; do - - eval policy=\$${zone}2${zone1}_policy - - [ "$policy" = NONE ] && continue - - eval dest_hosts=\$${zone1}_hosts - - chain="$(rules_chain $zone $zone1)" - - [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains - - if [ $zone = $zone1 ]; then - # - # Try not to generate superfluous intra-zone rules - # - eval routeback=\"\$${zone}_routeback\" - eval interfaces=\"\$${zone}_interfaces\" - eval ports="\$${zone}_ports" - - num_ifaces=$(list_count1 $interfaces) - # - # If the zone has a single interface then what matters is how many ports it has - # - [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) - # - # If we don't need to route back and if we have only one interface or one port to - # the zone then assume that hosts in the zone can communicate directly. 
- # - if [ $num_ifaces -lt 2 -a -z "$routeback" ] ; then - continue - fi - else - routeback= - num_ifaces=0 - fi - - if [ -n "$complex" ]; then - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - # - # Only generate an intrazone rule if the zone has more than one interface (port) or if - # routeback was specified for this host group - # - if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then - run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain - fi - done - else - for host in $source_hosts; do - interface=${host%%:*} - networks=${host#*:} - - chain1=$(forward_chain $interface) - - for host1 in $dest_hosts; do - interface1=${host1%%:*} - networks1=${host1#*:} - - if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain - fi - done - done - fi - done - done - - for interface in $ALL_INTERFACES ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) - run_iptables -A INPUT -i $interface -j $(input_chain $interface) - addnatjump POSTROUTING $(masq_chain $interface) -o $interface - # - # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev. - # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports. - # - eval ports=\$$(chain_base $interface)_ports - for port in $ports; do - run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT - done - done - - chain=${FW}2${FW} - - if havechain $chain; then - # - # There is a fw->fw chain. 
Send loopback output through that chain - # - run_ip link ls | grep LOOPBACK | while read ordinal interface rest ; do - run_iptables -A OUTPUT -o ${interface%:*} -j $chain - done - # - # And delete the unconditional ACCEPT rule - # - run_iptables -D OUTPUT -o lo -j ACCEPT - fi - - complete_standard_chain INPUT all $FW - complete_standard_chain OUTPUT $FW all - complete_standard_chain FORWARD all all - # - # Remove rules added to keep the firewall alive during [re]start" - # - for chain in INPUT OUTPUT FORWARD; do - run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT - run_iptables -D $chain -p udp --dport 53 -j ACCEPT - done - - process_routestopped -D - - if [ -n "$LOGALLNEW" ]; then - for table in mangle nat filter; do - case $table in - mangle) - chains="PREROUTING INPUT FORWARD POSTROUTING" - ;; - nat) - chains="PREROUTING POSTROUTING OUTPUT" - ;; - *) - chains="INPUT FORWARD OUTPUT" - ;; - esac - - for chain in $chains; do - log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table - done - done - fi -} - -# -# Check for disabled startup -# -check_disabled_startup() { - if [ -z "$STARTUP_ENABLED" ]; then - echo " Shorewall Startup is disabled -- to enable startup" - echo " after you have completed Shorewall configuration," - echo " change the setting of STARTUP_ENABLED to Yes in" - echo " /etc/shorewall/shorewall.conf" - - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2 - fi -} - -# -# Start/Restart the Firewall -# -define_firewall() # $1 = Command (Start or Restart) -{ - check_disabled_startup - - echo "${1}ing Shorewall..." 
- - verify_os_version - verify_ip - - [ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; } - - RESTOREBASE=$(mktempfile /var/lib/shorewall) - - [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall" - - echo '#bin/sh' >> $RESTOREBASE - save_command "#" - save_command "# Restore base file generated by Shorewall $version - $(date)" - save_command "#" - save_command ". /usr/share/shorewall/functions" - - f=$(find_file params) - - [ -f $f ] && \ - save_command ". $f" - - save_command "#" - save_command "MODULESDIR=\"$MODULESDIR\"" - save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" - - save_load_kernel_modules - - echo "Initializing..."; initialize_netfilter - echo "Configuring Proxy ARP"; setup_proxy_arp - echo "Setting up NAT..."; setup_nat - echo "Setting up NETMAP..."; setup_netmap - echo "Adding Common Rules"; add_common_rules - - tunnels=$(find_file tunnels) - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels - - ipsecfile=$(find_file ipsec) - [ -f $ipsecfile ] && \ - echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile - - maclist_hosts=$(find_hosts_by_option maclist) - [ -n "$maclist_hosts" ] && setup_mac_lists - - echo "Processing $(find_file rules)..."; process_rules - echo "Processing Actions..."; process_actions2 - process_actions3 - echo "Processing $(find_file policy)..."; apply_policy_rules - - masq=$(find_file masq) - [ -f $masq ] && setup_masq $masq - - tos=$(find_file tos) - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos - - ecn=$(find_file ecn) - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - - [ -n "$TC_ENABLED" ] && setup_tc - - echo "Activating Rules..."; activate_rules - - [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && add_ip_aliases - - for file in chains nat proxyarp zones; do - append_file $file - done - - save_progress_message "Restoring Netfilter Configuration..." 
- - save_command 'iptables-restore << __EOF__' - - # 'shorewall save' appends the iptables-save output and '__EOF__' - - mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$ - - > $RESTOREBASE - - save_command "#" - save_command "# Restore tail file generated by Shorewall $version - $(date)" - save_command "#" - save_command "date > $STATEDIR/restarted" - - run_user_exit start - - [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist - - createchain shorewall no - - date > $STATEDIR/restarted - - report "Shorewall ${1}ed" - - rm -rf $TMP_DIR - - mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base - mv -f $RESTOREBASE /var/lib/shorewall/restore-tail - - run_user_exit started -} - -# -# Refresh the firewall -# -refresh_firewall() -{ - echo "Refreshing Shorewall..." - - echo "Determining Zones and Interfaces..." - - determine_zones - - validate_interfaces_file - - [ -z "$zones" ] && startup_error "No Zones Defined" - - determine_interfaces - - run_user_exit refresh - - # - # Blacklist - # - refresh_blacklist - - ecn=$(find_file ecn) - - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - # - # Refresh Traffic Control - # - [ -n "$TC_ENABLED" ] && refresh_tc - - report "Shorewall Refreshed" - - rm -rf $TMP_DIR -} - -# -# Add a host or networks to a zone -# -add_to_zone() # $1...${n-1} = [:] $n = zone -{ - local interface host zone z h z1 z2 chain - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts hostlist= - - nat_chain_exists() # $1 = chain name - { - qt $IPTABLES -t nat -L $1 -n - } - - do_iptables() # $@ = command - { - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! 
$IPTABLES $@ ; then - error_message "Can't add $newhost to zone $zone" - fi - } - - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file ipsec) - - [ -f $f ] && setup_ipsec $f - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" - # - # Check for duplicates and create a new zone state file - # - > ${STATEDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - for h in $hosts; do - for host in $hostlist; do - if [ "$h" = "$host" ]; then - rm -f ${STATEDIR}/zones_$$ - startup_error "$host already in zone $zone" - fi - done - done - - [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts $hostlist" - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - - terminator=fatal_error - # - # Create a new Zone state file - # - for newhost in $hostlist; do - # - 
# Isolate interface and host parts - # - interface=${newhost%%:*} - host=${newhost#*:} - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $newhost ; then - do_iptables -A $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain for the interface - # - do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - do_iptables -A ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - else - do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain - fi - fi - done - fi - fi - done < 
${STATEDIR}/chains - - progress_message "$newhost added to zone $zone" - - done - - rm -rf $TMP_DIR -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - local interface host zone z h z1 z2 chain delhost - local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts hostlist= - - # - # Load $zones - # - determine_zones - # - # Validate Interfaces File - # - validate_interfaces_file - # - # Validate Hosts File - # - validate_hosts_file - # - # Validate IPSec File - # - f=$(find_file ipsec) - - [ -f $f ] && setup_ipsec $f - - # - # Normalize host list - # - while [ $# -gt 1 ]; do - interface=${1%%:*} - host=${1#*:} - # - # Be sure that the interface was dynamic at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - - if [ -z "$host" ]; then - hostlist="$hostlist $interface:0.0.0.0/0" - else - for h in $(separate_list $host); do - hostlist="$hostlist $interface:$h" - done - fi - - shift - done - # - # Validate Zone - # - zone=$1 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" - - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" - # - # Delete the passed hosts from the zone state file - # - > ${STATEDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - temp=$hosts - hosts= - - for host in $hostlist; do - found= - for h in $temp; do - if [ "$h" = "$host" ]; then - found=Yes - break - fi - done - - [ -n "$found" ] || error_message 
"Warning: $1 does not appear to be in zone $2" - done - - for h in $temp; do - found= - for host in $hostlist; do - if [ "$h" = "$host" ]; then - found=Yes - break - fi - done - - [ -n "$found" ] || hosts="$hosts $h" - done - fi - - eval ${z}_hosts=\"$hosts\" - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - - terminator=fatal_error - - for delhost in $hostlist; do - interface=${delhost%%:*} - host=${delhost#*:} - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain - else - source_chain=$(dynamic_fwd $interface) - if is_ipsec_host $z1 $delhost ; then - qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd - else - eval dest_hosts=\"\$${z2}_hosts\" - - [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" - - for h in $dest_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain - fi - done - fi - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - if is_ipsec_host $z1 $h; then - qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) 
-j $chain - else - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain - fi - fi - done - fi - fi - done < ${STATEDIR}/chains - - progress_message "$delhost removed from zone $zone" - - done - - rm -rf $TMP_DIR -} - -# -# Determine the value for a parameter that defaults to Yes -# -added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "Yes" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Determine the value for a parameter that defaults to No -# -added_param_value_no() # $1 = Parameter Name, $2 = Parameter value -{ - local val="$2" - - if [ -z "$val" ]; then - echo "" - else case $val in - [Yy][Ee][Ss]) - echo "Yes" - ;; - [Nn][Oo]) - echo "" - ;; - *) - startup_error "Invalid value ($val) for $1" - ;; - esac - fi -} - -# -# Initialize this program -# -do_initialize() { - - # Run all utility programs using the C locale - # - # Thanks to Vincent Planchenault for this tip # - - export LC_ALL=C - - # Make sure umask is sane - umask 177 - - PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - # - # Establish termination function - # - terminator=startup_error - # - # Clear all configuration variables - # - version= - IPTABLES= - FW= - SUBSYSLOCK= - STATEDIR= - ALLOWRELATED=Yes - LOGRATE= - LOGBURST= - LOGPARMS= - LOGLIMIT= - ADD_IP_ALIASES= - ADD_SNAT_ALIASES= - TC_ENABLED= - BLACKLIST_DISPOSITION= - BLACKLIST_LOGLEVEL= - CLAMPMSS= - ROUTE_FILTER= - LOG_MARTIANS= - DETECT_DNAT_IPADDRS= - MUTEX_TIMEOUT= - NEWNOTSYN= - LOGNEWNOTSYN= - FORWARDPING= - MACLIST_DISPOSITION= - MACLIST_LOG_LEVEL= - TCP_FLAGS_DISPOSITION= - TCP_FLAGS_LOG_LEVEL= - RFC1918_LOG_LEVEL= - BOGON_LOG_LEVEL= - MARK_IN_FORWARD_CHAIN= - SHARED_DIR=/usr/share/shorewall - FUNCTIONS= - VERSION_FILE= - LOGFORMAT= - 
LOGRULENUMBERS= - ADMINISABSENTMINDED= - BLACKLISTNEWONLY= - MODULE_SUFFIX= - ACTIONS= - USEDACTIONS= - SMURF_LOG_LEVEL= - DISABLE_IPV6= - BRIDGING= - DYNAMIC_ZONES= - PKTTYPE= - RETAIN_ALIASES= - DELAYBLACKLISTLOAD= - LOGTAGONLY= - LOGALLNEW= - DROPINVALID= - RFC1918_STRICT= - MACLIST_TTL= - - RESTOREBASE= - TMP_DIR= - ALL_INTERFACES= - - stopping= - have_mutex= - masq_seq=1 - nonat_seq=1 - aliases_to_add= - - FUNCTIONS=$SHARED_DIR/functions - - if [ -f $FUNCTIONS ]; then - [ -n "$QUIET" ] || echo "Loading $FUNCTIONS..." - . $FUNCTIONS - else - startup_error "$FUNCTIONS does not exist!" - fi - - TMP_DIR=$(mktempdir) - - [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \ - startup_error "Can't create a temporary directory" - - trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - - ensure_config_path - - VERSION_FILE=$SHARED_DIR/version - - [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE) - - run_user_exit params - - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - [ -n "$QUIET" ] || echo "Processing $config..." - . $config - else - echo " ERROR: Cannot read $config (Hint: Are you root?)" - exit 2 - fi - else - echo "$config does not exist!" >&2 - exit 2 - fi - # - # Restore CONFIG_PATH if the shorewall.conf file cleared it - # - ensure_config_path - # - # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to accurately determine - # capabilities when module autoloading isn't enabled. 
- # - - [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" - load_kernel_modules - - if [ -z "$IPTABLES" ]; then - IPTABLES=$(which iptables 2> /dev/null) - - [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" - else - [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" - fi - - PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) # Used in determine_capabilities - - determine_capabilities - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - [ -z "$FW" ] && FW=fw - - ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" - [ -n "$ALLOWRELATED" ] || \ - startup_error "ALLOWRELATED=No is not supported" - ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" - TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)" - - if [ -n "${LOGRATE}${LOGBURST}" ]; then - LOGLIMIT="--match limit" - [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" - [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" - fi - - if [ -n "$IP_FORWARDING" ]; then - case "$IP_FORWARDING" in - [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) - ;; - *) - startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" - ;; - esac - else - IP_FORWARDING=On - fi - - if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then - startup_error "Traffic Control requires Mangle" - fi - - [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP - - case "$CLAMPMSS" in - [0-9]*) - ;; - *) - CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) - ;; - esac - - ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) - ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) - LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) - DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) - FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) - [ -n "$FORWARDPING" ] && \ - 
startup_error "FORWARDPING=Yes is no longer supported" - - NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN) - - maclist_target=reject - - if [ -n "$MACLIST_DISPOSITION" ] ; then - case $MACLIST_DISPOSITION in - REJECT) - ;; - DROP) - maclist_target=DROP - ;; - ACCEPT) - maclist_target=RETURN - ;; - *) - startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" - ;; - esac - else - MACLIST_DISPOSITION=REJECT - fi - - if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then - case $TCP_FLAGS_DISPOSITION in - REJECT|ACCEPT|DROP) - ;; - *) - startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" - ;; - esac - else - TCP_FLAGS_DISPOSITION=DROP - fi - - [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info - [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info - - MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) - [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre - if [ -n "$TC_ENABLED" ]; then - CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) - else - CLEAR_TC= - fi - - if [ -n "$LOGFORMAT" ]; then - if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then - LOGRULENUMBERS=Yes - temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) - if [ $? -ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - else - temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) - if [ $? 
-ne 0 ]; then - startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" - fi - fi - - [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" - else - LOGFORMAT="Shorewall:%s:%s:" - fi - ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) - BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) - DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) - BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) - DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) - STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) - RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) - DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) - LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) - DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) - RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts - # - # Check out the user's shell - # - [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh - - temp=$(decodeaddr 192.168.1.1) - if [ $(encodeaddr $temp) != 192.168.1.1 ]; then - startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" - fi - - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange -} - -# -# Give Usage Information -# -usage() { - echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}" - exit 1 -} - -# -# E X E C U T I O N B E G I N S H E R E -# -# -# Start trace if first arg is "debug" -# -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } - -nolock= - -[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; } - -trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9 - -COMMAND="$1" - -case "$COMMAND" in - stop) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - # - # Don't want to do a 'stop' 
when startup is disabled - # - check_disabled_startup - echo -n "Stopping Shorewall..." - stop_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." - my_mutex_off - ;; - - start) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt $IPTABLES -L shorewall -n ; then - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - echo "Shorewall Already Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 0; - fi - define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off - ;; - - restart) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if qt $IPTABLES -L shorewall -n ; then - define_firewall "Restart" - else - echo "Shorewall Not Currently Running" - define_firewall "Start" - fi - - [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - my_mutex_off - ;; - - status) - [ $# -ne 1 ] && usage - echo "Shorewall-$version Status at $HOSTNAME - $(date)" - echo - $IPTABLES -L -n -v - ;; - - reset) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! qt $IPTABLES -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - $IPTABLES -Z - $IPTABLES -t nat -Z - $IPTABLES -t mangle -Z - report "Shorewall Counters Reset" - date > $STATEDIR/restarted - my_mutex_off - ;; - - refresh) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - if ! qt $IPTABLES -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - refresh_firewall; - my_mutex_off - ;; - - clear) - [ $# -ne 1 ] && usage - do_initialize - my_mutex_on - echo -n "Clearing Shorewall..." - clear_firewall - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - echo "done." - my_mutex_off - ;; - - check) - [ $# -ne 1 ] && usage - do_initialize - check_config - ;; - - add) - [ $# -lt 3 ] && usage - do_initialize - my_mutex_on - if ! 
qt $IPTABLES -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - shift - add_to_zone $@ - my_mutex_off - ;; - - delete) - [ $# -lt 3 ] && usage - do_initialize - my_mutex_on - if ! qt $IPTABLES -L shorewall -n ; then - echo "Shorewall Not Started" - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - my_mutex_off - exit 2; - fi - shift - delete_from_zone $@ - my_mutex_off - ;; - - call) - # - # Undocumented way to call functions in /usr/share/shorewall/firewall directly - # - shift; - do_initialize - EMPTY= - $@ - ;; - capabilities) - do_initialize - report_capabilities - ;; - *) - usage - ;; - -esac diff --git a/Lrp2/usr/share/shorewall/functions b/Lrp2/usr/share/shorewall/functions deleted file mode 100644 index f2db68cc0..000000000 --- a/Lrp2/usr/share/shorewall/functions +++ /dev/null 
@@ -1,811 +0,0 @@ -#!/bin/sh -# -# Shorewall 2.2 -- /usr/share/shorewall/functions - -# Function to truncate a string -- It uses 'cut -b -' -# rather than ${v:first:last} because light-weight shells like ash and -# dash do not support that form of expansion. -# - -truncate() # $1 = length -{ - cut -b -${1} -} - -# -# Split a colon-separated list into a space-separated list -# -split() { - local ifs=$IFS - IFS=: - set -- $1 - echo $* - IFS=$ifs -} - -# -# Search a list looking for a match -- returns zero if a match found -# 1 otherwise -# -list_search() # $1 = element to search for , $2-$n = list -{ - local e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - [ -n "$QUIET" ] || echo "$@" -} - -# -# Suppress all output for a command -# -qt() -{ - "$@" >/dev/null 2>&1 -} - -# -# Perform variable substitution on the passed argument and echo the result -# -expand() # $@ = contents of variable which may be the name of another variable -{ - eval echo \"$@\" -} - -# -# Perform variable substitition on the values of the passed list of variables -# -expandv() # $* = list of variable names -{ - local varval - - while [ $# -gt 0 ]; do - eval varval=\$${1} - eval $1=\"$varval\" - shift - done -} - -# -# Replace all leading "!" with "! " in the passed argument list -# - -fix_bang() { - local i; - - for i in $@; do - case $i in - !*) - echo "! ${i#!}" - ;; - *) - echo $i - ;; - esac - done -} - -# -# Set default config path -# -ensure_config_path() { - local F=/usr/share/shorewall/configpath - if [ -z "$CONFIG_PATH" ]; then - [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } - . 
$F - fi -} - -# -# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall -# -find_file() -{ - local saveifs= directory - - case $1 in - /*) - echo $1 - ;; - *) - if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then - echo $SHOREWALL_DIR/$1 - else - saveifs=$IFS - IFS=: - for directory in $CONFIG_PATH; do - if [ -f $directory/$1 ]; then - echo $directory/$1 - IFS=$saveifs - return - fi - done - - IFS=$saveifs - - echo /etc/shorewall/$1 - fi - ;; - esac -} - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - local part - local newlist - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'terminator' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - case "$@" in - *,|,*|*,,*|*[[:space:]]*) - [ -n "$terminator" ] && \ - $terminator "Invalid comma-separated list \"$@\"" - echo "Warning -- invalid comma-separated list \"$@\"" >&2 - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Load a Kernel Module -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename=$1 - local modulefile - local suffix - moduleloader=modprobe - - if ! 
qt which modprobe; then - moduleloader=insmod - fi - - if [ -z "$(lsmod | grep $modulename)" ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - modulefile=$MODULESDIR/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - - return - fi - done - fi -} - -# -# Reload the Modules -# -reload_kernel_modules() { - - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - while read command; do - eval $command - done - -} - -# -# Find the zones -# -find_zones() # $1 = name of the zone file -{ - while read zone display comments; do - [ -n "$zone" ] && case "$zone" in - [0-9*]) - echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2 - ;; - \#*) - ;; - $FW|all|none) - echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2 - ;; - *) - echo $zone - ;; - esac - done < $1 -} - -find_display() # $1 = zone, $2 = name of the zone file -{ - grep ^$1 $2 | while read z display comments; do - [ "x$1" = "x$z" ] && echo $display - done -} -# -# This function assumes that the TMP_DIR variable is set and that -# its value named an existing directory. -# -determine_zones() -{ - local zonefile=$(find_file zones) - - multi_display=Multi-zone - strip_file zones $zonefile - zones=$(find_zones $TMP_DIR/zones) - newzones= - - for zone in $zones; do - dsply=$(find_display $zone $TMP_DIR/zones) - [ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2 - eval ${zone}_display=\$dsply - newzones="$newzones $zone" - done - - zones=${newzones# } -} - -# -# The following functions may be used by apps that wish to ensure that -# the state of Shorewall isn't changing -# -# This function loads the STATEDIR variable (directory where Shorewall is to -# store state files). 
If your application supports alternate Shorewall -# configurations then the name of the alternate configuration directory should -# be in $SHOREWALL_DIR at the time of the call. -# -# If the shorewall.conf file does not exist, this function does not return -# -get_statedir() -{ - MUTEX_TIMEOUT= - - local config=$(find_file shorewall.conf) - - if [ -f $config ]; then - . $config - else - echo "/etc/shorewall/shorewall.conf does not exist!" >&2 - exit 2 - fi - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -} - -# -# Call this function to assert MUTEX with Shorewall. If you invoke the -# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" -# -# This function uses the lockfile utility from procmail if it exists. -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the -# behavior of lockfile. -# -mutex_on() -{ - local try=0 - local lockf=$STATEDIR/lock - - MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} - - if [ $MUTEX_TIMEOUT -gt 0 ]; then - - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - if qt which lockfile; then - lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} - else - while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do - sleep 1 - try=$((${try} + 1)) - done - - if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then - # Create the lockfile - echo $$ > ${lockf} - else - echo "Giving up on lock file ${lockf}" >&2 - fi - fi - fi -} - -# -# Call this function to release MUTEX -# -mutex_off() -{ - rm -f $STATEDIR/lock -} - -# -# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: -# -# None - No mktemp -# BSD - BSD mktemp (Mandrake) -# STD - mktemp.org mktemp -# -find_mktemp() { - local mktemp=`which mktemp 2> /dev/null` - - if [ -n "$mktemp" ]; then - if qt mktemp -V ; then - MKTEMP=STD - else - MKTEMP=BSD - fi - else - MKTEMP=None - fi -} - -# -# create a temporary file. If a directory name is passed, the file will be created in -# that directory. 
Otherwise, it will be created in a temporary directory. -# -mktempfile() { - - [ -z "$MKTEMP" ] && find_mktemp - - if [ $# -gt 0 ]; then - case "$MKTEMP" in - BSD) - mktemp $1/shorewall.XXXXXX - ;; - STD) - mktemp -p $1 shorewall.XXXXXX - ;; - None) - > $1/shorewall-$$ && echo $1/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" >&2 - ;; - esac - else - case "$MKTEMP" in - BSD) - mktemp /tmp/shorewall.XXXXXX - ;; - STD) - mktemp -t shorewall.XXXXXX - ;; - None) - rm -f /tmp/shorewall-$$ - > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" >&2 - ;; - esac - fi -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempdir" >&2 - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$terminator" ] && $terminator "No such file: $1" - echo "Warning -- No such file: $1" - fi -} - -# -# Function for including one file into another -# -INCLUDE() { - . 
$(find_file $(expand $@)) -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi -} - -# -# Note: The following set of IP address manipulation functions have anomalous -# behavior when the shell only supports 32-bit signed arithmatic and -# the IP address is 128.0.0.0 or 128.0.0.1. -# -# -# So that emacs doesn't get lost, we use $LEFTSHIFT rather than << -# -LEFTSHIFT='<<' - -# -# Convert an IP address in dot quad format to an integer -# -decodeaddr() { - local x - local temp=0 - local ifs=$IFS - - IFS=. - - for x in $1; do - temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) - done - - echo $temp - - IFS=$ifs -} - -# -# convert an integer to dot quad format -# -encodeaddr() { - addr=$1 - local x - local y=$(($addr & 255)) - - for x in 1 2 3 ; do - addr=$(($addr >> 8)) - y=$(($addr & 255)).$y - done - - echo $y -} - -# -# Enumerate the members of an IP range -- When using a shell supporting only -# 32-bit signed arithmetic, the range cannot span 128.0.0.0. -# -# Comes in two flavors: -# -# ip_range() - produces a mimimal list of network/host addresses that spans -# the range. -# -# ip_range_explicit() - explicitly enumerates the range. 
-# -ip_range() { - local first last l x y z vlsm - - case $1 in - !*) - # - # Let iptables complain if it's a range - # - echo $1 - return - ;; - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - l=$(( $last + 1 )) - - while [ $first -le $last ]; do - vlsm= - x=31 - y=2 - z=1 - - while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do - vlsm=/$x - x=$(( $x - 1 )) - z=$y - y=$(( $y * 2 )) - done - - echo $(encodeaddr $first)$vlsm - first=$(($first + $z)) - done -} - -ip_range_explicit() { - local first last - - case $1 in - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - while [ $first -le $last ]; do - echo $(encodeaddr $first) - first=$(($first + 1)) - done -} - -# -# Netmask from CIDR -# -ip_netmask() { - local vlsm=${1#*/} - - [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) -} - -# -# Network address from CIDR -# -ip_network() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - - echo $(encodeaddr $(($decodedaddr & $netmask))) -} - -# -# The following hack is supplied to compensate for the fact that many of -# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
-# - -ip_broadcast() { - local x=$(( 32 - ${1#*/} )) - - [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) -} - -# -# Calculate broadcast address from CIDR -# -broadcastaddress() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - local broadcast=$(ip_broadcast $1) - - echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) -} - -# -# Test for network membership -# -in_network() # $1 = IP address, $2 = CIDR network -{ - local netmask=$(ip_netmask $2) - - test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask )) -} - -# -# Netmask to VLSM -# -ip_vlsm() { - local mask=$(decodeaddr $1) - local vlsm=0 - local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000 - - while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. - vlsm=$(($vlsm + 1)) - done - - if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff - echo "Invalid net mask: $1" >&2 - else - echo $vlsm - fi -} - - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). 
-# -chain_base() #$1 = interface -{ - local c=${1%%+} - - while true; do - case $c in - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *%*) - c="${c%\%*}_${c##*%}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern=${1%+} - - case $1 in - *+) - test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route ls | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - -# -# Find the default route's interface -# -find_default_interface() { - ip route ls | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev="$(find_rt_interface $1)" - local first rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' -} diff --git a/Lrp2/usr/share/shorewall/help b/Lrp2/usr/share/shorewall/help deleted file mode 100755 index 1ec86f6c0..000000000 --- a/Lrp2/usr/share/shorewall/help +++ /dev/null 
@@ -1,331 +0,0 @@ -#!/bin/sh -# -# Shorewall help subsystem - V2.2 -# -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net) -# Steve Herber (herber@thing.com) -# -# This file should be placed in /usr/share/shorewall/help -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -################################################################################## - -case $1 in - -add) - echo "add: add [:] ... - Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. - - shorewall add interface:host-list ... zone - Adds the specified interface - (and host-list if included) to the specified zone. - - A host-list is a comma-separated list whose elements are: - - A host or network address - The name of a bridge port - The name of a bridge port followed by a colon (":") and a host or - network address. - - Example: - - shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 - from interface ipsec0 to the zone vpn1. - - See also \"help host\"" - ;; - -address|host) - echo "<$1>: - May be either a host IP address such as 192.168.1.4 or a network address in - CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange - match support then IP address ranges of the form - - are also permitted." 
- ;; - -allow) - echo "allow: allow
... - Re-enables receipt of packets from hosts previously blacklisted - by a drop or reject command. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -check) - echo "check: check [ ] - Performs a cursory validation of the zones, interfaces, hosts, - rules and policy files. Use this if you are unsure of any edits - you have made to the shorewall configuration. See the try command - examples for a recommended way to make changes." - ;; - -clear) - echo "clear: clear - Clear will remove all rules and chains installed by Shoreline. - The firewall is then wide open and unprotected. Existing - connections are untouched. Clear is often used to see if the - firewall is causing connection problems." - ;; - -debug) - echo "debug: debug - If you include the keyword debug as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall debug start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'trace' is a synonym for 'debug'." - ;; - -delete) - echo "delete: delete [:] ... - Deletes a list of hosts or networks from a dynamic zone usually used with VPN's. - - shorewall delete interface[:host-list] ... zone - Deletes the specified - interfaces (and host list if included) from the specified zone. - - A host-list is a comma-separated list whose elements are: - - A host or network address - The name of a bridge port - The name of a bridge port followed by a colon (":") and a host or - network address. - - Example: - - shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address - 192.0.2.24 from interface ipsec0 from zone vpn1 - - See also \"help host\"" - ;; - -drop) - echo "$1: $1
... - Causes packets from the specified
to be ignored - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -forget) - echo "forget: forget [ ] - Deletes /var/lib/shorewall/. If no is given then - the file specified by RESTOREFILE in shorewall.conf is removed. - - See also \"help save\"" - ;; - -help) - echo "help: help [ | host | address ] - Display helpful information about the shorewall commands." - ;; - -hits) - echo "hits: hits - Produces several reports about the Shorewall packet log messages - in the current /var/log/messages file." - ;; - -ipcalc) - echo "ipcalc: ipcalc [ address mask | address/vlsm ] - Ipcalc displays the network address, broadcast address, - network in CIDR notation and netmask corresponding to the input[s]." - ;; - -iprange) - echo "iprange: iprange address1-address2 - Iprange decomposes the specified range of IP addresses into the - equivalent list of network/host addresses." - ;; - -logwatch) - echo "logwatch: logwatch [] - Monitors the LOGFILE, $LOGFILE, - and produces an audible alarm when new Shorewall messages are logged." - ;; - -monitor) - echo "monitor: monitor [] - - shorewall [-x] monitor [] - - Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -refresh) - echo "refresh: [ -q ] refresh - The rules involving the broadcast addresses of firewall interfaces, - the black list, traffic control rules and ECN control rules are recreated - to reflect any changes made. Existing connections are untouched - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -reject) - echo "$1: $1
... - Causes packets from the specified
to be rejected - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -reset) - echo "reset: reset - All the packet and byte counters in the firewall are reset." - ;; - -restart) - echo "restart: [ -q ] restart [ ] - Restart is the same as a shorewall stop && shorewall start. - Existing connections are maintained. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -restore) - echo "restore: restore [ ] - Restore Shorewall to a state saved using the 'save' command - Existing connections are maintained. The names a restore file in - /var/lib/shorewall created using "shorewall save"; if no is given - then Shorewall will be restored from the file specified by the RESTOREFILE - option in shorewall.conf. - - See also \"help save\" and \"help forget\"" - ;; - -save) - echo "save: save [ ] - The dynamic data is stored in /var/lib/shorewall/save. The state of the - firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' - and 'shorewall -f start' commands. If is not given then the state is saved - in the file specified by the RESTOREFILE option in shorewall.conf. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help restore\" and \"help forget\"" - ;; - -show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos|zones] - - shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). - (iptables -L chain -n -v) - - shorewall [-x] show nat - produce a verbose report about the nat table. - (iptables -t nat -L -n -v) - - shorewall [-x] show tos - produce a verbose report about the mangle table. - (iptables -t mangle -L -n -v) - - shorewall show log - display the last 20 packet log entries. - - shorewall show connections - displays the IP connections currently - being tracked by the firewall. 
- - shorewall show tc - displays information about the traffic - control/shaping configuration. - - shorewall show zones - displays the contents of all zones. - - shorewall show capabilities - displays your kernel/iptables capabilities - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -start) - echo "start: [ -q ] [ -f ] start [ ] - Start shorewall. Existing connections through shorewall managed - interfaces are untouched. New connections will be allowed only - if they are allowed by the firewall rules or policies. - If \"-q\" is specified, less detail is displayed making it easier to spot warnings - If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option - in shorewall.conf will be restored if that saved configuration exists. In that - case, a may not be specified". - ;; - -stop) - echo "stop: stop - Stops the firewall. All existing connections, except those - listed in /etc/shorewall/routestopped, are taken down. - The only new traffic permitted through the firewall - is from systems listed in /etc/shorewall/routestopped." - ;; - -status) - echo "status: status - - shorewall [-x] status - - Produce a verbose report about the firewall. - - (iptables -L -n -) - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -trace) - echo "trace: trace - If you include the keyword trace as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall trace start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'debug' is a synonym for 'trace'." - ;; - -try) - echo "try: try [ ] - Restart shorewall using the specified configuration. 
If an error - occurs during the restart, then another shorewall restart is performed - using the default configuration. If a timeout is specified then - the restart is always performed after the timeout occurs and uses - the default configuration." - ;; - -version) - echo "version: version - Show the current shorewall version which is: $version" - ;; - -*) - echo "$1: $1 is not recognized by the help command" - ;; - -esac - -exit 0 # always ok - diff --git a/Lrp2/usr/share/shorewall/rfc1918 b/Lrp2/usr/share/shorewall/rfc1918 deleted file mode 100644 index f728b4491..000000000 --- a/Lrp2/usr/share/shorewall/rfc1918 +++ /dev/null 
@@ -1,45 +0,0 @@
-#
-# Shorewall 2.2 -- RFC1918 File
-#
-# /etc/shorewall/rfc1918
-#
-# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
-#
-# The default list includes those IP addresses listed in RFC 1918.
-#
-# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
-# TO /etc/shorewall AND MODIFY THE COPY.
-#
-# Columns are:
-#
-# SUBNETS A comma-separated list of subnet addresses
-# (host addresses also allowed as are IP
-# address ranges provided that your kernel and iptables
-# have iprange match support).
-# TARGET Where to send packets to/from this subnet
-# RETURN - let the packet be processed normally
-# DROP - silently drop the packet
-# logdrop - log then drop
-#
-# By default, the RETURN target causes 'norfc1918' processing to cease for a
-# packet if the packet's source IP address matches the rule. Thus, if you have:
-#
-# SUBNETS TARGET
-# 192.168.1.0/24 RETURN
-#
-# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
-# also have:
-#
-# SUBNETS TARGET
-# 10.0.0.0/8 logdrop
-#
-# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
-# logged and dropped since while the packet's source matches the RETURN rule,
-# the packet's destination matches the 'logdrop' rule.
-#
-################################################################################
-#SUBNETS TARGET
-172.16.0.0/12 logdrop # RFC 1918
-192.168.0.0/16 logdrop # RFC 1918
-10.0.0.0/8 logdrop # RFC 1918
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
deleted file mode 100644
index bda8fbec1..000000000
--- a/Lrp2/usr/share/shorewall/version
+++ /dev/null
@@ -1 +0,0 @@
-2.2.6
diff --git a/Lrp2/var/lib/lrpkg/shorwall.conf b/Lrp2/var/lib/lrpkg/shorwall.conf
deleted file mode 100644
index cfb9243f1..000000000
--- a/Lrp2/var/lib/lrpkg/shorwall.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-/etc/shorewall/params Params Assign parameter values
-/etc/shorewall/zones Zones Partition the network into Zones
-/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
-/etc/shorewall/ipsec Ipsec Define Zone IPSEC Properties
-/etc/shorewall/hosts Hosts Define specific zones
-/etc/shorewall/policy Policy Firewall high-level policy
-/etc/shorewall/rules Rules Exceptions to policy
-/etc/shorewall/maclist Maclist MAC Verification
-/etc/shorewall/masq Masq Internal MASQ Server Configuration
-/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
-/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'
-/etc/shorewall/nat Nat Static NAT Configuration
-/etc/shorewall/tunnels Tunnels Tunnel Definition (ipsec)
-/etc/shorewall/tcrules TCRules FWMark Rules
-/etc/shorewall/shorewall.conf Config Shorewall Global Parameters
-/etc/shorewall/modules Modules Netfilter modules to load
-/etc/shorewall/tos TOS Type of Service policy
-/etc/shorewall/blacklist Blacklist Blacklisted hosts
-/etc/shorewall/ecn ECN Disable ECN to hosts and networks
-/etc/shorewall/init Init Commands executed before [re]start
-/etc/shorewall/start Start Commands executed after [re]start
-/etc/shorewall/stop Stop Commands executed before stop
-/etc/shorewall/stopped Stopped Commands executed after stop
-/etc/shorewall/accounting Account Traffic Accounting Rules
-/etc/shorewall/actions Actions Define user actions
-/etc/shorewall/continue Continue Commands executed early in [re]start
-
diff --git a/Lrp2/var/lib/lrpkg/shorwall.exclude.list b/Lrp2/var/lib/lrpkg/shorwall.exclude.list
deleted file mode 100644
index cca3782fb..000000000
--- a/Lrp2/var/lib/lrpkg/shorwall.exclude.list
+++ /dev/null
@@ -1 +0,0 @@
-var/lib/shorewall/*
diff --git a/Lrp2/var/lib/lrpkg/shorwall.help b/Lrp2/var/lib/lrpkg/shorwall.help
deleted file mode 100644
index 61523f806..000000000
--- a/Lrp2/var/lib/lrpkg/shorwall.help
+++ /dev/null
@@ -1,3 +0,0 @@
-Shoreline Firewall (Shorewall)
-Homepage: http://www.shorewall.net
-Requires: iptables.lrp
diff --git a/Lrp2/var/lib/lrpkg/shorwall.list b/Lrp2/var/lib/lrpkg/shorwall.list
deleted file mode 100644
index 04bd7a15b..000000000
--- a/Lrp2/var/lib/lrpkg/shorwall.list
+++ /dev/null
@@ -1,6 +0,0 @@
-etc/init.d/shorewall
-etc/shorewall
-sbin/shorewall
-usr/share/shorewall
-var/lib/shorewall
-var/lib/lrpkg/shorwall.*
diff --git a/Lrp2/var/lib/lrpkg/shorwall.version b/Lrp2/var/lib/lrpkg/shorwall.version
deleted file mode 100644
index a14da2902..000000000
--- a/Lrp2/var/lib/lrpkg/shorwall.version
+++ /dev/null
@@ -1 +0,0 @@
-2.0.16
diff --git a/LrpN/etc/init.d/shorewall b/LrpN/etc/init.d/shorewall
deleted file mode 100755
index dc6cdd5aa..000000000
--- a/LrpN/etc/init.d/shorewall
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/bin/sh
-RCDLINKS="2,S41 3,S41 6,K41"
-#
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
-#
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
-#
-# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
-#
-# On most distributions, this file should be called /etc/init.d/shorewall.
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
-#
-# If an error occurs while starting or restarting the firewall, the
-# firewall is automatically stopped.
-#
-# Commands are:
-#
-# shorewall start Starts the firewall
-# shorewall restart Restarts the firewall
-# shorewall stop Stops the firewall
-# shorewall status Displays firewall status
-#
-#### BEGIN INIT INFO
-# Provides: shorewall
-# Required-Start: $network
-# Required-Stop:
-# Default-Start: 2 3 5
-# Default-Stop: 0 1 6
-# Description: starts and stops the shorewall firewall
-### END INIT INFO
-
-# chkconfig: 2345 25 90
-# description: Packet filtering firewall
-#
-
-################################################################################
-# Give Usage Information #
-################################################################################
-usage() {
- echo "Usage: $0 start|stop|restart|status"
- exit 1
-}
-
-################################################################################
-# E X E C U T I O N B E G I N S H E R E #
-################################################################################
-command="$1"
-
-case "$command" in
-
- stop|start|restart|status)
-
- exec /sbin/shorewall $@
- ;;
- *)
-
- usage
- ;;
-
-esac
diff --git a/LrpN/etc/shorewall/accounting b/LrpN/etc/shorewall/accounting
deleted file mode 100644
index d21c03326..000000000
--- a/LrpN/etc/shorewall/accounting
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Shorewall version 2.2 - Accounting File
-#
-# /etc/shorewall/accounting
-#
-# Accounting rules exist simply to count packets and bytes in categories
-# that you define in this file. You may display these rules and their
-# packet and byte counters using the "shorewall show accounting" command.
-#
-# Please see http://shorewall.net/Accounting.html for examples and
-# additional information about how to use this file.
-#
-#
-# Columns are:
-#
-# ACTION - What to do when a match is found.
-#
-# COUNT - Simply count the match and continue
-# with the next rule
-# DONE - Count the match and don't attempt
-# to match any other accounting rules
-# in the chain specified in the CHAIN
-# column.
-# [:COUNT]
-# - Where is the name of
-# a chain. Shorewall will create
-# the chain automatically if it
-# doesn't already exist. Causes
-# a jump to that chain. If :COUNT
-# is including, a counting rule
-# matching this record will be
-# added to
-#
-# CHAIN - The name of a chain. If specified as "-" the
-# 'accounting' chain is assumed. This is the chain
-# where the accounting rule is added. The chain will
-# be created if it doesn't already exist.
-#
-# SOURCE - Packet Source
-#
-# The name of an interface, an address (host or net) or
-# an interface name followed by ":"
-# and a host or net address.
-#
-# DESTINATION - Packet Destination
-#
-# Format the same as the SOURCE column.
-#
-# PROTOCOL A protocol name (from /etc/protocols), a protocol
-# number, or "ipp2p"
-#
-# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
-# this column must contain an ipp2p option ("iptables -m
-# ipp2p --help") without the leading "--". If no option
-# is given in this column, "ipp2p" is assumed.
-#
-# Service name from /etc/services or port number. May
-# only be specified if the protocol is TCP or UDP (6
-# or 17).
-#
-# SOURCE PORT Source Port number
-#
-# Service name from /etc/services or port number.
May
-# only be specified if the protocol is TCP or UDP (6
-# or 17).
-#
-# USER/GROUP This column may only be non-empty if the CHAIN is
-# OUTPUT.
-#
-# The column may contain:
-#
-# [!][][:]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-#
-# In all of the above columns except ACTION and CHAIN, the values "-",
-# "any" and "all" may be used as wildcards
-#
-# Please see http://shorewall.net/Accounting.html for examples and
-# additional information about how to use this file.
-#
-#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
-# PORT PORT GROUP
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/actions b/LrpN/etc/shorewall/actions
deleted file mode 100644
index 4ddb30e91..000000000
--- a/LrpN/etc/shorewall/actions
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Shorewall 2.2 /etc/shorewall/actions
-#
-# This file allows you to define new ACTIONS for use in rules
-# (/etc/shorewall/rules). You define the iptables rules to
-# be performed in an ACTION in
-# /etc/shorewall/action..
-#
-# ACTION names should begin with an upper-case letter to
-# distinguish them from Shorewall-generated chain names and
-# they must need the requirements of a Netfilter chain. If
-# you intend to log from the action then the name must be
-# no longer than 11 character in length. Names must also
-# meet the requirements for a Bourne Shell identifier (must
-# begin with a letter and be composed of letters, digits and
-# underscore characters).
-#
-# If you follow the action name with ":DROP", ":REJECT" or
-# :ACCEPT then the action will be taken before a DROP, REJECT or
-# ACCEPT policy respectively is enforced. If you specify ":DROP",
-# ":REJECT" or ":ACCEPT" on more than one action then only the
-# last such action will be taken.
-#
-# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
-# itself, the associated policy will have no common action.
-#
-#ACTION
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/blacklist b/LrpN/etc/shorewall/blacklist
deleted file mode 100644
index 4cb06756d..000000000
--- a/LrpN/etc/shorewall/blacklist
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# Shorewall 2.2 -- Blacklist File
-#
-# /etc/shorewall/blacklist
-#
-# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
-#
-# Columns are:
-#
-# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
-# range (if your kernel and iptables contain iprange
-# match support).
-#
-# MAC addresses must be prefixed with "~" and use "-"
-# as a separator.
-#
-# Example: ~00-A0-C9-15-39-78
-#
-# PROTOCOL - Optional. If specified, must be a protocol number
-# or a protocol name from /etc/protocols.
-#
-# PORTS - Optional. May only be specified if the protocol
-# is TCP (6) or UDP (17). A comma-separated list
-# of port numbers or service names from /etc/services.
-#
-# When a packet arrives on an interface that has the 'blacklist' option
-# specified in /etc/shorewall/interfaces, its source IP address is checked
-# against this file and disposed of according to the BLACKLIST_DISPOSITION and
-# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
-#
-# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
-# the protocol (and one of the ports if PORTS supplied) are blocked.
-#
-# Example:
-#
-# To block DNS queries from address 192.0.2.126:
-#
-# ADDRESS/SUBNET PROTOCOL PORT
-# 192.0.2.126 udp 53
-#
-###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
diff --git a/LrpN/etc/shorewall/continue b/LrpN/etc/shorewall/continue
deleted file mode 100644
index e608ca4ed..000000000
--- a/LrpN/etc/shorewall/continue
+++ /dev/null
@@ -1,6 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/continue
-#
-# Add commands below that you want to be executed after shorewall has
-# cleared any existing Netfilter rules and has enabled existing connections.
-#
diff --git a/LrpN/etc/shorewall/ecn b/LrpN/etc/shorewall/ecn
deleted file mode 100644
index e09e32540..000000000
--- a/LrpN/etc/shorewall/ecn
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Shorewall 2.2 - /etc/shorewall/ecn
-#
-# Use this file to list the destinations for which you want to
-# disable ECN.
-#
-# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
-# you also need the patch found at http://www.shorewall.net/ecn/patch.
-# That patch is included in kernels 2.4.21 and later.
-#
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed. If your kernel and iptables
-# include iprange match support then IP address ranges
-# are also permitted.
-##############################################################################
-#INTERFACE HOST(S)
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/hosts b/LrpN/etc/shorewall/hosts
deleted file mode 100644
index 1fbd5e51c..000000000
--- a/LrpN/etc/shorewall/hosts
+++ /dev/null
@@ -1,139 +0,0 @@
-#
-# Shorewall 2.2 - /etc/shorewall/hosts
-#
-# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
-# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
-#
-# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
-#------------------------------------------------------------------------------
-# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
-# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
-# ZONE AND INTERFACE IN THIS FILE.
-#------------------------------------------------------------------------------
-# This file is used to define zones in terms of subnets and/or
-# individual IP addresses. Most simple setups don't need to
-# (should not) place anything in this file.
-#
-# The order of entries in this file is not significant in
-# determining zone composition. Rather, the order that the zones
-# are defined in /etc/shorewall/zones determines the order in
-# which the records in this file are interpreted.
-#
-# ZONE - The name of a zone defined in /etc/shorewall/zones
-#
-# HOST(S) - The name of an interface defined in the
-# /etc/shorewall/interfaces file followed by a colon (":") and
-# a comma-separated list whose elements are either:
-#
-# a) The IP address of a host
-# b) A subnetwork in the form
-# /
-# c) An IP address range of the form -. Your kernel and iptables must have iprange
-# match support.
-# d) A physical port name; only allowed when the
-# interface names a bridge created by the
-# brctl addbr command. This port must not
-# be defined in /etc/shorewall/interfaces and may
-# optionally followed by a colon (":") and a
-# host or network IP or a range.
-# See http://www.shorewall.net/Bridge.html for details.
-#
-# Examples:
-#
-# eth1:192.168.1.3
-# eth2:192.168.2.0/24
-# eth3:192.168.2.0/24,192.168.3.1
-# br0:eth4
-# br0:eth0:192.168.1.16/28
-# eth4:192.168.1.44-192.168.1.49
-#
-# OPTIONS - A comma-separated list of options.
Currently-defined
-# options are:
-#
-# maclist - Connection requests from these hosts
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# routeback - Shorewall should set up the infrastructure
-# to pass packets from this/these
-# address(es) back to themselves. This is
-# necessary if hosts in this group use the
-# services of a transparent proxy that is
-# a member of the group or if DNAT is used
-# to send requests originating from this
-# group to a server in the group.
-#
-# norfc1918 - This option only makes sense for ports
-# on a bridge.
-#
-# The port should not accept
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# nobogons - This option only makes sense for ports
-# on a bridge.
-#
-# This port should not accept
-# any packets whose source is in one
-# of the ranges reserved by IANA (this
-# option does not cover those ranges
-# reserved by RFC 1918 -- see
-# 'norfc1918' above).
-#
-# blacklist - This option only makes sense for ports
-# on a bridge.
-#
-# Check packets arriving on this port
-# against the /etc/shorewall/blacklist
-# file.
-#
-# tcpflags - Packets arriving from these hosts are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# nosmurfs - This option only makes sense for ports
-# on a bridge.
-#
-# Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from these hosts, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# ipsec - The zone is accessed via a
-# kernel 2.6 ipsec SA. Note that if the
-# zone named in the ZONE column is
-# specified as an IPSEC zone in the
-# /etc/shorewall/ipsec file then you do NOT
-# need to specify the 'ipsec' option here.
-#
-#ZONE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/init b/LrpN/etc/shorewall/init
deleted file mode 100644
index 7fb3988e1..000000000
--- a/LrpN/etc/shorewall/init
+++ /dev/null
@@ -1,6 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
-#
diff --git a/LrpN/etc/shorewall/initdone b/LrpN/etc/shorewall/initdone
deleted file mode 100644
index efd2be5d2..000000000
--- a/LrpN/etc/shorewall/initdone
+++ /dev/null
@@ -1,7 +0,0 @@
-############################################################################
-# Shorewall 2.2 -- /etc/shorewall/initdone
-#
-# Add commands below that you want to be executed during
-# "shorewall start" or "shorewall restart" commands at the point where
-# Shorewall has not yet added any perminent rules to the builtin chains.
-#
diff --git a/LrpN/etc/shorewall/interfaces b/LrpN/etc/shorewall/interfaces
deleted file mode 100644
index 74080d3c3..000000000
--- a/LrpN/etc/shorewall/interfaces
+++ /dev/null
@@ -1,209 +0,0 @@
-#
-# Shorewall 2.2 -- Interfaces File
-#
-# /etc/shorewall/interfaces
-#
-# You must add an entry in this file for each network interface on your
-# firewall system.
-#
-# Columns are:
-#
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
-#
-# If the interface serves multiple zones that will be
-# defined in the /etc/shorewall/hosts file, you should
-# place "-" in this column.
-#
-# INTERFACE Name of interface. Each interface may be listed only
-# once in this file. You may NOT specify the name of
-# an alias (e.g., eth0:0) here; see
-# http://www.shorewall.net/FAQ.htm#faq18
-#
-# You may specify wildcards here. For example, if you
-# want to make an entry that applies to all PPP
-# interfaces, use 'ppp+'.
-#
-# There is no need to define the loopback interface (lo)
-# in this file.
-#
-# BROADCAST The broadcast address for the subnetwork to which the
-# interface belongs. For P-T-P interfaces, this
-# column is left blank.If the interface has multiple
-# addresses on multiple subnets then list the broadcast
-# addresses as a comma-separated list.
-#
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
-# select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
-#
-# If you don't want to give a value for this column but
-# you want to enter a value in the OPTIONS column, enter
-# "-" in this column.
-#
-# OPTIONS A comma-separated list of options including the
-# following:
-#
-# dhcp - Specify this option when any of
-# the following are true:
-# 1. the interface gets its IP address
-# via DHCP
-# 2. the interface is used by
-# a DHCP server running on the firewall
-# 3. you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP
-# clients.
-# 4. the interface is a bridge with
-# a DHCP server on one port and DHCP
-# clients on another port.
-#
-# norfc1918 - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# nobogons - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by IANA (this
-# option does not cover those ranges
-# reserved by RFC 1918 -- see above).
-#
-# I PERSONALLY RECOMMEND AGAINST USING
-# THE 'nobogons' OPTION.
-#
-# routefilter - turn on kernel route filtering for this
-# interface (anti-spoofing measure). This
-# option can also be enabled globally in
-# the /etc/shorewall/shorewall.conf file.
-#
-# logmartians - turn on kernel martian logging (logging
-# of packets with impossible source
-# addresses. It is suggested that if you
-# set routefilter on an interface that
-# you also set logmartians. This option
-# may also be enabled globally in the
-# /etc/shorewall/shorewall.conf file.
-#
-# blacklist - Check packets arriving on this interface
-# against the /etc/shorewall/blacklist
-# file.
-#
-# maclist - Connection requests from this interface
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# tcpflags - Packets arriving on this interface are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# proxyarp -
-# Sets
-# /proc/sys/net/ipv4/conf//proxy_arp.
-# Do NOT use this option if you are
-# employing Proxy ARP through entries in
-# /etc/shorewall/proxyarp.
This option is
-# intended soley for use with Proxy ARP
-# sub-networking as described at:
-# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this interface
-# are processed as if NEWNOTSYN=Yes had been
-# specified in /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
-# should include rules that allow filtering
-# traffic arriving on this interface back
-# out that same interface.
-#
-# arp_filter - If specified, this interface will only
-# respond to ARP who-has requests for IP
-# addresses configured on the interface.
-# If not specified, the interface can
-# respond to ARP who-has requests for
-# IP addresses on any of the firewall's
-# interface. The interface must be up
-# when Shorewall is started.
-#
-# nosmurfs - Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# detectnets - Automatically taylors the zone named
-# in the ZONE column to include only those
-# hosts routed through the interface.
-# upnp - Incoming requests from this interface may
-# be remapped via UPNP (upnpd).
-#
-# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE.
-#
-# The order in which you list the options is not
-# significant but the list should have no embedded white
-# space.
-#
-# Example 1: Suppose you have eth0 connected to a DSL modem and
-# eth1 connected to your local network and that your
-# local subnet is 192.168.1.0/24. The interface gets
-# it's IP address via DHCP from subnet
-# 206.191.149.192/27. You have a DMZ with subnet
-# 192.168.2.0/24 using eth2.
-#
-# Your entries for this setup would look like:
-#
-# net eth0 206.191.149.223 dhcp
-# local eth1 192.168.1.255
-# dmz eth2 192.168.2.255
-#
-# Example 2: The same configuration without specifying broadcast
-# addresses is:
-#
-# net eth0 detect dhcp
-# loc eth1 detect
-# dmz eth2 detect
-#
-# Example 3: You have a simple dial-in system with no ethernet
-# connections.
-#
-# net ppp0 -
-##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-#
-net eth0 detect dhcp,routefilter,norfc1918
-loc eth1 detect dhcp
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/ipsec b/LrpN/etc/shorewall/ipsec
deleted file mode 100644
index b6692d8fd..000000000
--- a/LrpN/etc/shorewall/ipsec
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Shorewall 2.2 - /etc/shorewall/ipsec
-#
-# This file defines the attributes of zones with respect to
-# IPSEC. To use this file, you must be running a 2.6 kernel and
-# both your kernel and iptables must include Policy Match Support.
-#
-# The columns are:
-#
-# ZONE The name of a zone defined in /etc/shorewall/zones. The
-# $FW zone may not be listed.
-#
-# IPSEC Yes -- Communication with all zone hosts is encrypted
-# ONLY No -- Communication with some zone hosts is encrypted.
-# Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
-#
-# OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS,
-# OUT OPTIONS reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA used to encrypt/decrypt packets.
-#
-# proto=ah|esp|ipcomp
-#
-# mss= (sets the MSS field in TCP packets)
-#
-# mode=transport|tunnel
-#
-# tunnel-src=
[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=
[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all rules.
-#
-# next Separates rules; can only be used with
-# strict..
-#
-# Example:
-# mode=transport,reqid=44
-#
-# The options in the OPTIONS column are applied to both incoming
-# and outgoing traffic. The IN OPTIONS are applied to incoming
-# traffic (in addition to OPTIONS) and the OUT OPTIONS are
-# applied to outgoing traffic.
-#
-# If you wish to leave a column empty but need to make an entry
-# in a following column, use "-".
-###################################################################################
-#ZONE IPSEC OPTIONS IN OUT
-# ONLY OPTIONS OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
diff --git a/LrpN/etc/shorewall/maclist b/LrpN/etc/shorewall/maclist
deleted file mode 100644
index b200ddda2..000000000
--- a/LrpN/etc/shorewall/maclist
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Shorewall 2.2 - MAC list file
-#
-# /etc/shorewall/maclist
-#
-# Columns are:
-#
-# INTERFACE Network interface to a host. If the interface
-# names a bridge, it may be optionally followed by
-# a colon (":") and a physical port name (e.g.,
-# br0:eth4).
-#
-# MAC MAC address of the host -- you do not need to use
-# the Shorewall format for MAC addresses here
-#
-# IP ADDRESSES Optional -- if specified, both the MAC and IP address
-# must match. This column can contain a comma-separated
-# list of host and/or subnet addresses. If your kernel
-# and iptables have iprange match support then IP
-# address ranges are also allowed.
-##############################################################################
-#INTERFACE MAC IP ADDRESSES (Optional)
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/masq b/LrpN/etc/shorewall/masq
deleted file mode 100644
index 34e81d93d..000000000
--- a/LrpN/etc/shorewall/masq
+++ /dev/null
@@ -1,201 +0,0 @@
-#
-# Shorewall 2.2 - Masquerade file
-#
-# /etc/shorewall/masq
-#
-# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
-# (SNAT).
-#
-# Columns are:
-#
-# INTERFACE -- Outgoing interface. This is usually your internet
-# interface. If ADD_SNAT_ALIASES=Yes in
-# /etc/shorewall/shorewall.conf, you may add ":" and
-# a digit to indicate that you want the alias added with
-# that name (e.g., eth0:0). This will allow the alias to
-# be displayed with ifconfig. THAT IS THE ONLY USE FOR
-# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
-# PLACE IN YOUR SHOREWALL CONFIGURATION.
-#
-# This may be qualified by adding the character
-# ":" followed by a destination host or subnet.
-#
-# If you wish to inhibit the action of ADD_SNAT_ALIASES
-# for this entry then include the ":" but omit the digit:
-#
-# eth0:
-# eth2::192.0.2.32/27
-#
-# Normally Masq/SNAT rules are evaluated after those for
-# one-to-one NAT (/etc/shorewall/nat file). If you want
-# the rule to be applied before one-to-one NAT rules,
-# prefix the interface name with "+":
-#
-# +eth0
-# +eth0:192.0.2.32/27
-# +eth0:2
-#
-# This feature should only be required if you need to
-# insert rules in this file that preempt entries in
-# /etc/shorewall/nat.
-#
-# SUBNET -- Subnet that you wish to masquerade. You can specify this as
-# a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
-#
-# In order to exclude a subset of the specified SUBNET, you
-# may append "!" and a comma-separated list of IP addresses
-# and/or subnets that you wish to exclude.
-#
-# Example: eth1!192.168.1.4,192.168.32.0/27
-#
-# In that example traffic from eth1 would be masqueraded unless
-# it came from 192.168.1.4 or 196.168.32.0/27
-#
-# ADDRESS -- (Optional). If you specify an address here, SNAT will be
-# used and this will be the source address.
If
-# ADD_SNAT_ALIASES is set to Yes or yes in
-# /etc/shorewall/shorewall.conf then Shorewall
-# will automatically add this address to the
-# INTERFACE named in the first column.
-#
-# You may also specify a range of up to 256
-# IP addresses if you want the SNAT address to
-# be assigned from that range in a round-robin
-# range by connection. The range is specified by
-# -.
-#
-# Example: 206.124.146.177-206.124.146.180
-#
-# Finally, you may also specify a comma-separated
-# list of ranges and/or addresses in this column.
-#
-# This column may not contain DNS Names.
-#
-# Normally, Netfilter will attempt to retain
-# the source port number. You may cause
-# netfilter to remap the source port by following
-# an address or range (if any) by ":" and
-# a port range with the format -
-# . If this is done, you must
-# specify "tcp" or "udp" in the PROTO column.
-#
-# Examples:
-#
-# 192.0.2.4:5000-6000
-# :4000-5000
-#
-# If you want to leave this column empty
-# but you need to specify the next column then
-# place a hyphen ("-") here.
-#
-# PROTO -- (Optional) If you wish to restrict this entry to a
-# particular protocol then enter the protocol
-# name (from /etc/protocols) or number here.
-#
-# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
-# or UDP (protocol 17) then you may list one
-# or more port numbers (or names from
-# /etc/services) separated by commas or you
-# may list a single port range
-# (:).
-#
-# Where a comma-separated list is given, your
-# kernel and iptables must have multiport match
-# support and a maximum of 15 ports may be
-# listed.
-#
-# IPSEC -- (Optional) If you specify a value other than "-" in this
-# column, you must be running kernel 2.6 and
-# your kernel and iptables must include policy
-# match support.
-#
-# Comma-separated list of options from the following.
-# Only packets that will be encrypted via an SA that
-# matches these options will have their source address
-# changed.
-#
-# Yes or yes -- must be the only option listed
-# and matches all outbound traffic that will be
-# encrypted.
-#
-# reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA.
-#
-# proto=ah|esp|ipcomp
-#
-# mode=transport|tunnel
-#
-# tunnel-src=
[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=
[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all
-# rules.
-#
-# next Separates rules; can only be used
-# with strict..
-#
-# Example 1:
-#
-# You have a simple masquerading setup where eth0 connects to
-# a DSL or cable modem and eth1 connects to your local network
-# with subnet 192.168.0.0/24.
-#
-# Your entry in the file can be either:
-#
-# eth0 eth1
-#
-# or
-#
-# eth0 192.168.0.0/24
-#
-# Example 2:
-#
-# You add a router to your local network to connect subnet
-# 192.168.1.0/24 which you also want to masquerade. You then
-# add a second entry for eth0 to this file:
-#
-# eth0 192.168.1.0/24
-#
-# Example 3:
-#
-# You have an IPSEC tunnel through ipsec0 and you want to
-# masquerade packets coming from 192.168.1.0/24 but only if
-# these packets are destined for hosts in 10.1.1.0/24:
-#
-# ipsec0:10.1.1.0/24 196.168.1.0/24
-#
-# Example 4:
-#
-# You want all outgoing traffic from 192.168.1.0/24 through
-# eth0 to use source address 206.124.146.176 which is NOT the
-# primary address of eth0. You want 206.124.146.176 added to
-# be added to eth0 with name eth0:0.
-#
-# eth0:0 192.168.1.0/24 206.124.146.176
-#
-# Example 5:
-#
-# You want all outgoing SMTP traffic entering the firewall
-# on eth1 to be sent from eth0 with source IP address
-# 206.124.146.177. You want all other outgoing traffic
-# from eth1 to be sent from eth0 with source IP address
-# 206.124.146.176.
-#
-# eth0 eth1 206.124.146.177 tcp smtp
-# eth0 eth1 206.124.146.176
-#
-# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
-#
-###############################################################################
-#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
-eth0 eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/modules b/LrpN/etc/shorewall/modules
deleted file mode 100644
index f658e3576..000000000
--- a/LrpN/etc/shorewall/modules
+++ /dev/null
@@ -1,21 +0,0 @@
-##############################################################################
-# Shorewall 2.2 /etc/shorewall/modules
-#
-# This file loads the modules needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1 before
-# you load M2.
-#
-
- loadmodule ip_tables
- loadmodule iptable_filter
- loadmodule ip_conntrack
- loadmodule ip_conntrack_ftp
- loadmodule ip_conntrack_tftp
- loadmodule ip_conntrack_irc
- loadmodule iptable_nat
- loadmodule ip_nat_ftp
- loadmodule ip_nat_tftp
- loadmodule ip_nat_irc
-
diff --git a/LrpN/etc/shorewall/nat b/LrpN/etc/shorewall/nat
deleted file mode 100644
index 76991ebdd..000000000
--- a/LrpN/etc/shorewall/nat
+++ /dev/null
@@ -1,45 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Network Address Translation Table
-#
-# /etc/shorewall/nat
-#
-# This file is used to define one-to-one Network Address Translation
-# (NAT).
-#
-# WARNING: If all you want to do is simple port forwarding, do NOT use this
-# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
-# cases, Proxy ARP is a better solution that one-to-one NAT.
-#
-# Columns must be separated by white space and are:
-#
-# EXTERNAL External IP Address - this should NOT be the primary
-# IP address of the interface named in the next
-# column and must not be a DNS Name.
-#
-# INTERFACE Interface that you want to EXTERNAL address to appear
-# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
-# follow the interface name with ":" and a digit to
-# indicate that you want Shorewall to add the alias
-# with this name (e.g., "eth0:0"). That allows you to
-# see the alias with ifconfig. THAT IS THE ONLY THING
-# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
-# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
-#
-# If you want to override ADD_IP_ALIASES=Yes for a
-# particular entry, follow the interface name with
-# ":" and no digit (e.g., "eth0:").
-# INTERNAL Internal Address (must not be a DNS Name).
-#
-# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
-# If No or no (or left empty) then NAT will be effective
-# only through the interface named in the INTERFACE
-# column
-#
-# LOCAL If Yes or yes, NAT will be effective from the firewall
-# system
-##############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
-# INTERFACES
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/netmap b/LrpN/etc/shorewall/netmap
deleted file mode 100644
index 8faac6fc1..000000000
--- a/LrpN/etc/shorewall/netmap
+++ /dev/null
@@ -1,38 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Network Mapping Table
-#
-# /etc/shorewall/netmap
-#
-# This file is used to map addresses in one network to corresponding
-# addresses in a second network.
-#
-# WARNING: To use this file, your kernel and iptables must have
-# NETMAP support included.
-#
-# Columns must be separated by white space and are:
-#
-# TYPE Must be DNAT or SNAT.
-#
-# If DNAT, traffic entering INTERFACE and addressed to
-# NET1 has it's destination address rewritten to the
-# corresponding address in NET2.
-#
-# If SNAT, traffic leaving INTERFACE with a source
-# address in NET1 has it's source address rewritten to
-# the corresponding address in NET2.
-#
-# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
-#
-# INTERFACE The name of a network interface. The interface must
-# be defined in /etc/shorewall/interfaces.
-#
-# NET2 Network in CIDR format
-#
-# See http://shorewall.net/netmap.html for an example and usage
-# information.
-#
-##############################################################################
-#TYPE NET1 INTERFACE NET2
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/params b/LrpN/etc/shorewall/params
deleted file mode 100644
index 24d1c94ae..000000000
--- a/LrpN/etc/shorewall/params
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# Shorewall 2.2 /etc/shorewall/params
-#
-# Assign any variables that you need here.
-#
-# It is suggested that variable names begin with an upper case letter
-# to distinguish them from variables used internally within the
-# Shorewall programs
-#
-# Example:
-#
-# NET_IF=eth0
-# NET_BCAST=130.252.100.255
-# NET_OPTIONS=routefilter,norfc1918
-#
-# Example (/etc/shorewall/interfaces record):
-#
-# net $NET_IF $NET_BCAST $NET_OPTIONS
-#
-# The result will be the same as if the record had been written
-#
-# net eth0 130.252.100.255 routefilter,norfc1918
-#
-##############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/policy b/LrpN/etc/shorewall/policy
deleted file mode 100644
index bb08500c0..000000000
--- a/LrpN/etc/shorewall/policy
+++ /dev/null
@@ -1,91 +0,0 @@
-#
-# Shorewall 2.2 -- Policy File
-#
-# /etc/shorewall/policy
-#
-# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
-#
-# This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file . For each
-# source/destination pair, the file is processed in order until a
-# match is found ("all" will match any client or server).
-#
-# Columns are:
-#
-# SOURCE Source zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all".
-#
-# DEST Destination zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all"
-#
-# POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
-#
-# ACCEPT - Accept the connection
-# DROP - Ignore the connection request
-# REJECT - For TCP, send RST. For all other, send
-# "port unreachable" ICMP.
-# QUEUE - Send the request to a user-space
-# application using the QUEUE target.
-# CONTINUE - Pass the connection request past
-# any other rules that it might also
-# match (where the source or destination
-# zone in those rules is a superset of
-# the SOURCE or DEST in this policy).
-# NONE - Assume that there will never be any
-# packets from this SOURCE
-# to this DEST. Shorewall will not set up
-# any infrastructure to handle such
-# packets and you may not have any rules
-# with this SOURCE and DEST in the
-# /etc/shorewall/rules file. If such a
-# packet _is_ received, the result is
-# undefined. NONE may not be used if the
-# SOURCE or DEST columns contain the
-# firewall zone ($FW) or "all".
-#
-# If this column contains ACCEPT, DROP or REJECT and a
-# corresponding common action is defined in
-# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
-# then that action will be invoked before the policy named in
-# this column is inforced.
-#
-# LOG LEVEL If supplied, each connection handled under the default
-# POLICY is logged at that level. If not supplied, no
-# log message is generated. See syslog.conf(5) for a
-# description of log levels.
-#
-# Beginning with Shorewall version 1.3.12, you may
-# also specify ULOG (must be in upper case). This will
-# log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# If you don't want to log but need to specify the
-# following column, place "-" here.
-#
-# LIMIT:BURST If passed, specifies the maximum TCP connection rate
-# and the size of an acceptable burst. If not specified,
-# TCP connections are not limited.
-#
-# As shipped, the default policies are:
-#
-# a) All connections from the local network to the internet are allowed
-# b) All connections from the internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
-###############################################################################
-#SOURCE DEST POLICY LOG LIMIT:BURST
-# LEVEL
-loc net ACCEPT
-net all DROP ULOG
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-#fw net ACCEPT
-
-#
-# THE FOLLOWING POLICY MUST BE LAST
-#
-all all REJECT ULOG
-#LAST LINE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/proxyarp b/LrpN/etc/shorewall/proxyarp
deleted file mode 100644
index c80c1b21c..000000000
--- a/LrpN/etc/shorewall/proxyarp
+++ /dev/null
@@ -1,44 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Proxy ARP
-#
-# /etc/shorewall/proxyarp
-#
-# This file is used to define Proxy ARP.
-#
-# Columns must be separated by white space and are:
-#
-# ADDRESS IP Address
-#
-# INTERFACE Local interface where system is connected. If the
-# local interface is obvious from the subnetting,
-# you may enter "-" in this column.
-#
-# EXTERNAL External Interface to be used to access this system
-#
-# HAVEROUTE If there is already a route from the firewall to
-# the host whose address is given, enter "Yes" or "yes"
-# in this column. Otherwise, entry "no", "No" or leave
-# the column empty and Shorewall will add the route for
-# you. If Shorewall adds the route,the route will be
-# persistent if the PERSISTENT column contains Yes;
-# otherwise, "shorewall stop" or "shorewall clear" will
-# delete the route.
-#
-# PERSISTENT If HAVEROUTE is No or "no", then the value of this
-# column determines if the route added by Shorewall
-# persists after a "shorewall stop" or a "shorewall
-# clear". If this column contains "Yes" or "yes" then
-# the route persists; If the column is empty or contains
-# "No"or "no" then the route is deleted at "shorewall
-# stop" or "shorewall clear".
-#
-# Example: Host with IP 155.186.235.6 is connected to
-# interface eth1 and we want hosts attached via eth0
-# to be able to access it using that address.
-#
-# #ADDRESS INTERFACE EXTERNAL
-# 155.186.235.6 eth1 eth0
-##############################################################################
-#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/routestopped b/LrpN/etc/shorewall/routestopped
deleted file mode 100644
index d59da15be..000000000
--- a/LrpN/etc/shorewall/routestopped
+++ /dev/null
@@ -1,36 +0,0 @@
-##############################################################################
-#
-# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
-#
-# /etc/shorewall/routestopped
-#
-# This file is used to define the hosts that are accessible when the
-# firewall is stopped or when it is in the process of being
-# [re]started.
-#
-# Columns must be separated by white space and are:
-#
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# addresses. If your kernel and iptables include
-# iprange match support, IP address ranges are also
-# allowed.
-#
-# If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
-# OPTIONS - (Optional) A comma-separated list of
-# options. The currently-supported options are:
-#
-# routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
-#
-# Example:
-#
-# INTERFACE HOST(S) OPTIONS
-# eth2 192.168.1.0/24
-# eth0 192.0.2.44
-# br0 - routeback
-##############################################################################
-#INTERFACE HOST(S) OPTIONS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/etc/shorewall/rules b/LrpN/etc/shorewall/rules
deleted file mode 100755
index d2ac03837..000000000
--- a/LrpN/etc/shorewall/rules
+++ /dev/null
@@ -1,357 +0,0 @@ -# -# Shorewall version 2.2 - Rules File -# -# /etc/shorewall/rules -# -# Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. For any -# particular (source,dest) pair of zones, the rules are evaluated in the -# order in which they appear in this file and the first match is the one -# that determines the disposition of the request. -# -# In most places where an IP address or subnet is allowed, you -# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to -# indicate that the rule matches all addresses except the address/subnet -# given. Notice that no white space is permitted between "!" and the -# address/subnet. -#------------------------------------------------------------------------------ -# WARNING: If you masquerade or use SNAT from a local system to the internet, -# you cannot use an ACCEPT rule to allow traffic from the internet to -# that system. You *must* use a DNAT rule instead. -#-------------------------------------------------------------------------------# -# Columns are: -# -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, -# LOG, QUEUE or an . -# -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the -# connection from any subsequent -# DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any -# subsequent DNAT[-] or REDIRECT[-] -# rules but doesn't generate a rule -# to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# REDIRECT- -# -- Advanced users only. 
-# Like REDIRET but only generates the -# REDIRECT iptables rule and not -# the companion ACCEPT rule. -# -# CONTINUE -- (For experts only). Do not process -# any of the following rules for this -# (source zone,destination zone). If -# The source and/or destination IP -# address falls into a zone defined -# later in /etc/shorewall/zones, this -# connection request will be passed -# to the rules defined for that -# (those) zone(s). -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as ftwall -# (http://p2pwall.sf.net). -# -- The name of an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std. -# -# The ACTION may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# DNAT:debug). This causes the packet to be -# logged at the specified level. -# -# If the ACTION names an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std then: -# -# - If the log level is followed by "!' then all rules -# in the action are logged at the log level. -# -# - If the log level is not followed by "!" then only -# those rules in the action that do not specify -# logging are logged at the specified level. -# -# - The special log level 'none!' suppresses logging -# by the action. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. 
May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, or "all" If the ACTION is DNAT or -# REDIRECT, sub-zones of the specified zone may be -# excluded from the rule by following the zone name with -# "!' and a comma-separated list of sub-zone names. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add -# separate rules to handle that traffic. -# -# Except when "all" is specified, clients may be further -# restricted to a list of subnets and/or hosts by -# appending ":" and a comma-separated list of subnets -# and/or hosts. Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# Hosts may be specified as an IP address range using the -# syntax -. This requires that -# your kernel and iptables contain iprange match support. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. -# -# net:192.0.2.11-192.0.2.17 -# Hosts 192.0.2.11-192.0.2.17 in -# the net zone. -# -# Alternatively, clients may be specified by interface -# by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a -# client that communicates with the firewall system -# through eth1. This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones, $FW to indicate the firewall -# itself or "all" -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add -# separate rules to handle that traffic. 
-# -# Except when "all" is specified, the server may be -# further restricted to a particular subnet, host or -# interface by appending ":" and the subnet, host or -# interface. See above. -# -# Restrictions: -# -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3. You may not specify both an interface and -# an address. -# -# Like in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. When the ACTION is DNAT or DNAT-, -# the connections will be assigned to addresses in the -# range in a round-robin fashion. -# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. A destination port may only be -# included if the ACTION is DNAT or REDIRECT. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the ACTION is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example "bit" -# for bit-torrent). If no port is given, "ipp2p" is -# assumed. -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. 
-# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then place -# "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or -# REDIRECT[-]) If included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. -# -# A comma-separated list of addresses may also be used. -# This is usually most useful with the REDIRECT target -# where you want to redirect traffic destined for -# particular set of hosts. -# -# Finally, if the list of addresses begins with "!" then -# the rule will be followed only if the original -# destination address in the connection request does not -# match any of the addresses listed. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. 
There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# -# Example: Accept SMTP requests from the DMZ to the internet -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT dmz net tcp smtp -# -# Example: Forward all ssh and http connection requests from the internet -# to local system 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp ssh,http -# -# Example: Forward all http connection requests from the internet -# to local system 192.168.1.3 with a limit of 3 per second and -# a maximum burst of 10 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# # PORT PORT(S) DEST LIMIT -# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 -# -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 -# -# Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 -# -# Example: You want to accept SSH connections to your firewall only -# from internet IP addresses 130.252.100.69 and 
130.252.100.70 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT net:130.252.100.69,130.252.100.70 fw \ -# tcp 22 -#################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP -# Accept DNS connections from the firewall to the network -# -ACCEPT fw net tcp 53 -ACCEPT fw net udp 53 -# Accept SSH connections from the local network for administration -# -ACCEPT loc fw tcp 22 -# Allow Ping To Firewall -# -ACCEPT loc fw icmp 8 -ACCEPT net fw icmp 8 -# -# Allow all ICMP types (including ping) From Firewall -# -ACCEPT fw loc icmp -ACCEPT fw net icmp -# -# Bering specific rules: -# allow loc to fw udp/53 for local/caching DNS servers to work -# allow loc to fw tcp/80 for weblet to work -ACCEPT loc fw udp 53 -ACCEPT loc fw tcp 80 -# uncomment to use dnsmasq's dhcpd in your LAN -#ACCEPT loc fw udp 67,68 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/shorewall.conf b/LrpN/etc/shorewall/shorewall.conf deleted file mode 100755 index 1424f33cd..000000000 --- a/LrpN/etc/shorewall/shorewall.conf +++ /dev/null 
@@ -1,829 +0,0 @@ -############################################################################## -# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to -# match your setup -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -############################################################################## -# S T A R T U P E N A B L E D -############################################################################## -# Once you have configured Shorewall, you may change the setting of -# this variable to 'Yes' - -STARTUP_ENABLED=No - -############################################################################## -# L O G G I N G -############################################################################## -# -# General note about log levels. Log levels are a method of describing -# to syslog (8) the importance of a message and a number of parameters -# in this file have log levels as their value. -# -# These levels are defined by syslog and are used to determine the destination -# of the messages through entries in /etc/syslog.conf (5). The syslog -# documentation refers to these as "priorities"; Netfilter calls them "levels" -# and Shorewall also uses that term. -# -# Valid levels are: -# -# 7 debug -# 6 info -# 5 notice -# 4 warning -# 3 err -# 2 crit -# 1 alert -# 0 emerg -# -# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall -# log messages are generated by NetFilter and are logged using facility -# 'kern' and the level that you specifify. If you are unsure of the level -# to choose, 6 (info) is a safe bet. You may specify levels by name or by -# number. -# -# If you have built your kernel with ULOG target support, you may also -# specify a log level of ULOG (must be all caps). 
Rather than log its -# messages to syslogd, Shorewall will direct netfilter to log the messages -# via the ULOG target which will send them to a process called 'ulogd'. -# ulogd is available with most Linux distributions (although it probably isn't -# installed by default). Ulogd is also available from -# http://www.gnumonks.org/projects/ulogd and can be configured to log all -# Shorewall message to their own log file -################################################################################ -# -# LOG FILE LOCATION -# -# This variable tells the /sbin/shorewall program where to look for Shorewall -# log messages. If not set or set to an empty string (e.g., LOGFILE="") then -# /var/log/messages is assumed. -# -# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see -# -# http://www.shorewall.net/shorewall_logging.html - -LOGFILE=/var/log/shorewall.log - -# -# LOG FORMAT -# -# Shell 'printf' Formatting template for the --log-prefix value in log messages -# generated by Shorewall to identify Shorewall log messages. The supplied -# template is expected to accept either two or three arguments; the first is -# the chain name, the second (optional) is the logging rule number within that -# chain and the third is the ACTION specifying the disposition of the packet -# being logged. You must use the %d formatting type for the rule number; if your -# template does not contain %d then the rule number will not be included. -# -# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: -# -# LOGFORMAT="fp=%s:%d a=%s " -# -# If not specified or specified as empty (LOGFORMAT="") then the value -# "Shorewall:%s:%s:" is assumed. 
-# -# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up -# to but not including the first '%') to find log messages in the 'show log', -# 'status' and 'hits' commands. This part should not be omitted (the -# LOGFORMAT should not begin with "%") and the leading part should be -# sufficiently unique for /sbin/shorewall to identify Shorewall messages. - -LOGFORMAT="Shorewall:%s:%s:" - -# -# LOG FORMAT Continued -# -# Using the default LOGFORMAT, chain names may not exceed 11 characters or -# truncation of the log prefix may occur. Longer chain names may be used with -# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is -# specified then the tag is included in the log prefix in place of the chain -# name. -# - -LOGTAGONLY=No - -# -# LOG RATE LIMITING -# -# The next two variables can be used to control the amount of log output -# generated. LOGRATE is expressed as a number followed by an optional -# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum -# rate at which a particular message will occur. LOGBURST determines the -# maximum initial burst size that will be logged. If set empty, the default -# value of 5 will be used. -# -# If BOTH variables are set empty then logging will not be rate-limited. -# -# Example: -# -# LOGRATE=10/minute -# LOGBURST=5 -# -# For each logging rule, the first time the rule is reached, the packet -# will be logged; in fact, since the burst is 5, the first five packets -# will be logged. After this, it will be 6 seconds (1 minute divided by -# the rate of 10) before a message will be logged from the rule, regardless -# of how many packets reach it. Also, every 6 seconds which passes without -# matching a packet, one of the bursts will be regained; if no packets hit -# the rule for 30 seconds, the burst will be fully recharged; back where -# we started. 
-# - -LOGRATE= -LOGBURST= - -# -# LOG ALL NEW -# -# This option should only be used when you are trying to analyze a problem. -# It causes all packets in the Netfilter NEW state to be logged as the -# first rule in each builtin chain. To use this option, set LOGALLNEW to -# the log level that you want these packets logged at (e.g., -# LOGALLNEW=debug). -# - -LOGALLNEW= - -# -# BLACKLIST LOG LEVEL -# -# Set this variable to the syslogd level that you want blacklist packets logged -# (beware of DOS attacks resulting from such logging). If not set, no logging -# of blacklist packets occurs. -# -# See the comment at the top of this section for a description of log levels -# -BLACKLIST_LOGLEVEL= - -# -# LOGGING 'New not SYN' rejects -# -# This variable only has an effect when NEWNOTSYN=No (see below). -# -# When a TCP packet that does not have the SYN flag set and the ACK and RST -# flags clear then unless the packet is part of an established connection, -# it will be rejected by the firewall. If you want these rejects logged, -# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. -# -# See the comment at the top of this section for a description of log levels -# -# Example: LOGNEWNOTSYN=debug - - -LOGNEWNOTSYN=ULOG - -# -# MAC List Log Level -# -# Specifies the logging level for connection requests that fail MAC -# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then -# such connection requests will not be logged. -# -# See the comment at the top of this section for a description of log levels -# - -MACLIST_LOG_LEVEL=ULOG - -# -# TCP FLAGS Log Level -# -# Specifies the logging level for packets that fail TCP Flags -# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then -# such packets will not be logged. 
-# -# See the comment at the top of this section for a description of log levels -# - -TCP_FLAGS_LOG_LEVEL=ULOG - -# -# RFC1918 Log Level -# -# Specifies the logging level for packets that fail RFC 1918 -# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then -# RFC1918_LOG_LEVEL=info is assumed. -# -# See the comment at the top of this section for a description of log levels -# - -RFC1918_LOG_LEVEL=ULOG - -# -# SMURF Log Level -# -# Specifies the logging level for smurf packets dropped by the -#'nosmurfs' interface option in /etc/shorewall/interfaces and in -# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL="" -# ) then dropped smurfs are not logged. - -# -# See the comment at the top of this section for a description of log levels -# - -SMURF_LOG_LEVEL=ULOG - -# -# BOGON Log Level -# -# Specifies the logging level for bogon packets dropped by the -#'nobogons' interface option in /etc/shorewall/interfaces and in -# /etc/shorewall/hosts. If set to the empty value -# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop' -# in /usr/share/shorewall/bogons are logged at the 'info' level. -# -# See the comment at the top of this section for a description of log levels -# - -BOGON_LOG_LEVEL=ULOG - -# -# MARTIAN LOGGING -# -# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets -# that have impossible source IP addresses. This logging may be enabled -# on individual interfaces by using the 'logmartians' option in -# /etc/shorewall/interfaces. -# - -LOG_MARTIANS=No -################################################################################ -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -################################################################################ -# -# IPTABLES -# -# Full path to iptables executable Shorewall uses to build the firewall. 
If -# not specified or if specified with an empty value (e.g., IPTABLES="") then -# the iptables executable located via the PATH setting below is used. -# -IPTABLES= - -# -# PATH - Change this if you want to change the order in which Shorewall -# searches directories for executable files. -# -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -# -# SHELL -# -# The firewall script is normally interpreted by /bin/sh. If you wish to change -# the shell used to interpret that script, specify the shell here. - -SHOREWALL_SHELL=/bin/sh - -# SUBSYSTEM LOCK FILE -# -# Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't -# use lock files, set this to "". -# - -SUBSYSLOCK=/var/run/shorewall - -# -# SHOREWALL TEMPORARY STATE DIRECTORY -# -# This is the directory where the firewall maintains state information while -# it is running -# - -STATEDIR=/var/state/shorewall - -# -# KERNEL MODULE DIRECTORY -# -# If your netfilter kernel modules are in a directory other than -# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that -# directory in this variable. Example: MODULESDIR=/etc/modules. - -MODULESDIR= - -# -# CONFIGURATION SEARCH PATH -# -# This option holds a list of directory names separated by colons -# (":"). Shorewall will search each directory in turn when looking for a -# configuration file. When processing a 'try' command or a command -# containing the "-c" option, Shorewall will automatically add the -# directory specified in the command to the front of this list. -# -# If not specified or specified as null ("CONFIG_PATH=""), -# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. 
- -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall - -# -# RESTORE SCRIPT -# -# This option determines the script to be run in the following cases: -# -# shorewall -f start -# shorewall restore -# shorewall save -# shorewall forget -# Failure of shorewall start or shorewall restart -# -# The value of the option must be the name of an executable file in the -# directory /var/lib/shorewall. If this option is not set or if it is -# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is -# assumed. - -RESTOREFILE= -################################################################################ -# F I R E W A L L O P T I O N S -################################################################################ - -# NAME OF THE FIREWALL ZONE -# -# Name of the firewall zone -- if not set or if set to an empty string, "fw" -# is assumed. -# -FW=fw - -# -# ENABLE IP FORWARDING -# -# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you -# say "Off" or "off", packet forwarding will be disabled. You would only want -# to disable packet forwarding if you are installing Shorewall on a -# standalone system or if you want all traffic through the Shorewall system -# to be handled by proxies. -# -# If you set this variable to "Keep" or "keep", Shorewall will neither -# enable nor disable packet forwarding. -# -IP_FORWARDING=On - -# -# AUTOMATICALLY ADD NAT IP ADDRESSES -# -# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses -# for each NAT external address that you give in /etc/shorewall/nat. If you say -# "No" or "no", you must add these aliases youself. -# -ADD_IP_ALIASES=Yes - -# -# AUTOMATICALLY ADD SNAT IP ADDRESSES -# -# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses -# for each SNAT external address that you give in /etc/shorewall/masq. If you say -# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless -# you are sure that you need it -- most people don't!!! 
-# -ADD_SNAT_ALIASES=No - -# -# RETAIN EXISTING ALIASES/IP ADDRESSES -# -# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall -# will first delete the address then re-add it. This is to ensure that the -# address is added with the specified label. Unfortunately, this can cause -# problems if it results in the deletion of the last IP address on an -# interface because then all routes through the interface are automatically -# removed. -# -# You can cause Shorewall to retain existing addresses by setting -# RETAIN_ALIASES=Yes. -# -RETAIN_ALIASES=No - -# -# ENABLE TRAFFIC SHAPING -# -# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If -# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic -# shaping you must have iproute[2] installed (the "ip" and "tc" utilities). - -TC_ENABLED=No - -# -# Clear Traffic Shapping/Control -# -# If this option is set to 'No' then Shorewall won't clear the current -# traffic control rules during [re]start. This setting is intended -# for use by people that prefer to configure traffic shaping when -# the network interfaces come up rather than when the firewall -# is started. If that is what you want to do, set TC_ENABLED=Yes and -# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That -# way, your traffic shaping rules can still use the 'fwmark' -# classifier based on packet marking defined in /etc/shorewall/tcrules. -# -# If omitted, CLEAR_TC=Yes is assumed. - -CLEAR_TC=Yes - -# -# Mark Packets in the forward chain -# -# When processing the tcrules file, Shorewall normally marks packets in the -# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set -# this to "Yes". If not specified or if set to the empty value (e.g., -# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. 
-# -# Marking packets in the FORWARD chain has the advantage that inbound -# packets destined for Masqueraded/SNATed local hosts have had their destination -# address rewritten so they can be marked based on their destination. When -# packets are marked in the PREROUTING chain, packets destined for -# Masqueraded/SNATed local hosts still have a destination address corresponding -# to the firewall's external interface. -# -# Note: Older kernels do not support marking packets in the FORWARD chain and -# setting this variable to Yes may cause startup problems. - -MARK_IN_FORWARD_CHAIN=No - -# -# MSS CLAMPING -# -# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" -# option. This option is most commonly required when your internet -# interface is some variant of PPP (PPTP or PPPoE). Your kernel must -# have CONFIG_IP_NF_TARGET_TCPMSS set. -# -# [From the kernel help: -# -# This option adds a `TCPMSS' target, which allows you to alter the -# MSS value of TCP SYN packets, to control the maximum size for that -# connection (usually limiting it to your outgoing interface's MTU -# minus 40). -# -# This is used to overcome criminally braindead ISPs or servers which -# block ICMP Fragmentation Needed packets. The symptoms of this -# problem are that everything works fine from your Linux -# firewall/router, but machines behind it can never exchange large -# packets: -# 1) Web browsers connect, then hang with no data received. -# 2) Small mail works fine, but large emails hang. -# 3) ssh works fine, but scp hangs after initial handshaking. -# ] -# -# If left blank, or set to "No" or "no", the option is not enabled. -# -# You may also set this option to a numeric value in which case Shorewall will -# set up a rule to modify the MSS value in SYN packets to the value that -# you specify. 
-# -# Example: -# -# CLAMPMSS=1400 -# -CLAMPMSS=No - -# -# ROUTE FILTERING -# -# Set this variable to "Yes" or "yes" if you want kernel route filtering on all -# interfaces started while Shorewall is started (anti-spoofing measure). -# -# If this variable is not set or is set to the empty value, "No" is assumed. -# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering -# on individual interfaces using the 'routefilter' option in the -# /etc/shorewall/interfaces file. - -ROUTE_FILTER=No - -# DNAT IP ADDRESS DETECTION -# -# Normally when Shorewall encounters the following rule: -# -# DNAT net loc:192.168.1.3 tcp 80 -# -# it will forward TCP port 80 connections from the net to 192.168.1.3 -# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is -# convenient for two reasons: -# -# a) If the the network interface has a dynamic IP address, the -# firewall configuration will work even when the address -# changes. -# -# b) It saves having to configure the IP address in the rule -# while still allowing the firewall to be started before the -# internet interface is brought up. -# -# This default behavior can also have a negative effect. If the -# internet interface has more than one IP address then the above -# rule will forward connection requests on all of these addresses; -# that may not be what is desired. -# -# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply -# only if the original destination address is the primary IP address of -# one of the interfaces associated with the source zone. Note that this -# requires all interfaces to the source zone to be up when the firewall -# is [re]started. - -DETECT_DNAT_IPADDRS=No - -# -# MUTEX TIMEOUT -# -# The value of this variable determines the number of seconds that programs -# will wait for exclusive access to the Shorewall lock file. 
After the number -# of seconds corresponding to the value of this variable, programs will assume -# that the last program to hold the lock died without releasing the lock. -# -# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. -# -# An appropriate value for this parameter would be twice the length of time -# that it takes your firewall system to process a "shorewall restart" command. - -MUTEX_TIMEOUT=60 - -# -# NEWNOTSYN -# -# TCP connections are established using the familiar three-way "handshake": -# -# CLIENT SERVER -# -# SYN--------------------> -# <------------------SYN,ACK -# ACK--------------------> -# -# The first packet in that exchange (packet with the SYN flag on and the ACK -# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. -# A packet is said to be NEW if it is not part of or related to an already -# established connection. -# -# The NEWNOTSYN option determines the handling of non-SYN packets (those with -# SYN off or with ACK or RST on) that are not associated with an already -# established connection. -# -# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not -# part of an already established connection will be dropped by the -# firewall. The setting of LOGNEWNOTSYN above determines if these packets are -# logged before they are dropped. -# -# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be -# dropped but will pass through the normal rule/policy processing. -# -# Users with a High-availability setup with two firewall's and one acting -# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may -# also need to select NEWNOTSYN=Yes. -# -# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis -# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a -# network or host basis using the same option in /etc/shorewall/hosts. 
- -# -# I find that NEWNOTSYN=No tends to result in lots of "stuck" -# connections because any network timeout during TCP session tear down -# results in retries being dropped (Netfilter has removed the -# connection from the conntrack table but the end-points haven't -# completed shutting down the connection). I therefore have chosen -# NEWNOTSYN=Yes as the default value. - -NEWNOTSYN=Yes - -# -# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT -# -# Normally, when a "shorewall stop" command is issued or an error occurs during -# the execution of another shorewall command, Shorewall puts the firewall into -# a state where only traffic to/from the hosts listed in -# /etc/shorewall/routestopped is accepted. -# -# When performing remote administration on a Shorewall firewall, it is -# therefore recommended that the IP address of the computer being used for -# administration be added to the firewall's /etc/shorewall/routestopped file. -# -# Some administrators have a hard time remembering to do this with the result -# that they get to drive across town in the middle of the night to restart -# a remote firewall (or worse, they have to get someone out of bed to drive -# across town to restart a very remote firewall). -# -# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting, -# when the firewall enters the 'stopped' state: -# -# All traffic that is part of or related to established connections is still -# allowed and all OUTPUT traffic is allowed. This is in addition to traffic -# to and from hosts listed in /etc/shorewall/routestopped. -# -# If this variable is not set or it is set to the null value then -# ADMINISABSENTMINDED=No is assumed. -# -ADMINISABSENTMINDED=Yes - -# -# BLACKLIST Behavior -# -# Shorewall offers two types of blacklisting: -# -# - static blacklisting through the /etc/shorewall/blacklist file together -# with the 'blacklist' interface option. -# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. 
-# -# The following variable determines whether the blacklist is checked for each -# packet or for each new connection. -# -# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection -# requests -# -# BLACKLISTNEWONLY=No Consult blacklists for all packets. -# -# If the BLACKLISTNEWONLY option is not set or is set to the empty value then -# BLACKLISTNEWONLY=No is assumed. -# -BLACKLISTNEWONLY=Yes - -# -# Users with a large blacklist find that "shorwall [re]start" takes a long -# time and that new connections are disabled during that time. By setting -# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections -# before loading the blacklist. - -DELAYBLACKLISTLOAD=No - -# MODULE NAME SUFFIX -# -# When loading a module named in /etc/shorewall/modules, Shorewall normally -# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names -# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a -# different naming convention then you can specify the suffix (extension) for -# module names in this variable. -# -# To see what suffix is used by your distribution: -# -# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter -# -# All of the file names listed should have the same suffix (extension). Set -# MODULE_SUFFIX to that suffix. -# -# Examples: -# -# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" -# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" -# - -MODULE_SUFFIX= - -# -# DISABLE IPV6 -# -# Distributions (notably SuSE) are beginning to ship with IPV6 -# enabled. If you are not using IPV6, you are at risk of being -# exploited by users who do. Setting DISABLE_IPV6=Yes will cause -# Shorewall to disable IPV6 traffic to/from and through your -# firewall system. This requires that you have ip6tables installed. 
-# Should be set to "No" for LEAF/LRP - -DISABLE_IPV6=No - -# -# BRIDGING -# -# If you wish to control traffic through a bridge (see http://bridge.sf.net), -# then set BRIDGING=Yes. Your kernel must have the physdev match option -# enabled; that option is available at the above URL for 2.4 kernels and -# is included as a standard part of the 2.6 series kernels. If not -# specified or specified as empty (BRIDGING="") then "No" is assumed. -# - -BRIDGING=No - -# -# DYNAMIC ZONES -# -# If you need to be able to add and delete hosts from zones dynamically then -# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No. - -DYNAMIC_ZONES=No - -# -# USE PKTTYPE MATCH -# -# Some users have reported problems with the PKTTYPE match extension not being -# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall -# will use IP addresses to detect broadcasts rather than pkttype. If not given -# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. - -PKTTYPE=Yes - -# -# DROP INVALID PACKETS -# -# Netfilter classifies packets relative to its connection tracking table into -# four states: -# -# NEW - thes packet initiates a new connection -# ESTABLISHED - thes packet is part of an established connection -# RELATED - thes packet is related to an established connection; it may -# establish a new connection -# INVALID - the packet does not related to the table in any sensible way. -# -# Recent 2.6 kernels include code that evaluates TCP packets based on TCP -# Window analysis. This can cause packets that were previously classified as -# NEW or ESTABLISHED to be classified as INVALID. 
-# -# The new kernel code can be disabled by including this command in your -# /etc/shorewall/init file: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal -# -# Additional kernel logging about INVALID TCP packets may be obtained by -# adding this command to /etc/shorewall/init: -# -# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid -# -# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID -# option allows INVALID packets to be passed through the normal rules chains by -# setting DROPINVALID=No. -# -# If not specified or if specified as empty (e.g., DROPINVALID="") then -# DROPINVALID=Yes is assumed. - -DROPINVALID=No - -# -# RFC 1918 BEHAVIOR -# -# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918' -# processing to cease for a packet if the packet's source IP address matches -# the rule. Thus, if you have: -# -# SUBNETS TARGET -# 192.168.1.0/24 RETURN -# -# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you -# also have: -# -# SUBNETS TARGET -# 10.0.0.0/8 logdrop -# -# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped -# since while the packet's source matches the RETURN rule, the packet's -# destination matches the 'logdrop' rule. -# -# If not specified or specified as empty (e.g., RFC1918_STRICT="") then -# RFC1918_STRICT=No is assumed. -# -# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support -# 'conntrack state' match. - -RFC1918_STRICT=No - -# -# MACLIST caching -# -# If your iptables and kernel support the "Recent Match" (see the output of -# "shorewall check" near the top), you can cache the results of a 'maclist' -# file lookup and thus reduce the overhead associated with MAC Verification -# (/etc/shorewall/maclist). -# -# When a new connection arrives from a 'maclist' interface, the packet passes -# through then list of entries for that interface in /etc/shorewall/maclist. 
If -# there is a match then the source IP address is added to the 'Recent' set for -# that interface. Subsequent connection attempts from that IP address occuring -# within $MACLIST_TTL seconds will be accepted without having to scan all of -# the entries. After $MACLIST_TTL from the first accepted connection request, -# the next connection request from that IP address will be checked against -# the entire list. -# -# If MACLIST_TTL is not specified or is specified as empty (e.g, -# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not -# be cached. - -MACLIST_TTL= - -################################################################################ -# P A C K E T D I S P O S I T I O N -################################################################################ -# -# BLACKLIST DISPOSITION -# -# Set this variable to the action that you want to perform on packets from -# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, -# DROP is assumed. -# - -BLACKLIST_DISPOSITION=DROP - -# -# MAC List Disposition -# -# This variable determines the disposition of connection requests arriving -# on interfaces that have the 'maclist' option and that are from a device -# that is not listed for that interface in /etc/shorewall/maclist. Valid -# values are ACCEPT, DROP and REJECT. If not specified or specified as -# empty (MACLIST_DISPOSITION="") then REJECT is assumed - -MACLIST_DISPOSITION=REJECT - -# -# TCP FLAGS Disposition -# -# This variable determins the disposition of packets having an invalid -# combination of TCP flags that are received on interfaces having the -# 'tcpflags' option specified in /etc/shorewall/interfaces or in -# /etc/shorewall/hosts. If not specified or specified as empty -# (TCP_FLAGS_DISPOSITION="") then DROP is assumed. - -TCP_FLAGS_DISPOSITION=DROP - -#LAST LINE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/start b/LrpN/etc/shorewall/start deleted file mode 100644 index 37077dfb6..000000000 
--- a/LrpN/etc/shorewall/start +++ /dev/null @@ -1,10 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/start -# -# Add commands below that you want to be executed after shorewall has -# been started or restarted. -# -for file in /etc/shorewall/start.d/* ; do - run_user_exit $file -done - diff --git a/LrpN/etc/shorewall/stop b/LrpN/etc/shorewall/stop deleted file mode 100644 index ab48d5961..000000000 --- a/LrpN/etc/shorewall/stop +++ /dev/null @@ -1,10 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# "shorewall stop" command. -# -for file in /etc/shorewall/stop.d/* ; do - run_user_exit $file -done - diff --git a/LrpN/etc/shorewall/stopped b/LrpN/etc/shorewall/stopped deleted file mode 100644 index d31d023c7..000000000 --- a/LrpN/etc/shorewall/stopped +++ /dev/null @@ -1,6 +0,0 @@ -############################################################################ -# Shorewall 2.2 -- /etc/shorewall/stopped -# -# Add commands below that you want to be executed at the completion of a -# "shorewall stop" command. -# diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules deleted file mode 100644 index 4c2009af0..000000000 --- a/LrpN/etc/shorewall/tcrules +++ /dev/null 
@@ -1,153 +0,0 @@ -# -# Shorewall version 2.2 - Traffic Control Rules File -# -# /etc/shorewall/tcrules -# -# Entries in this file cause packets to be marked as a means of -# classifying them for traffic control or policy routing. -# -# I M P O R T A N T ! ! ! ! -# -# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET -# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf -# -# Unlike rules in the /etc/shorewall/rules file, evaluation -# of rules in this file will continue after a match. So the -# final mark for each packet will be the one assigned by the -# LAST tcrule that matches. -# -# Columns are: -# -# -# MARK/ a) A mark value which is a integer in the range 1-255 -# CLASSIFY -# May optionally be followed by ":P" or ":F" -# where ":P" indicates that marking should occur in -# the PREROUTING chain and ":F" indicates that marking -# should occur in the FORWARD chain. If neither -# ":P" nor ":F" follow the mark value then the chain is -# determined by the setting of MARK_IN_FORWARD_CHAIN in -# /etc/shorewall/shorewall.conf. -# -# If your kernel and iptables include CONNMARK support -# then you can also mark the connection rather than -# the packet. -# -# The mark value may be optionally followed by "/" -# and a mask value (used to determine those bits of -# the connection mark to actually be set). The -# mark and optional mask are then followed by one of: -# -# C - Mark the connection in the chain determined -# by the setting of MARK_IN_FORWARD_CHAIN -# -# CF: Mark the connection in the FORWARD chain -# -# CP: Mark the connection in the PREROUTING chain. -# -# b) A classification of the form : where -# and are integers. Corresponds to -# the 'class' specification in these traffic shaping -# modules: -# -# - atm -# - cbq -# - dsmark -# - pfifo_fast -# - htb -# - prio -# -# Classify always occurs in the POSTROUTING chain. -# -# c) RESTORE[/mask] -- restore the packet's mark from the -# connection's mark using the supplied mask if any. 
-# Your kernel and iptables must include CONNMARK support. -# As in a) above, may be followed by ":P" or ":F -# -# c) SAVE[/mask] -- save the packet's mark to the -# connection's mark using the supplied mask if any. -# Your kernel and iptables must include CONNMARK support. -# As in a) above, may be followed by ":P" or ":F -# -# d) CONTINUE -- don't process any more marking rules in -# the table. As in a) above, may be followed by ":P" or -# ":F". -# -# SOURCE Source of the packet. A comma-separated list of -# interface names, IP addresses, MAC addresses -# and/or subnets. If your kernel and iptables include -# iprange match support, IP address ranges are also -# allowed. Use $FW if the packet originates on -# the firewall in which case the MARK column may NOT -# specify either ":P" or ":F" (marking always occurs -# in the OUTPUT chain). $FW may be optionally followed -# by ":" and a host/network address. -# -# MAC addresses must be prefixed with "~" and use -# "-" as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# DEST Destination of the packet. Comma separated list of -# IP addresses and/or subnets. If your kernel and -# iptables include iprange match support, IP address -# ranges are also allowed. -# -# If the MARK column specificies a classification of -# the form : then this column may also -# contain an interface name. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. -# -# PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example "bit" -# for bit-torrent). If no PORT is given, "ipp2p" is -# assumed. 
-# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following field is supplied. -# In that case, it is suggested that this field contain -# "-" -# -# SOURCE PORT(S) (Optional) Source port(s). If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# USER This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective user and/or group. -# -# It may contain : -# -# []:[] -# -# The colon is optionnal when specifying only a user. -# Examples : john: / john / :users / john:users -# -# TEST Defines a test on the existing packet or connection mark. -# The rule will match only if the test returns true. Tests -# have the format [!][/][:C] -# -# Where: -# -# ! Inverts the test (not equal) -# Value of the packet or connection mark. -# A mask to be applied to the mark before -# testing -# :C Designates a connection mark. If omitted, -# the packet mark's value is tested. -############################################################################## -#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/tos b/LrpN/etc/shorewall/tos deleted file mode 100644 index 1a41a5d6c..000000000 --- a/LrpN/etc/shorewall/tos +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# Shorewall 2.2 -- /etc/shorewall/tos -# -# This file defines rules for setting Type Of Service (TOS) -# -# Columns are: -# -# SOURCE Name of a zone declared in /etc/shorewall/zones, "all" -# or $FW. -# -# If not "all" or $FW, may optionally be followed by -# ":" and an IP address, a MAC address, a subnet -# specification or the name of an interface. -# -# Example: loc:192.168.2.3 -# -# MAC addresses must be prefixed with "~" and use -# "-" as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# DEST Name of a zone declared in /etc/shorewall/zones, "all" -# or $FW. -# -# If not "all" or $FW, may optionally be followed by -# ":" and an IP address or a subnet specification -# -# Example: loc:192.168.2.3 -# -# PROTOCOL Protocol. -# -# SOURCE PORTS Source port or port range. If all ports, use "-". -# -# DEST PORTS Destination port or port range. If all ports, use "-" -# -# TOS Type of service. Must be one of the following: -# -# Minimize-Delay (16) -# Maximize-Throughput (8) -# Maximize-Reliability (4) -# Minimize-Cost (2) -# Normal-Service (0) -# -############################################################################## -#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS -#LAST LINE -- Add your entries above -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/tunnels b/LrpN/etc/shorewall/tunnels deleted file mode 100644 index c764d63ba..000000000 --- a/LrpN/etc/shorewall/tunnels +++ /dev/null 
@@ -1,113 +0,0 @@ -# -# Shorewall 2.2 - /etc/shorewall/tunnels -# -# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. -# -# IPIP, GRE and OPENVPN tunnels must be configured on the -# firewall/gateway itself. IPSEC endpoints may be defined -# on the firewall/gateway or on an internal system. -# -# The columns are: -# -# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip" -# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or -# "generic" -# -# If the type is "ipsec" or "ipsecnat", it may be followed -# by ":noah" to indicate that the Authentication Header -# protocol (51) is not used by the tunnel. -# -# If type is "openvpn", it may optionally be followed -# by ":" and the port number used by the tunnel. if no -# ":" and port number are included, then the default port -# of 5000 will be used -# -# If type is "generic", it must be followed by ":" and -# a protocol name (from /etc/protocols) or a protocol -# number. If the protocol is "tcp" or "udp" (6 or 17), -# then it may optionally be followed by ":" and a -# port number. -# -# ZONE -- The zone of the physical interface through which -# tunnel traffic passes. This is normally your internet -# zone. -# -# GATEWAY -- The IP address of the remote tunnel gateway. If the -# remote getway has no fixed address (Road Warrior) -# then specify the gateway as 0.0.0.0/0. May be -# specified as a network address and if your kernel and -# iptables include iprange match support then IP address -# ranges are also allowed. -# -# GATEWAY -# ZONES -- Optional. If the gateway system specified in the third -# column is a standalone host then this column should -# contain a comma-separated list of the names of the -# zones that the host might be in. This column only -# applies to IPSEC and generic tunnels. -# -# Example 1: -# -# IPSec tunnel. The remote gateway is 4.33.99.124 and -# the remote subnet is 192.168.9.0/24. 
The tunnel does -# not use the AH protocol -# -# ipsec:noah net 4.33.99.124 -# -# Example 2: -# -# Road Warrior (LapTop that may connect from anywhere) -# where the "gw" zone is used to represent the remote -# LapTop. -# -# ipsec net 0.0.0.0/0 gw -# -# Example 3: -# -# Host 4.33.99.124 is a standalone system connected -# via an ipsec tunnel to the firewall system. The host -# is in zone gw. -# -# ipsec net 4.33.99.124 gw -# -# Example 4: -# -# Road Warriors that may belong to zones vpn1, vpn2 or -# vpn3. The FreeS/Wan _updown script will add the -# host to the appropriate zone using the "shorewall add" -# command on connect and will remove the host from the -# zone at disconnect time. -# -# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 -# -# Example 5: -# -# You run the Linux PPTP client on your firewall and -# connect to server 192.0.2.221. -# -# pptpclient net 192.0.2.221 -# -# Example 6: -# -# You run a PPTP server on your firewall. -# -# pptpserver net -# -# Example 7: -# -# OPENVPN tunnel. The remote gateway is 4.33.99.124 and -# openvpn uses port 7777. -# -# openvpn:7777 net 4.33.99.124 -# -# Example 8: -# -# You have a tunnel that is not one of the supported types. -# Your tunnel uses UDP port 4444. The other end of the -# tunnel is 4.3.99.124. -# -# generic:udp:4444 net 4.3.99.124 -# -# TYPE ZONE GATEWAY GATEWAY -# ZONE -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/zones b/LrpN/etc/shorewall/zones deleted file mode 100755 index 74c828682..000000000 --- a/LrpN/etc/shorewall/zones +++ /dev/null 
@@ -1,19 +0,0 @@ -# -# Shorewall 2.2 /etc/shorewall/zones -# -# This file determines your network zones. Columns are: -# -# ZONE Short name of the zone (5 Characters or less in length). -# DISPLAY Display name of the zone -# COMMENTS Comments about the zone -# -# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR -# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. -# -# See http://www.shorewall.net/Documentation.htm#Nested -# -#ZONE DISPLAY COMMENTS -net Net Internet -loc Local Local networks -#dmz DMZ Demilitarized zone -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall deleted file mode 100755 index 85079da45..000000000 --- a/LrpN/sbin/shorewall +++ /dev/null 
@@ -1,1315 +0,0 @@ -#!/bin/sh -# -# Shorewall Packet Filtering Firewall Control Program - V2.2 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# This file should be placed in /sbin/shorewall. -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# The firewall uses configuration files in /etc/shorewall/ - skeleton -# files is included with the firewall. -# -# Commands are: -# -# shorewall add [:] zone Adds a host or subnet to a zone -# shorewall delete [:] zone Deletes a host or subnet from a zone -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status -# plus the last 20 "interesting" -# packets -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and -# byte counts -# shorewall clear Open the floodgates by -# removing all iptables rules -# and setting the three permanent -# chain policies to ACCEPT -# shorewall refresh Rebuild the common chain to -# compensate for a change of -# broadcast address on any "detect" -# interface. 
-# shorewall show [ ... ] Display the rules in each listed -# shorewall show log Print the last 20 log messages -# shorewall show connections Show the kernel's connection -# tracking table -# shorewall show nat Display the rules in the nat table -# shorewall show {mangle|tos} Display the rules in the mangle table -# shorewall show tc Display traffic control info -# shorewall show classifiers Display classifiers -# shorewall version Display the installed version id -# shorewall check Verify the more heavily-used -# configuration files. -# shorewall try [ ] Try a new configuration and if -# it doesn't work, revert to the -# standard one. If a timeout is supplied -# the command reverts back to the -# standard configuration after that many -# seconds have elapsed after successfully -# starting the new configuration. -# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall -# messages. -# shorewall drop
... Temporarily drop all packets from the -# listed address(es) -# shorewall reject
... Temporarily reject all packets from the -# listed address(es) -# shorewall allow
... Reenable address(es) previously -# disabled with "drop" or "reject" -# shorewall save [ ] Save the list of "rejected" and -# "dropped" addresses so that it will -# be automatically reinstated the -# next time that Shorewall starts. -# Save the current state so that 'shorewall -# restore' can be used. -# -# shorewall forget [ ] Discard the data saved by 'shorewall save' -# -# shorewall restore [ ] Restore the state of the firewall from -# previously saved information. -# -# shorewall ipaddr [
/ |
] -# -# Displays information about the network -# defined by the argument[s] -# -# shorewall iprange
-
Decomposes a range of IP addresses into -# a list of network/host addresses. -# -# Fatal Error -# -fatal_error() # $@ = Message -{ - echo " $@" >&2 - exit 2 -} - -# Display a chain if it exists -# - -showfirstchain() # $1 = name of chain -{ - awk \ - 'BEGIN {prnt=0; rslt=1; }; \ - /^$/ { next; };\ - /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ - /Chain '$1'/ { prnt=1; }; \ - { if (prnt == 1) print; };\ - END { exit rslt; }' $TMPFILE -} - -showchain() # $1 = name of chain -{ - if [ "$firstchain" = "Yes" ]; then - if showfirstchain $1; then - firstchain= - fi - else - awk \ - 'BEGIN {prnt=0;};\ - /^$|^ pkts/ { next; };\ - /^Chain/ {if ( prnt == 1 ) exit; };\ - /Chain '$1'/ { prnt=1; };\ - { if (prnt == 1) print; }' $TMPFILE - fi -} - -# -# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed. -# - -iptablesbug() -{ - if qt which awk ; then - awk 'BEGIN {sline=""; };\ - /^-j/ { print sline $0; next };\ - /-m policy.*-j/ { print $0; next };\ - /-m policy/ { sline=$0; next };\ - {print ; sline="" }' - else - echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2 - cat - fi -} - -# -# Validate the value of RESTOREFILE -# -validate_restorefile() # $* = label -{ - case $RESTOREFILE in - */*) - echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 - exit 2 - ;; - esac -} - -# -# Set the configuration variables from shorewall.conf -# -get_config() { - - [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages - - if [ ! -f $LOGFILE ]; then - echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 - exit 2 - fi - # - # See if we have a real version of "tail" -- use separate redirection so - # that ash (aka /bin/sh on LRP) doesn't crap - # - if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then - realtail="Yes" - else - realtail="" - fi - - [ -n "$FW" ] || FW=fw - - [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" - - [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" - - if [ -n "$IPTABLES" ]; then - if [ ! -e "$IPTABLES" ]; then - echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 - exit 2 - fi - else - IPTABLES=$(which iptables 2> /dev/null) - if [ -z "$IPTABLES" ] ; then - echo " ERROR: Can't find iptables executable" >&2 - exit 2 - fi - fi - - if [ -n "$SHOREWALL_SHELL" ]; then - if [ ! -e "$SHOREWALL_SHELL" ]; then - echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 - exit 2 - fi - fi - - [ -n "$RESTOREFILE" ] || RESTOREFILE=restore - - validate_restorefile RESTOREFILE - - export RESTOREFILE - -} - -# -# Clear descriptor 1 if it is a terminal -# -clear_term() { - [ -t 1 ] && clear -} - -# -# Display IPTABLES rules -- we used to store them in a variable but ash -# dies when trying to display large sets of rules -# -display_chains() -{ - trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 - - if [ "$haveawk" = "Yes" ]; then - # - # Send the output to a temporary file since ash craps if we try to store - # the output in a variable. 
- # - TMPFILE=$(mktempfile) - [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - - $IPTABLES -L $IPT_OPTIONS >> $TMPFILE - - clear_term - echo "$banner $(date)" - echo - echo "Standard Chains" - echo - firstchain="Yes" - showchain INPUT - showchain OUTPUT - showchain FORWARD - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Input Chains" - echo - - chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2) - - for chain in $chains; do - showchain $chain - done - - timed_read - - for zone in $zones; do - - if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - eval display=\$${zone}_display - echo "$display Chains" - echo - for zone1 in $FW $zones; do - showchain ${zone}2$zone1 - showchain @${zone}2$zone1 - [ "$zone" != "$zone1" ] && \ - showchain ${zone1}2${zone} && \ - showchain @${zone1}2${zone} - done - - timed_read - fi - done - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Policy Chains" - echo - showchain common - showchain badpkt - showchain icmpdef - showchain rfc1918 - showchain blacklst - showchain reject - showchain newnotsyn - for zone in $zones all; do - showchain ${zone}2all - showchain @${zone}2all - [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } - done - - timed_read - - clear_term - echo "$banner $(date)" - echo - firstchain=Yes - echo "Dynamic Chain" - echo - showchain dynamic - timed_read - - qt rm -f $TMPFILE - else - $IPTABLES -L -n -v - timed_read - fi - trap - 1 2 3 4 5 6 9 - -} - -# -# Delay $timeout seconds -- if we're running on a recent bash2 then allow -# to terminate the delay -# -timed_read () -{ - read -t $timeout foo 2> /dev/null - - test $? 
-eq 2 && sleep $timeout -} - -# -# Display the last $1 packets logged -# -packet_log() # $1 = number of messages -{ - local options - - [ -n "$realtail" ] && options="-n$1" - - grep "${LOGFORMAT}" $LOGFILE | \ - sed s/" kernel:"// | \ - sed s/" $host $LOGFORMAT"/" "/ | \ - sed 's/MAC=.* SRC=/SRC=/' | \ - tail $options -} - -# -# Show traffic control information -# -show_tc() { - - show_one_tc() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s -d qdisc show dev $device - tc -s -d class show dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_tc ${interface%:} - ;; - *) - ;; - esac - done - -} - -# -# Show classifier information -# -show_classifiers() { - - show_one_classifier() { - local device=${1%@*} - qdisc=$(tc qdisc list dev $device) - - if [ -n "$qdisc" ]; then - echo Device $device: - tc -s filter ls dev $device - echo - fi - } - - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_classifier ${interface%:} - ;; - *) - ;; - esac - done - -} -# -# Monitor the Firewall -# -monitor_firewall() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - let "timeout=- $1" - pause="Yes" - else - pause="No" - timeout=$1 - fi - - - if qt which awk; then - TMP_DIR=$(mktempdir) - [ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; } - haveawk=Yes - determine_zones - rm -rf $TMP_DIR - else - haveawk= - fi - - while true; do - display_chains - - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 20 - - if 
[ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 20 - timed_read - fi - - clear_term - echo "$banner $(date)" - echo - echo "NAT Status" - echo - $IPTABLES -t nat -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "TOS/MARK Status" - echo - $IPTABLES -t mangle -L $IPT_OPTIONS - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Tracked Connections" - echo - cat /proc/net/ip_conntrack - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Traffic Shaping/Control" - echo - show_tc - timed_read - - clear_term - echo "$banner $(date)" - echo - echo - echo "Packet Classifiers" - echo - show_classifiers - timed_read - done -} - -# -# Watch the Firewall Log -# -logwatch() # $1 = timeout -- if negative, prompt each time that - # an 'interesting' packet count changes -{ - - host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ $1 -lt 0 ]; then - timeout=$((- $1)) - pause="Yes" - else - pause="No" - timeout=$1 - fi - - qt which awk && haveawk=Yes || haveawk= - - while true; do - clear_term - echo "$banner $(date)" - echo - - echo "Dropped/Rejected Packet Log" - echo - - show_reset - - rejects=$($IPTABLES -L -v -n | grep 'LOG') - - if [ "$rejects" != "$oldrejects" ]; then - oldrejects="$rejects" - - $RING_BELL - - packet_log 40 - - if [ "$pause" = "Yes" ]; then - echo - echo $ECHO_N 'Enter any character to continue: ' - read foo - else - timed_read - fi - else - echo - packet_log 40 - timed_read - fi - done -} - -# -# Help information -# -help() -{ - [ -x $HELP ] && { export version; exec $HELP $*; } - echo "Help subsystem is not installed at $HELP" -} - -# -# Give Usage Information -# -usage() # $1 = exit status -{ - echo "Usage: $(basename $0) [debug|trace] [nolock] [-c ] [ -x ] [ -q ] [ -f ] " - echo "where is one of:" - echo " add [:{[:]|}[,...]] ... 
" - echo " allow
..." - echo " check [ ]" - echo " clear" - echo " delete [:{[:]|}[,...]] ... " - echo " drop
..." - echo " forget [ ]" - echo " help [ | host | address ]" - echo " hits" - echo " ipcalc [
/ |
]" - echo " iprange
-
" - echo " logwatch []" - echo " monitor []" - echo " refresh" - echo " reject
..." - echo " reset" - echo " restart [ ]" - echo " restore [ ]" - echo " save [ ]" - echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos|zones]" - echo " start [ ]" - echo " stop" - echo " status" - echo " try [ ]" - echo " version" - echo - echo "The -c and -f options may not be specified with a in the start, restart and check commands" - exit $1 -} - -# -# Display the time that the counters were last reset -# -show_reset() { - [ -f $STATEDIR/restarted ] && \ - echo "Counters reset $(cat $STATEDIR/restarted)" && \ - echo -} -# -# Display's the passed file name followed by "=" and the file's contents. -# -show_proc() # $1 = name of a file -{ - [ -f $1 ] && echo " $1 = $(cat $1)" -} - -# -# Execution begins here -# -debugging= - -if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then - debugging=debug - shift -fi - -nolock= - -if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then - nolock=nolock - shift -fi - -SHOREWALL_DIR= -QUIET= -IPT_OPTIONS="-nv" -FAST= - -done=0 - -while [ $done -eq 0 ]; do - [ $# -eq 0 ] && usage 1 - option=$1 - case $option in - -*) - option=${option#-} - - [ -z "$option" ] && usage 1 - - while [ -n "$option" ]; do - case $option in - c) - [ $# -eq 1 ] && usage 1 - - if [ ! 
-d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - option= - shift - ;; - x*) - IPT_OPTIONS="-xnv" - option=${option#x} - ;; - q*) - QUIET=Yes - option=${option#q} - ;; - f*) - FAST=Yes - option=${option#f} - ;; - *) - usage 1 - ;; - esac - done - shift - ;; - *) - done=1 - ;; - esac -done - -if [ $# -eq 0 ]; then - usage 1 -fi - -[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -[ -n "$QUIET" ] && export QUIET - -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin -MUTEX_TIMEOUT= - -SHARED_DIR=/usr/share/shorewall -FIREWALL=$SHARED_DIR/firewall -FUNCTIONS=$SHARED_DIR/functions -VERSION_FILE=$SHARED_DIR/version -HELP=$SHARED_DIR/help - -if [ -f $FUNCTIONS ]; then - . $FUNCTIONS -else - echo "$FUNCTIONS does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -config=$(find_file shorewall.conf) - -if [ -f $config ]; then - if [ -r $config ]; then - . $config - else - echo "Cannot read $config! (Hint: Are you root?)" >&2 - exit 1 - fi -else - echo "$config does not exist!" >&2 - exit 2 -fi - -ensure_config_path - -export CONFIG_PATH - -get_config - -[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - -if [ ! 
-f $FIREWALL ]; then - echo "ERROR: Shorewall is not properly installed" - if [ -L $FIREWALL ]; then - echo " $FIREWALL is a symbolic link to a" - echo " non-existant file" - else - echo " The file $FIREWALL does not exist" - fi - - exit 2 -fi - -if [ -f $VERSION_FILE ]; then - version=$(cat $VERSION_FILE) -else - echo "ERROR: Shorewall is not properly installed" - echo " The file $VERSION_FILE does not exist" - exit 1 -fi - -banner="Shorewall-$version Status at $HOSTNAME -" - -case $(echo -e) in - -e*) - RING_BELL="echo \a" - ;; - *) - RING_BELL="echo -e \a" - ;; -esac - -case $(echo -n "Testing") in - -n*) - ECHO_N= - ;; - *) - ECHO_N=-n - ;; -esac - -case "$1" in - start) - case $# in - 1) - ;; - 2) - [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 - - if [ ! -d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - - if [ -n "$FAST" ]; then - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... - $RESTOREPATH - date > $STATEDIR/restarted - echo Shorewall restored from $RESTOREPATH - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - else - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start - fi - ;; - stop|reset|clear|refresh) - [ $# -ne 1 ] && usage 1 - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 - ;; - check|restart) - case $# in - 1) - ;; - 2) - [ -n "$SHOREWALL_DIR" ] && usage 2 - - if [ ! 
-d $2 ]; then - if [ -e $2 ]; then - echo "$2 is not a directory" >&2 && exit 2 - else - echo "Directory $2 does not exist" >&2 && exit 2 - fi - fi - - SHOREWALL_DIR=$2 - export SHOREWALL_DIR - ;; - *) - usage 1 - ;; - esac - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 - ;; - add|delete) - [ $# -lt 3 ] && usage 1 - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ - ;; - show|list) - [ -n "$debugging" ] && set -x - case "$2" in - connections) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Connections at $HOSTNAME - $(date)" - echo - cat /proc/net/ip_conntrack - ;; - nat) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version NAT at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t nat -L $IPT_OPTIONS - ;; - tos|mangle) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version TOS at $HOSTNAME - $(date)" - echo - show_reset - $IPTABLES -t mangle -L $IPT_OPTIONS - ;; - log) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Log at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - packet_log 20 - ;; - tc) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)" - echo - show_tc - ;; - classifiers) - [ $# -gt 2 ] && usage 1 - echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)" - echo - show_classifiers - ;; - zones) - [ $# -gt 2 ] && usage 1 - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall - if [ -f $STATEDIR/zones ]; then - echo "Shorewall-$version Zones at $HOSTNAME - $(date)" - echo - while read zone hosts; do - echo $zone - for host in $hosts; do - echo " $host" - done - done < $STATEDIR/zones - echo - else - echo " ERROR: $STATEDIR/zones does not exist" >&2 - exit 1 - fi - ;; - *) - shift - - echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $IPTABLES -L $chain $IPT_OPTIONS - done - else - $IPTABLES -L $IPT_OPTIONS - fi - ;; - esac - ;; - 
monitor) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - monitor_firewall $2 - elif [ $# -eq 1 ]; then - monitor_firewall 30 - else - usage 1 - fi - ;; - status) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - clear_term - echo "Shorewall-$version Status at $HOSTNAME - $(date)" - echo - show_reset - host=$(echo $HOSTNAME | sed 's/\..*$//') - $IPTABLES -L $IPT_OPTIONS - echo - packet_log 20 - echo - echo "NAT Table" - echo - $IPTABLES -t nat -L $IPT_OPTIONS - echo - echo "Mangle Table" - echo - $IPTABLES -t mangle -L $IPT_OPTIONS - echo - cat /proc/net/ip_conntrack - echo - echo "IP Configuration" - echo - ip addr ls - echo - echo "IP Stats" - echo - ip -stat link ls - - if qt which brctl; then - echo - echo "Bridges" - echo - brctl show - fi - - echo - echo "/proc" - echo - - show_proc /proc/sys/net/ipv4/ip_forward - show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all - - for directory in /proc/sys/net/ipv4/conf/*; do - for file in proxy_arp arp_filter rp_filter log_martians; do - show_proc $directory/$file - done - done - - if [ -n "$(ip rule ls)" ]; then - echo - echo "Routing Rules" - echo - ip rule ls - ip rule ls | while read rule; do - table=${rule##* } - echo - echo "Table $table:" - echo - ip route ls table $table - done - else - echo - echo "Routing Table" - echo - ip route ls - fi - - echo - echo "ARP" - echo - arp -na - - if qt which lsmod; then - echo - echo "Modules" - echo - lsmod | grep -E '^ip_|^ipt_' - fi - ;; - hits) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - clear_term - echo "Shorewall-$version Hits at $HOSTNAME - $(date)" - echo - - timeout=30 - - if [ $(grep -c "$LOGFORMAT" $LOGFILE ) -gt 0 ] ; then - echo " HITS IP DATE" - echo " ---- --------------- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS IP PORT" - echo " ---- --------------- -----" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( 
DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ - t - s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS DATE" - echo " ---- ------" - grep "$LOGFORMAT" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn - echo "" - - echo " HITS PORT SERVICE(S)" - echo " ---- ----- ----------" - grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ - while read count port ; do - # List all services defined for the given port - srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u) - srv=$(echo $srv | sed 's/ /,/g') - - if [ -n "$srv" ] ; then - printf '%7d %5d %s\n' $count $port $srv - else - printf '%7d %5d\n' $count $port - fi - done - fi - ;; - version) - echo $version - ;; - try) - [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" - [ $# -lt 2 -o $# -gt 3 ] && usage 1 - if ! $0 $debugging -c $2 restart; then - if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then - $0 start - fi - elif ! 
$IPTABLES -L shorewall > /dev/null 2> /dev/null; then - $0 start - elif [ $# -eq 3 ]; then - sleep $3 - $0 restart - fi - ;; - logwatch) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - logwatch $2 - elif [ $# -eq 1 ]; then - logwatch 30 - else - usage 1 - fi - ;; - drop) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j DROP || break 1 - echo "$1 Dropped" - done - mutex_off - ;; - reject) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - qt $IPTABLES -D dynamic -s $1 -j reject - qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j reject || break 1 - echo "$1 Rejected" - done - mutex_off - ;; - allow) - [ -n "$debugging" ] && set -x - [ $# -eq 1 ] && usage 1 - mutex_on - while [ $# -gt 1 ]; do - shift - if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then - echo "$1 Allowed" - else - echo "$1 Not Dropped or Rejected" - fi - done - mutex_off - ;; - save) - [ -n "$debugging" ] && set -x - - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - mutex_on - - if qt $IPTABLES -L shorewall -n; then - [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall - - if [ -f $RESTOREPATH -a ! 
-x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration" - else - case $RESTOREFILE in - save|restore-base) - echo " ERROR: Reserved file name: $RESTOREFILE" - ;; - *) - if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then - echo " Dynamic Rules Saved" - if [ -f /var/lib/shorewall/restore-base ]; then - cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ - if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then - echo __EOF__ >> /var/lib/shorewall/restore-$$ - [ -f /var/lib/shorewall/restore-tail ] && \ - cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH - chmod +x $RESTOREPATH - echo " Currently-running Configuration Saved to $RESTOREPATH" - else - rm -f /var/lib/shorewall/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" - fi - else - echo " ERROR: /var/lib/shorewall/restore-base does not exist" - fi - else - echo "Error Saving the Dynamic Rules" - fi - ;; - esac - fi - else - echo "Shorewall isn't started" - fi - mutex_off - ;; - forget) - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - rm -f $RESTOREPATH - echo " $RESTOREPATH removed" - elif [ -f $RESTOREPATH ]; then - echo " $RESTOREPATH exists and is not a saved Shorewall configuration" - fi - ;; - ipcalc) - [ -n "$debugging" ] && set -x - if [ $# -eq 2 ]; then - address=${2%/*} - vlsm=${2#*/} - elif [ $# -eq 3 ]; then - address=$2 - vlsm=$(ip_vlsm $3) - else - usage 1 - fi - - [ -z "$vlsm" ] && exit 2 - [ "x$address" = "x$vlsm" ] && usage 2 - [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2 - - address=$address/$vlsm - - echo " CIDR=$address" - temp=$(ip_netmask $address); echo " NETMASK=$(encodeaddr $temp)" - temp=$(ip_network $address); echo " NETWORK=$temp" - temp=$(broadcastaddress 
$address); echo " BROADCAST=$temp" - ;; - - iprange) - [ -n "$debugging" ] && set -x - case $2 in - *.*.*.*-*.*.*.*) - ip_range $2 - ;; - *) - usage 1 - ;; - esac - ;; - restore) - case $# in - 1) - ;; - 2) - RESTOREFILE="$2" - validate_restorefile '' - ;; - *) - usage 1 - ;; - esac - - RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - - if [ -x $RESTOREPATH ]; then - echo Restoring Shorewall... - $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE" - else - echo "File /var/lib/shorewall/$RESTOREFILE: file not found" - exit 2 - fi - ;; - call) - [ -n "$debugging" ] && set -x - # - # Undocumented way to call functions in /usr/share/shorewall/functions directly - # - shift; - $@ - ;; - help) - shift - [ $# -ne 1 ] && usage 1 - help $@ - ;; - *) - usage 1 - ;; - -esac diff --git a/LrpN/usr/share/shorewall/action.AllowAuth b/LrpN/usr/share/shorewall/action.AllowAuth deleted file mode 100644 index af54a9e9c..000000000 --- a/LrpN/usr/share/shorewall/action.AllowAuth +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth -# -# This action accepts Auth (identd) traffic. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 113 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowDNS b/LrpN/usr/share/shorewall/action.AllowDNS deleted file mode 100644 index 9887b9795..000000000 --- a/LrpN/usr/share/shorewall/action.AllowDNS +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS -# -# This action accepts DNS traffic. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 53 -ACCEPT - - tcp 53 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/LrpN/usr/share/shorewall/action.AllowFTP b/LrpN/usr/share/shorewall/action.AllowFTP deleted file mode 100644 index 0a0c9951b..000000000 --- a/LrpN/usr/share/shorewall/action.AllowFTP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP -# -# This action accepts FTP traffic. See -# http://www.shorewall.net/FTP.html for additional considerations. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 21 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowICMPs b/LrpN/usr/share/shorewall/action.AllowICMPs deleted file mode 100644 index 91e462913..000000000 --- a/LrpN/usr/share/shorewall/action.AllowICMPs +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs -# -# ACCEPT needed ICMP types -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -# -ACCEPT - - icmp fragmentation-needed -ACCEPT - - icmp time-exceeded diff --git a/LrpN/usr/share/shorewall/action.AllowIMAP b/LrpN/usr/share/shorewall/action.AllowIMAP deleted file mode 100644 index 71e7b15d1..000000000 --- a/LrpN/usr/share/shorewall/action.AllowIMAP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP -# -# This action accepts IMAP traffic (secure and insecure): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 143 #Unsecure IMAP -ACCEPT - - tcp 993 #Secure IMAP -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/LrpN/usr/share/shorewall/action.AllowNNTP b/LrpN/usr/share/shorewall/action.AllowNNTP deleted file mode 100644 index a5d68b49e..000000000 --- a/LrpN/usr/share/shorewall/action.AllowNNTP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP -# -# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS) -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 119 -ACCEPT - - tcp 563 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowNTP b/LrpN/usr/share/shorewall/action.AllowNTP deleted file mode 100644 index 936954769..000000000 --- a/LrpN/usr/share/shorewall/action.AllowNTP +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP -# -# This action accepts NTP traffic (ntpd). -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -ACCEPT - - udp 123 -ACCEPT - - udp 1024: 123 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowPCA b/LrpN/usr/share/shorewall/action.AllowPCA deleted file mode 100644 index 26b57bdca..000000000 --- a/LrpN/usr/share/shorewall/action.AllowPCA +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA -# -# This action accepts PCAnywere (tm) -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 5632 -ACCEPT - - tcp 5631 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/LrpN/usr/share/shorewall/action.AllowPOP3 b/LrpN/usr/share/shorewall/action.AllowPOP3 deleted file mode 100644 index 4634b9bbd..000000000 --- a/LrpN/usr/share/shorewall/action.AllowPOP3 +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3 -# -# This action accepts POP3 traffic (secure and insecure): -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -ACCEPT - - tcp 110 #Unsecure POP3 -ACCEPT - - tcp 995 #Secure POP3 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowPing b/LrpN/usr/share/shorewall/action.AllowPing deleted file mode 100644 index 4ef4eeae1..000000000 --- a/LrpN/usr/share/shorewall/action.AllowPing +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowPing -# -# This action accepts 'ping' requests. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - icmp 8 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowRdate b/LrpN/usr/share/shorewall/action.AllowRdate deleted file mode 100644 index 5c1d8054f..000000000 --- a/LrpN/usr/share/shorewall/action.AllowRdate +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate -# -# This action accepts remote time retrieval (rdate). -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 37 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowSMB b/LrpN/usr/share/shorewall/action.AllowSMB deleted file mode 100644 index b7f1e4412..000000000 
--- a/LrpN/usr/share/shorewall/action.AllowSMB +++ /dev/null @@ -1,14 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB -# -# Allow Microsoft SMB traffic. You need to invoke this action in -# both directions. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - udp 135,445 -ACCEPT - - udp 137:139 -ACCEPT - - udp 1024: 137 -ACCEPT - - tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowSMTP b/LrpN/usr/share/shorewall/action.AllowSMTP deleted file mode 100644 index 2ad5f2597..000000000 --- a/LrpN/usr/share/shorewall/action.AllowSMTP +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP -# -# This action accepts SMTP (email) traffic. -# -# Note: This action allows traffic between an MUA (Email client) -# and an MTA (mail server) or between MTAs. It does not enable -# reading of email via POP3 or IMAP. For those you need to use -# the AllowPOP3 or AllowIMAP actions. -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -ACCEPT - - tcp 25 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/action.AllowSNMP b/LrpN/usr/share/shorewall/action.AllowSNMP deleted file mode 100644 index 33b1b4c0d..000000000 --- a/LrpN/usr/share/shorewall/action.AllowSNMP +++ /dev/null 
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
-#
-# This action accepts SNMP traffic (including traps):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 161:162
-ACCEPT - - tcp 161
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowSSH b/LrpN/usr/share/shorewall/action.AllowSSH
deleted file mode 100644
index 71ae5adbf..000000000
--- a/LrpN/usr/share/shorewall/action.AllowSSH
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
-#
-# This action accepts secure shell (SSH) traffic.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 22
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowTelnet b/LrpN/usr/share/shorewall/action.AllowTelnet
deleted file mode 100644
index 3b06d098a..000000000
--- a/LrpN/usr/share/shorewall/action.AllowTelnet
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
-#
-# This action accepts Telnet traffic. For traffic over the
-# internet, telnet is inappropriate; use SSH instead
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 23
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowTrcrt b/LrpN/usr/share/shorewall/action.AllowTrcrt
deleted file mode 100644
index 9fbce93fa..000000000
--- a/LrpN/usr/share/shorewall/action.AllowTrcrt
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
-#
-# This action accepts Traceroute (for up to 30 hops):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - udp 33434:33524 #UDP Traceroute
-ACCEPT - - icmp 8 #ICMP Traceroute
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowVNC b/LrpN/usr/share/shorewall/action.AllowVNC
deleted file mode 100644
index bf6a40aa9..000000000
--- a/LrpN/usr/share/shorewall/action.AllowVNC
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
-#
-# This action accepts VNC traffic for VNC display's 0 - 9.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5900:5909
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowVNCL b/LrpN/usr/share/shorewall/action.AllowVNCL
deleted file mode 100644
index 2bcabd2a4..000000000
--- a/LrpN/usr/share/shorewall/action.AllowVNCL
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
-#
-# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 5500
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.AllowWeb b/LrpN/usr/share/shorewall/action.AllowWeb
deleted file mode 100644
index f32049606..000000000
--- a/LrpN/usr/share/shorewall/action.AllowWeb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
-#
-# This action accepts WWW traffic (secure and insecure):
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-ACCEPT - - tcp 80
-ACCEPT - - tcp 443
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.Drop b/LrpN/usr/share/shorewall/action.Drop
deleted file mode 100644
index fc8188d18..000000000
--- a/LrpN/usr/share/shorewall/action.Drop
+++ /dev/null
@@ -1,49 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.Drop
-#
-# The default DROP common rules
-#
-# This action is invoked before a DROP policy is enforced. The purpose of the action
-# is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
-# Otherwise, you may experience problems establishing connections with
-# servers that use auth.
-# c) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
-######################################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Reject 'auth'
-#
-RejectAuth
-#
-# Don't log broadcasts
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
-# confuse people when they appear in the log.
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DropSMB
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.DropDNSrep b/LrpN/usr/share/shorewall/action.DropDNSrep
deleted file mode 100644
index 760ac92e3..000000000
--- a/LrpN/usr/share/shorewall/action.DropDNSrep
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
-#
-# This action silently drops DNS UDP replies
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp - 53
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.DropPing b/LrpN/usr/share/shorewall/action.DropPing
deleted file mode 100644
index fb079bac6..000000000
--- a/LrpN/usr/share/shorewall/action.DropPing
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropPing
-#
-# This action silently drops 'ping' requests.
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - icmp 8
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.DropSMB b/LrpN/usr/share/shorewall/action.DropSMB
deleted file mode 100644
index ac2218470..000000000
--- a/LrpN/usr/share/shorewall/action.DropSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
-#
-# This action silently drops Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 135
-DROP - - udp 137:139
-DROP - - udp 445
-DROP - - tcp 135
-DROP - - tcp 139
-DROP - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.DropUPnP b/LrpN/usr/share/shorewall/action.DropUPnP
deleted file mode 100644
index 30a4865f8..000000000
--- a/LrpN/usr/share/shorewall/action.DropUPnP
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
-#
-# This action silently drops UPnP probes on UDP port 1900
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-DROP - - udp 1900
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.Reject b/LrpN/usr/share/shorewall/action.Reject
deleted file mode 100644
index 9e116eb22..000000000
--- a/LrpN/usr/share/shorewall/action.Reject
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.Reject
-#
-# The default REJECT action common rules
-#
-# This action is invoked before a REJECT policy is enforced. The purpose of the action
-# is:
-#
-# a) Avoid logging lots of useless cruft.
-# b) Ensure that certain ICMP packets that are necessary for successful
-# internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
-######################################################################################
-#TARGET SOURCE DEST PROTO
-#
-# Don't log 'auth' REJECT
-#
-RejectAuth
-#
-# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs - - icmp
-#
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
-# confuse people when they appear in the log (these ICMPs cannot be rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the lot.
-#
-RejectSMB
-DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn - - tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
-#
-DropDNSrep
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.RejectAuth b/LrpN/usr/share/shorewall/action.RejectAuth
deleted file mode 100644
index a89ee4dfc..000000000
--- a/LrpN/usr/share/shorewall/action.RejectAuth
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
-#
-# This action silently rejects Auth (tcp 113) traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - tcp 113
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.RejectSMB b/LrpN/usr/share/shorewall/action.RejectSMB
deleted file mode 100644
index 19cc5af2d..000000000
--- a/LrpN/usr/share/shorewall/action.RejectSMB
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
-#
-# This action silently rejects Microsoft SMB traffic
-#
-######################################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT PORT(S) LIMIT GROUP
-REJECT - - udp 135
-REJECT - - udp 137:139
-REJECT - - udp 445
-REJECT - - tcp 135
-REJECT - - tcp 139
-REJECT - - tcp 445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/action.template b/LrpN/usr/share/shorewall/action.template
deleted file mode 100644
index 80152daa5..000000000
--- a/LrpN/usr/share/shorewall/action.template
+++ /dev/null
@@ -1,164 +0,0 @@ -# -# Shorewall 2.2 /etc/shorewall/action.template -# -# This file is a template for files with names of the form -# /etc/shorewall/action. where is an -# ACTION defined in /etc/shorewall/actions. -# -# To define a new action: -# -# 1. Add the to /etc/shorewall/actions -# 2. Copy this file to /etc/shorewall/action. -# 3. Add the desired rules to that file. -# -# Columns are: -# -# -# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a -# previously-defined -# -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as p2pwall. -# CONTINUE -- Discontinue processing this action -# and return to the point where the -# action was invoked. -# -- An defined in -# /etc/shorewall/actions. The -# must appear in that file BEFORE the -# one being defined in this file. -# -# The TARGET may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# ACCEPT:debugging). This causes the packet to be -# logged at the specified level. -# -# The special log level 'none' does not result in logging -# but rather exempts the rule from being overridden by a -# non-forcing log level when the action is invoked. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. -# A comma-separated list of subnets -# and/or hosts. 
Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# 192.168.2.2 Host 192.168.2.2 -# -# 155.186.235.0/24 Subnet 155.186.235.0/24 -# -# 10.0.0.4-10.0.0.9 Range of IP addresses; your -# kernel and iptables must have -# iprange match support. -# -# 192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2. -# ~00-A0-C9-15-39-78 Host with -# MAC address 00:A0:C9:15:39:78. -# -# Alternatively, clients may be specified by interface -# name. For example, eth1 specifies a -# client that communicates with the firewall system -# through eth1. This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., eth1:192.168.1.5). -# -# DEST Location of Server. Same as above with the exception that -# MAC addresses are not allowed. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or -# "all". -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following fields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. 
-# -# If you don't want to restrict client ports but need to -# specify an ADDRESS in the next column, then place "-" -# in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this column: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/actions.std b/LrpN/usr/share/shorewall/actions.std deleted file mode 100644 index 7d8c5c334..000000000 --- a/LrpN/usr/share/shorewall/actions.std +++ /dev/null 
@@ -1,53 +0,0 @@
-#
-# Shorewall 2.2 /usr/share/shorewall/actions.std
-#
-#
-# Builtin Actions are:
-#
-# allowBcast #Silently Allow Broadcast/multicast
-# dropBcast #Silently Drop Broadcast/multicast
-# dropNotSyn #Silently Drop Non-syn TCP packets
-# rejNotSyn #Silently Reject Non-syn TCP packets
-# dropInvalid #Silently Drop packets that are in the INVALID
-# #conntrack state.
-# allowInvalid #Accept packets that are in the INVALID
-# #conntrack state.
-# allowoutUPnP #Allow traffic from local command 'upnpd'
-# allowinUPnP #Allow UPnP inbound (to firewall) traffic
-# forwardUPnP #Allow traffic that upnpd has redirected from
-# #'upnp' interfaces.
-#
-#ACTION
-
-DropSMB #Silently Drops Microsoft SMB Traffic
-RejectSMB #Silently Reject Microsoft SMB Traffic
-DropUPnP #Silently Drop UPnP Probes
-RejectAuth #Silently Reject Auth
-DropPing #Silently Drop Ping
-DropDNSrep #Silently Drop DNS Replies
-
-AllowPing #Accept Ping
-AllowFTP #Accept FTP
-AllowDNS #Accept DNS
-AllowSSH #Accept SSH
-AllowWeb #Allow Web Browsing
-AllowSMB #Allow MS Networking
-AllowAuth #Allow Auth (identd)
-AllowSMTP #Allow SMTP (Email)
-AllowPOP3 #Allow reading mail via POP3
-AllowICMPs #Allows critical ICMP types
-AllowIMAP #Allow reading mail via IMAP
-AllowTelnet #Allow Telnet Access (not recommended for use over the
- #Internet)
-AllowVNC #Allow VNC viewer->server, Displays 0-9
-AllowVNCL #Allow VNC server->viewer in listening mode
-AllowNTP #Allow Network Time Protocol (ntpd)
-AllowRdate #Allow remote time (rdate).
-AllowNNTP #Allow network news (Usenet).
-AllowTrcrt #Allows Traceroute (20 hops)
-AllowSNMP #Allows SNMP (including traps)
-AllowPCA #Allows PCAnywhere (tm)
-
-Drop:DROP #Common Action for DROP policy
-Reject:REJECT #Common Action for REJECT policy
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/bogons b/LrpN/usr/share/shorewall/bogons
deleted file mode 100644
index 43c37b1f2..000000000
--- a/LrpN/usr/share/shorewall/bogons
+++ /dev/null
@@ -1,72 +0,0 @@
-#
-# Shorewall 2.2-- Bogons File
-#
-# /etc/shorewall/bogons
-#
-# Lists the subnetworks that are blocked by the 'nobogons' interface option.
-#
-# The default list includes those those ip ADDRESSES listed
-# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
-# reserved for use in documentation and examples.
-#
-# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
-# TO /etc/shorewall AND MODIFY THE COPY.
-#
-# Columns are:
-#
-# SUBNET The subnet (host addresses also allowed as are IP
-# address ranges provided that your kernel and iptables
-# include iprange match support).
-# TARGET Where to send packets to/from this subnet
-# RETURN - let the packet be processed normally
-# DROP - silently drop the packet
-# logdrop - log then drop
-#
-###############################################################################
-#SUBNET TARGET
-0.0.0.0 RETURN # Stop the DHCP whining
-255.255.255.255 RETURN # We need to allow limited broadcast
-169.254.0.0/16 DROP # DHCP autoconfig
-192.0.2.0/24 logdrop # Example addresses (RFC 3330)
-#
-# The following are generated with the help of the Python program found at:
-#
-# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
-#
-# The program was contributed by Andy Wiggin
-#
-0.0.0.0/7 logdrop # Reserved
-2.0.0.0/8 logdrop # Reserved
-5.0.0.0/8 logdrop # Reserved
-7.0.0.0/8 logdrop # Reserved
-23.0.0.0/8 logdrop # Reserved
-27.0.0.0/8 logdrop # Reserved
-31.0.0.0/8 logdrop # Reserved
-36.0.0.0/7 logdrop # Reserved
-39.0.0.0/8 logdrop # Reserved
-41.0.0.0/8 logdrop # Reserved
-42.0.0.0/8 logdrop # Reserved
-49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
-73.0.0.0/8 logdrop # Reserved
-74.0.0.0/7 logdrop # Reserved
-76.0.0.0/6 logdrop # Reserved
-89.0.0.0/8 logdrop # Reserved
-90.0.0.0/7 logdrop # Reserved
-92.0.0.0/6 logdrop # Reserved
-96.0.0.0/3 logdrop # Reserved
-127.0.0.0/8 logdrop # Loopback
-173.0.0.0/8 logdrop # Reserved
-174.0.0.0/7 logdrop # Reserved
-176.0.0.0/5 logdrop # Reserved
-184.0.0.0/6 logdrop # Reserved
-189.0.0.0/8 logdrop # Reserved
-190.0.0.0/8 logdrop # Reserved
-197.0.0.0/8 logdrop # Reserved
-198.18.0.0/15 logdrop # Reserved
-223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
-240.0.0.0/4 logdrop # Reserved
-#
-# End of generated entries
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/LrpN/usr/share/shorewall/configpath b/LrpN/usr/share/shorewall/configpath
deleted file mode 100644
index f676bd1b0..000000000
--- a/LrpN/usr/share/shorewall/configpath
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Shorewall version 2.0 - Default Config Path
-#
-# /usr/share/shorewall/configpath
-#
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
\ No newline at end of file
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
deleted file mode 100755
index 37193674a..000000000
--- a/LrpN/usr/share/shorewall/firewall
+++ /dev/null
@@ -1,7727 +0,0 @@ -#!/bin/sh -# -# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2 -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -# -# If an error occurs while starting or restarting the firewall, the -# firewall is automatically stopped. -# -# Commands are: -# -# shorewall start Starts the firewall -# shorewall restart Restarts the firewall -# shorewall stop Stops the firewall -# shorewall status Displays firewall status -# shorewall reset Resets iptables packet and -# byte counts -# shorewall clear Remove all Shorewall chains -# and rules/policies. -# shorewall refresh . Rebuild the common chain -# shorewall check Verify the more heavily-used -# configuration files. -# -# Mutual exclusion -- These functions are jackets for the mutual exclusion -# routines in $FUNCTIONS. They invoke -# the corresponding function in that file if the user did -# not specify "nolock" on the runline. 
-# -my_mutex_on() { - [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } -} - -my_mutex_off() { - [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } -} - -# -# Message to stderr -# -error_message() # $* = Error Message -{ - echo " $@" >&2 -} - -# -# Fatal error -- stops the firewall after issuing the error message -# -fatal_error() # $* = Error Message -{ - echo " Error: $@" >&2 - if [ $COMMAND = check ]; then - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - else - stop_firewall - fi - exit 2 -} - -# -# Fatal error during startup -- generate an error message and abend without -# altering the state of the firewall -# -startup_error() # $* = Error Message -{ - echo " Error: $@" >&2 - my_mutex_off - [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - kill $$ - exit 2 -} - -# -# Send a message to STDOUT and the System Log -# -report () { # $* = message - echo "$@" - logger "$@" -} - -# -# Write the passed args to $RESTOREBASE -# -save_command() -{ - echo "$@" >> $RESTOREBASE -} - -# -# Write a progress_message command to $RESTOREBASE -# -save_progress_message() -{ - - echo >> $RESTOREBASE - echo "progress_message \"$@\"" >> $RESTOREBASE - echo >> $RESTOREBASE -} - -# -# Save the passed command in the restore script then run it -- returns the status of the command -# If the command involves file redirection then it must be enclosed in quotes as in: -# -# run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" -# -run_and_save_command() -{ - echo "$@" >> $RESTOREBASE - eval $* -} - -# -# Run the passed command and if it succeeds, save it in the restore script. 
If it fails, stop the firewall and die -# -ensure_and_save_command() -{ - if eval $* ; then - echo "$@" >> $RESTOREBASE - else - [ -z "$stopping" ] && { stop_firewall; exit 2; } - fi -} - -# -# Append a file in $STATEDIR to $RESTOREBASE -# -append_file() # $1 = File Name -{ - save_command "cat > $STATEDIR/$1 << __EOF__" - cat $STATEDIR/$1 >> $RESTOREBASE - save_command __EOF__ -} - -# -# Run iptables and if an error occurs, stop the firewall and quit -# -run_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - if ! $IPTABLES $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"$IPTABLES $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Version of 'run_iptables' that inserts white space after "!" in the arg list -# -run_iptables2() { - - case "$@" in - *!*) - run_iptables $(fix_bang $@) - ;; - *) - run_iptables $@ - ;; - esac - -} - -# -# Quietly run iptables -# -qt_iptables() { - - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - - qt $IPTABLES $@ -} - -# -# Run ip and if an error occurs, stop the firewall and quit -# -run_ip() { - if ! ip $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"ip $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Run tc and if an error occurs, stop the firewall and quit -# -run_tc() { - if ! tc $@ ; then - if [ -z "$stopping" ]; then - error_message "ERROR: Command \"tc $@\" Failed" - stop_firewall - exit 2 - fi - fi -} - -# -# Create a filter chain -# -# If the chain isn't one of the common chains then add a rule to the chain -# allowing packets that are part of an established connection. Create a -# variable exists_${1} and set its value to Yes to indicate that the chain now -# exists. 
-# -createchain() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - run_iptables -N $1 - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes -} - -createchain2() # $1 = chain name, $2 = If "yes", create default rules -{ - local c=$(chain_base $1) - - if $IPTABLES -N $1; then - - if [ $2 = yes ]; then - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn - fi - - eval exists_${c}=Yes - fi -} - -# -# Determine if a chain exists -# -# When we create a chain "chain", we create a variable named exists_chain and -# set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havechain() # $1 = name of chain -{ - local c=$(chain_base $1) - - eval test \"\$exists_${c}\" = Yes -} - -# -# Query NetFilter about the existence of a filter chain -# -chain_exists() # $1 = chain name -{ - qt $IPTABLES -L $1 -n -} - -# -# Query NetFilter about the existence of a mangle chain -# -mangle_chain_exists() # $1 = chain name -{ - qt $IPTABLES -t mangle -L $1 -n -} - -# -# Ensure that a chain exists (create it if it doesn't) -# -ensurechain() # $1 = chain name -{ - havechain $1 || createchain $1 yes -} - -ensurechain1() # $1 = chain name -{ - havechain $1 || createchain $1 no -} - -# -# Add a rule to a chain creating the chain if necessary -# -addrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables -A $@ -} - -addrule2() # $1 = chain name, remainder of arguments specify the rule -{ - ensurechain $1 - run_iptables2 -A $@ -} - -# -# Create a nat chain -# -# Create a variable exists_nat_${1} and set its value to Yes to indicate that -# the chain now exists. 
-# -createnatchain() # $1 = chain name -{ - run_iptables -t nat -N $1 - - eval exists_nat_${1}=Yes -} - -# -# Determine if a nat chain exists -# -# When we create a chain "chain", we create a variable named exists_nat_chain -# and set its value to Yes. This function tests for the "exists_" variable -# corresponding to the passed chain having the value of "Yes". -# -havenatchain() # $1 = name of chain -{ - eval test \"\$exists_nat_${1}\" = Yes -} - -# -# Ensure that a nat chain exists (create it if it doesn't) -# -ensurenatchain() # $1 = chain name -{ - havenatchain $1 || createnatchain $1 -} - -# -# Add a rule to a nat chain creating the chain if necessary -# -addnatrule() # $1 = chain name, remainder of arguments specify the rule -{ - ensurenatchain $1 - run_iptables2 -t nat -A $@ -} - -# -# Delete a chain if it exists -# -deletechain() # $1 = name of chain -{ - qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 -} - -# -# Determine if a chain is a policy chain -# -is_policy_chain() # $1 = name of chain -{ - eval test \"\$${1}_is_policy\" = Yes -} - -# -# Set a standard chain's policy -# -setpolicy() # $1 = name of chain, $2 = policy -{ - run_iptables -P $1 $2 -} - -# -# Set a standard chain to enable established and related connections -# -setcontinue() # $1 = name of chain -{ - run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -} - -# -# Flush one of the NAT table chains -# -flushnat() # $1 = name of chain -{ - run_iptables -t nat -F $1 -} - -# -# Flush one of the Mangle table chains -# -flushmangle() # $1 = name of chain -{ - run_iptables -t mangle -F $1 -} - -# -# Find interfaces to a given zone -# -# Search the variables representing the contents of the interfaces file and -# for each record matching the passed ZONE, echo the expanded contents of -# the "INTERFACE" column -# -find_interfaces() # $1 = interface zone -{ - local zne=$1 - local z - local interface - - for interface in $ALL_INTERFACES; do - eval z=\$$(chain_base 
$interface)_zone - [ "x${z}" = x${zne} ] && echo $interface - done -} - -# -# Forward Chain for an interface -# -forward_chain() # $1 = interface -{ - echo $(chain_base $1)_fwd -} - -# -# Input Chain for an interface -# -input_chain() # $1 = interface -{ - echo $(chain_base $1)_in -} - -# -# Output Chain for an interface -# -output_chain() # $1 = interface -{ - echo $(chain_base $1)_out -} - -# -# Masquerade Chain for an interface -# -masq_chain() # $1 = interface -{ - echo $(chain_base $1)_masq -} - -# -# MAC Verification Chain for an interface -# -mac_chain() # $1 = interface -{ - echo $(chain_base $1)_mac -} - -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - -# -# Functions for creating dynamic zone rules -# -dynamic_fwd() # $1 = interface -{ - echo $(chain_base $1)_dynf -} - -dynamic_in() # $1 = interface -{ - echo $(chain_base $1)_dyni -} - -dynamic_out() # $1 = interface -{ - echo $(chain_base $1)_dyno -} - -dynamic_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_dyni ${c}_dynf ${c}_dyno -} - -# -# DNAT Chain from a zone -# -dnat_chain() # $1 = zone -{ - echo ${1}_dnat -} - -# -# SNAT Chain to a zone or from an interface -# -snat_chain() # $1 = zone or interface -{ - echo $(chain_base $1)_snat -} - -# -# ECN Chain to an interface -# -ecn_chain() # $1 = interface -{ - echo $(chain_base $1)_ecn -} - -# -# First chains for an interface -# -first_chains() #$1 = interface -{ - local c=$(chain_base $1) - - echo ${c}_fwd ${c}_in -} - -# -# Horrible hack to work around an iptables limitation -# -iprange_echo() -{ - if [ -f $TMP_DIR/iprange ]; then - echo $@ - else - echo "-m iprange $@" - > $TMP_DIR/iprange - fi -} - - -# -# Source IP range -# -source_ip_range() # $1 = Address or Address Range -{ - case $1 in - *.*.*.*-*.*.*.*) - case $1 in - !*) - iprange_echo "! 
--src-range ${1#!}"
- ;;
- *)
- iprange_echo "--src-range $1"
- ;;
- esac
- ;;
- *)
- echo "-s $1"
- ;;
- esac
-}
-
-#
-# Destination IP range
-#
-dest_ip_range() # $1 = Address or Address Range
-{
- case $1 in
- *.*.*.*-*.*.*.*)
- case $1 in
- !*)
- iprange_echo "! --dst-range ${1#!}"
- ;;
- *)
- iprange_echo "--dst-range $1"
- ;;
- esac
- ;;
- *)
- echo "-d $1"
- ;;
- esac
-}
-
-both_ip_ranges() # $1 = Source address or range, $2 = dest address or range
-{
- local prefix= match=
-
- case $1 in
- *.*.*.*-*.*.*.*)
- prefix="-m iprange"
- match="--src-range $1"
- ;;
- *)
- match="-s $1"
- ;;
- esac
-
- case $2 in
- *.*.*.*-*.*.*.*)
- prefix="-m iprange"
- match="$match --dst-range $2"
- ;;
- *)
- match="$match -d $2"
- ;;
- esac
-
- echo "$prefix $match"
-}
-
-#
-# Horrible hack to work around an iptables limitation
-#
-physdev_echo()
-{
- if [ -f $TMP_DIR/physdev ]; then
- echo $@
- else
- echo -m physdev $@
- > $TMP_DIR/physdev
- fi
-}
-
-#
-# We allow hosts to be specified by IP address or by physdev. These two functions
-# are used to produce the proper match in a netfilter rule.
-#
-match_source_hosts()
-{
- if [ -n "$BRIDGING" ]; then
- case $1 in
- *:*)
- physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
- ;;
- *.*.*.*)
- echo $(source_ip_range $1)
- ;;
- *)
- physdev_echo "--physdev-in $1"
- ;;
- esac
- else
- echo $(source_ip_range $1)
- fi
-}
-
-match_dest_hosts()
-{
- if [ -n "$BRIDGING" ]; then
- case $1 in
- *:*)
- physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
- ;;
- *.*.*.*)
- echo $(dest_ip_range $1)
- ;;
- *)
- physdev_echo "--physdev-out $1"
- ;;
- esac
- else
- echo $(dest_ip_range $1)
- fi
-}
-
-#
-# Similarly, the source or destination in a rule can be qualified by a device name. If
-# the device is defined in /etc/shorewall/interfaces then a normal interface match is
-# generated (-i or -o); otherwise, a physdev match is generated. 
-#-------------------------------------------------------------------------------------
-#
-# loosely match the passed interface with those in /etc/shorewall/interfaces.
-#
-known_interface() # $1 = interface name
-{
- local iface
-
- for iface in $ALL_INTERFACES ; do
- if if_match $iface $1 ; then
- return 0
- fi
- done
-
- return 1
-}
-
-match_source_dev()
-{
- if [ -n "$BRIDGING" ]; then
- list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
- else
- echo -i $1
- fi
-}
-
-match_dest_dev()
-{
- if [ -n "$BRIDGING" ]; then
- list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
- else
- echo -o $1
- fi
-}
-
-verify_interface()
-{
- known_interface $1 || { [ -n "$BRIDGING" ] && list_search $1 $all_ports ; }
-}
-
-#
-# Determine if communication to/from a host is encrypted using IPSEC
-#
-is_ipsec_host() # $1 = zone, $2 = host
-{
- eval local is_ipsec=\$${1}_is_ipsec
- eval local hosts=\"\$${1}_ipsec_hosts\"
-
- test -n "$is_ipsec" || list_search $2 $hosts
-}
-
-#
-# Generate a match for decrypted packets
-#
-match_ipsec_in() # $1 = zone, $2 = host
-{
- if is_ipsec_host $1 $2 ; then
- eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_in_options\"
- echo "-m policy --pol ipsec --dir in $options"
- elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir in"
- fi
-}
-
-#
-# Generate a match for packets that will be encrypted
-#
-match_ipsec_out() # $1 = zone, $2 = host
-{
- if is_ipsec_host $1 $2 ; then
- eval local options=\"\$${1}_ipsec_options \$${1}_ipsec_out_options\"
- echo "-m policy --pol ipsec --dir out $options"
- elif [ -n "$POLICY_MATCH" ]; then
- echo "-m policy --pol none --dir out"
- fi
-}
-
-#
-# Jacket for ip_range() that takes care of iprange match
-#
-
-firewall_ip_range() # $1 = IP address or range
-{
- [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
-}
-
-#
-#
-# Find hosts in a given zone
-#
-# Read hosts file and for each record matching the passed ZONE,
-# echo the expanded contents 
of the "HOST(S)" column
-#
-find_hosts() # $1 = host zone
-{
- local hosts interface address addresses
-
- while read z hosts options; do
- if [ "x$(expand $z)" = "x$1" ]; then
- expandv hosts
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- for address in $(separate_list $addresses); do
- echo $interface:$address
- done
- fi
- done < $TMP_DIR/hosts
-}
-
-#
-# Check for duplicate zone definitions
-#
-check_duplicate_zones() {
- local localzones=
-
- for zone in $zones; do
- list_search $zone $localzones && startup_error "Zone $zone is defined more than once"
- localzones="$localzones $zone"
- done
-}
-#
-# Determine the interfaces on the firewall
-#
-# For each zone, create a variable called ${zone}_interfaces. This
-# variable contains a space-separated list of interfaces to the zone
-#
-determine_interfaces() {
- for zone in $zones; do
- interfaces=$(find_interfaces $zone)
- interfaces=$(echo $interfaces) # Remove extra trash
- eval ${zone}_interfaces=\"\$interfaces\"
- done
-}
-
-#
-# Determine if an interface has a given option
-#
-interface_has_option() # $1 = interface, #2 = option
-{
- local options
-
- eval options=\$$(chain_base $1)_options
-
- list_search $2 $options
-}
-
-#
-# Determine the defined hosts in each zone and generate report
-#
-determine_hosts() {
-
- for zone in $zones; do
- hosts=$(find_hosts $zone)
- hosts=$(echo $hosts) # Remove extra trash
-
- eval interfaces=\$${zone}_interfaces
-
- for interface in $interfaces; do
- if interface_has_option $interface detectnets; then
- networks=$(get_routed_networks $interface)
- else
- networks=0.0.0.0/0
- fi
-
- for networks in $networks; do
- if [ -z "$hosts" ]; then
- hosts=$interface:$networks
- else
- hosts="$hosts $interface:$networks"
- fi
-
- if interface_has_option $interface routeback; then
- eval ${zone}_routeback=\"$interface:$networks \$${zone}_routeback\"
- fi
- done
- done
-
- interfaces=
-
- for host in $hosts; do
- interface=${host%:*}
- if list_search $interface $interfaces; then 
- list_search $interface:0.0.0.0/0 $hosts && \
- startup_error "Invalid zone definition for zone $zone"
- list_search $interface:0/0 $hosts && \
- startup_error "Invalid zone definition for zone $zone"
- eval ${zone}_is_complex=Yes
- else
- if [ -z "$interfaces" ]; then
- interfaces=$interface
- else
- interfaces="$interfaces $interface"
- fi
- fi
- done
-
- eval ${zone}_interfaces="\$interfaces"
- eval ${zone}_hosts="\$hosts"
-
- if [ -n "$hosts" ]; then
- eval display=\$${zone}_display
- display_list "$display Zone:" $hosts
- else
- error_message "Warning: Zone $zone is empty"
- fi
- done
-}
-
-#
-# Ensure that the passed zone is defined in the zones file or is the firewall
-#
-validate_zone() # $1 = zone
-{
- list_search $1 $zones $FW
-}
-#
-# Ensure that the passed zone is defined in the zones file.
-#
-validate_zone1() # $1 = zone
-{
- list_search $1 $zones
-}
-
-#
-# Validate the zone names and options in the interfaces file
-#
-validate_interfaces_file() {
- local wildcard
- local found_obsolete_option=
- local z interface networks options r iface option
-
- while read z interface networks options; do
- expandv z interface networks options
- r="$z $interface $networks $options"
-
- [ "x$z" = "x-" ] && z=
-
- if [ -n "$z" ]; then
- validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
- fi
-
- list_search $interface $ALL_INTERFACES && \
- startup_error "Duplicate Interface $interface"
-
- wildcard=
-
- case $interface in
- *:*|+)
- startup_error "Invalid Interface Name: $interface"
- ;;
- *+)
- wildcard=Yes
- ;;
- esac
-
- ALL_INTERFACES="$ALL_INTERFACES $interface"
- options=$(separate_list $options)
- iface=$(chain_base $interface)
-
- eval ${iface}_broadcast="$networks"
- eval ${iface}_zone="$z"
- eval ${iface}_options=\"$options\"
-
- for option in $options; do
- case $option in
- dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
- ;;
- detectnets)
- [ -n 
"$wildcard" ] && \
- startup_error "The \"detectnets\" option may not be used with a wild-card interface"
- ;;
- routeback)
- [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
- ;;
- *)
- error_message "Warning: Invalid option ($option) in record \"$r\""
- ;;
- esac
- done
-
- [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
-
- done < $TMP_DIR/interfaces
-}
-
-#
-# Validate the zone names and options in the hosts file
-#
-validate_hosts_file() {
- local z hosts options r interface host option port ports
-
- check_bridge_port()
- {
- list_search $1 $ports || ports="$ports $1"
- list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
- list_search $1 $all_ports || all_ports="$all_ports $1"
- }
-
- while read z hosts options; do
- expandv z hosts options
- r="$z $hosts $options"
- validate_zone1 $z || startup_error "Invalid zone ($z) in record \"$r\""
-
- interface=${hosts%%:*}
- iface=$(chain_base $interface)
-
- list_search $interface $ALL_INTERFACES || \
- startup_error "Unknown interface ($interface) in record \"$r\""
-
- hosts=${hosts#*:}
-
- eval ports=\$${iface}_ports
- eval zports=\$${z}_ports
-
- for host in $(separate_list $hosts); do
- if [ -n "$BRIDGING" ]; then
- case $host in
- *:*)
- known_interface ${host%:*} && \
- startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
- check_bridge_port ${host%%:*}
- ;;
- *.*.*.*)
- ;;
- *)
- known_interface $host && \
- startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
- check_bridge_port $host
- ;;
- esac
- fi
-
- for option in $(separate_list $options) ; do
- case $option in
- maclist|norfc1918|nobogons|blacklist|tcpflags|nosmurfs|newnotsyn|-)
- ;;
- ipsec)
- [ -n "$POLICY_MATCH" ] || \
- startup_error "Your kernel and/or iptables does not support policy match: ipsec"
- eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
- eval 
${z}_is_complex=Yes
- ;;
- routeback)
- [ -z "$ports" ] && \
- eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
- ;;
- *)
- error_message "Warning: Invalid option ($option) in record \"$r\""
- ;;
- esac
- done
- done
-
- if [ -n "$ports" ]; then
- eval ${iface}_ports=\"$ports\"
- eval ${z}_ports=\"$zports\"
- fi
-
- done < $TMP_DIR/hosts
-
- [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
-}
-
-#
-# Format a match by the passed MAC address
-# The passed address begins with "~" and uses "-" as a separator between bytes
-# Example: ~01-02-03-04-05-06
-#
-mac_match() # $1 = MAC address formated as described above
-{
- echo "--match mac --mac-source $(echo $1 | sed 's/~//;s/-/:/g')"
-}
-
-#
-# validate the policy file
-#
-validate_policy()
-{
- local clientwild
- local serverwild
- local zone
- local zone1
- local pc
- local chain
- local policy
- local loglevel
- local synparams
-
- print_policy() # $1 = source zone, $2 = destination zone
- {
- [ $COMMAND != check ] || \
- [ $1 = $2 ] || \
- [ $1 = all ] || \
- [ $2 = all ] || \
- progress_message " Policy for $1 to $2 is $policy using chain $chain"
- }
-
- all_policy_chains=
-
- strip_file policy
-
- while read client server policy loglevel synparams; do
- expandv client server policy loglevel synparams
-
- clientwild=
- serverwild=
-
- case "$client" in
- all|ALL)
- clientwild=Yes
- ;;
- *)
- if ! validate_zone $client; then
- startup_error "Undefined zone $client"
- fi
- esac
-
- case "$server" in
- all|ALL)
- serverwild=Yes
- ;;
- *)
- if ! 
validate_zone $server; then
- startup_error "Undefined zone $server"
- fi
- esac
-
- case $policy in
- ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
- ;;
- NONE)
- [ "$client" = "$FW" -o "$server" = "$FW" ] && \
- startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
-
- [ -n "$clientwild" -o -n "$serverwild" ] && \
- startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
- ;;
- *)
- startup_error "Invalid policy $policy"
- ;;
- esac
-
- chain=${client}2${server}
-
- if is_policy_chain $chain ; then
- startup_error "Duplicate policy $policy"
- fi
-
- [ "x$loglevel" = "x-" ] && loglevel=
-
- [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
-
- eval ${chain}_is_policy=Yes
- eval ${chain}_policy=$policy
- eval ${chain}_loglevel=$loglevel
- eval ${chain}_synparams=$synparams
-
- if [ -n "${clientwild}" ]; then
- if [ -n "${serverwild}" ]; then
- for zone in $zones $FW all; do
- for zone1 in $zones $FW all; do
- eval pc=\$${zone}2${zone1}_policychain
-
- if [ -z "$pc" ]; then
- eval ${zone}2${zone1}_policychain=$chain
- eval ${zone}2${zone1}_policy=$policy
- print_policy $zone $zone1
- fi
- done
- done
- else
- for zone in $zones $FW all; do
- eval pc=\$${zone}2${server}_policychain
-
- if [ -z "$pc" ]; then
- eval ${zone}2${server}_policychain=$chain
- eval ${zone}2${server}_policy=$policy
- print_policy $zone $server
- fi
- done
- fi
- elif [ -n "$serverwild" ]; then
- for zone in $zones $FW all; do
- eval pc=\$${client}2${zone}_policychain
-
- if [ -z "$pc" ]; then
- eval ${client}2${zone}_policychain=$chain
- eval ${client}2${zone}_policy=$policy
- print_policy $client $zone
- fi
- done
- else
- eval ${chain}_policychain=${chain}
- print_policy $client $server
- fi
-
- done < $TMP_DIR/policy
-}
-
-#
-# Find broadcast addresses
-#
-find_broadcasts() {
- for interface in $ALL_INTERFACES; do
- eval bcast=\$$(chain_base $interface)_broadcast
- if [ "x$bcast" = 
"xdetect" ]; then
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
- elif [ "x${bcast}" != "x-" ]; then
- echo $(separate_list $bcast)
- fi
- done
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
- #
- # If there wasn't one, bail out now
- #
- [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# Find interfaces that have the passed option specified
-#
-find_interfaces_by_option() # $1 = option
-{
- for interface in $ALL_INTERFACES; do
- eval options=\$$(chain_base $interface)_options
- list_search $1 $options && echo $interface
- done
-}
-
-#
-# Find hosts with the passed option
-#
-find_hosts_by_option() # $1 = option
-{
- local ignore hosts interface address addresses options ipsec= list
-
- while read ignore hosts options; do
- expandv options
- list=$(separate_list $options)
- if list_search $1 $list; then
- list_search ipsec $list && ipsec=ipsec || ipsec=none
- expandv hosts
- interface=${hosts%%:*}
- addresses=${hosts#*:}
- for address in $(separate_list $addresses); do
- echo ${ipsec}^$interface:$address
- done
- fi
- done < $TMP_DIR/hosts
-
- for interface in $ALL_INTERFACES; do
- interface_has_option $interface $1 && \
- echo none^${interface}:0.0.0.0/0
- done
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
- run_iptables -F
- run_iptables -X
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
- local user_exit=$(find_file $1)
-
- if [ -f $user_exit ]; then
- 
progress_message "Processing $user_exit ..."
- . $user_exit
- fi
-}
-
-#
-# Add a logging rule.
-#
-log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
-{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit="${5:-$LOGLIMIT}"
- local tag=${6:+$6 }
- local command=${7:--A}
- local prefix
- local base=$(chain_base $displayChain)
-
- shift;shift;shift;shift;shift;shift;shift
-
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
- displayChain=$tag
- tag=
- fi
-
- if [ -n "$LOGRULENUMBERS" ]; then
- eval rulenum=\$${base}_logrules
-
- rulenum=${rulenum:-1}
-
- prefix="$(printf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
-
- rulenum=$(($rulenum + 1))
- eval ${base}_logrules=$rulenum
- else
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
- fi
-
- if [ ${#prefix} -gt 29 ]; then
- prefix="$(echo $prefix | truncate 29)"
- error_message "Warning: Log Prefix shortened to \"$prefix\""
- fi
-
- case $level in
- ULOG)
- if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
- if [ -z "$stopping" ]; then
- error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
- stop_firewall
- exit 2
- fi
- fi
- ;;
- *)
- if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
- if [ -z "$stopping" ]; then
- error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
- stop_firewall
- exit 2
- fi
- fi
- ;;
- esac
-
- if [ $? -ne 0 ] ; then
- [ -z "$stopping" ] && { stop_firewall; exit 2; }
- fi
-}
-
-log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule
-{
- local level=$1
- local chain=$2
- local disposition=$3
-
- shift;shift;shift
-
- log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
-}
-
-#
-# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
-#
-setup_forwarding() {
-
- save_progress_message "Restoring IP Forwarding..."
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/ip_forward"
- echo "IP Forwarding Disabled!"
- ;;
- esac
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local foo="$(ip -f inet6 addr ls 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt which ip6tables; then
- save_progress_message "Disabling IPV6..."
- ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-disable_ipv6_1() {
- local foo="$(ip -f inet6 addr ls 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt which ip6tables; then
- progress_message "Disabling IPV6..." 
- ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-#
-# Process the routestopped file either adding or deleting rules
-#
-
-process_routestopped() # $1 = command
-{
- local hosts= interface host host1 options networks
-
- while read interface host options; do
- expandv interface host options
- [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
- for h in $(separate_list $host); do
- hosts="$hosts $interface:$h"
- done
-
- routeback=
-
- if [ -n "$options" ]; then
- for option in $(separate_list $options); do
- case $option in
- routeback)
- if [ -n "$routeback" ]; then
- error_message "Warning: Duplicate routestopped option ignored: routeback"
- else
- routeback=Yes
- for h in $(separate_list $host); do
- run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
- done
- fi
- ;;
- *)
- error_message "Warning: Unknown routestopped option ignored: $option"
- ;;
- esac
- done
- fi
-
- done < $TMP_DIR/routestopped
-
- for host in $hosts; do
- interface=${host%:*}
- networks=${host#*:}
- $IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-
- for host1 in $hosts; do
- [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
- done
- done
-}
-
-#
-# Stop the Firewall
-#
-stop_firewall() {
- #
- # Turn off trace unless we were tracing "stop" or "clear"
- #
-
- [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE
-
- case $COMMAND in
- stop|clear)
- ;;
- check)
- kill $$
- exit 2
- ;;
- *)
- set +x
-
- [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
-
- RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-
- if [ -x $RESTOREPATH ]; then
- echo Restoring Shorewall... 
- $RESTOREPATH
- echo "Shorewall restored from $RESTOREPATH"
- my_mutex_off
- kill $$
- exit 2
- fi
- ;;
- esac
-
- stopping="Yes"
-
- terminator=
-
- deletechain shorewall
-
- run_user_exit stop
-
- [ -n "$MANGLE_ENABLED" ] && \
- run_iptables -t mangle -F && \
- run_iptables -t mangle -X
-
- [ -n "$NAT_ENABLED" ] && delete_nat
- delete_proxy_arp
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$DISABLE_IPV6" ] && disable_ipv6_1
-
- if [ -z "$ADMINISABSENTMINDED" ]; then
- for chain in INPUT OUTPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- deleteallchains
- else
- for chain in INPUT FORWARD; do
- setpolicy $chain DROP
- done
-
- setpolicy OUTPUT ACCEPT
-
- deleteallchains
-
- for chain in INPUT FORWARD; do
- setcontinue $chain
- done
- fi
-
- hosts=
-
- [ -f $TMP_DIR/routestopped ] || strip_file routestopped
-
- process_routestopped -A
-
- $IPTABLES -A INPUT -i lo -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
- for interface in $(find_interfaces_by_option dhcp); do
- $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
- [ -z "$ADMINISABSENTMINDED" ] && \
- $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
- #
- # This might be a bridge
- #
- $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
- done
-
- case "$IP_FORWARDING" in
- [Oo][Nn])
- echo 1 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Enabled"
- ;;
- [Oo][Ff][Ff])
- echo 0 > /proc/sys/net/ipv4/ip_forward
- echo "IP Forwarding Disabled!"
- ;;
- esac
-
- run_user_exit stopped
-
- logger "Shorewall Stopped"
-
- rm -rf $TMP_DIR
-
- case $COMMAND in
- stop|clear)
- ;;
- *)
- #
- # The firewall is being stopped when we were trying to do something
- # else. 
Remove the lock file and Kill the shell in case we're in a
- # subshell
- #
- my_mutex_off
- kill $$
- ;;
- esac
-}
-
-#
-# Remove all rules and remove all user-defined chains
-#
-clear_firewall() {
- stop_firewall
-
- run_iptables -F
-
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- if qt which ip6tables; then
- ip6tables -P INPUT ACCEPT 2> /dev/null
- ip6tables -P OUTPUT ACCEPT 2> /dev/null
- ip6tables -P FORWARD ACCEPT 2> /dev/null
- fi
-
- run_user_exit clear
-
- logger "Shorewall Cleared"
-}
-
-#
-# Set up ipsec tunnels
-#
-setup_tunnels() # $1 = name of tunnels file
-{
- local inchain
- local outchain
-
-
- setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
- {
- local kind=$2 noah=
-
- case $kind in
- *:*)
- noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
- kind=${kind%:*}
- ;;
- esac
-
- [ $kind = IPSEC ] && kind=ipsec
-
- options="-m state --state NEW -j ACCEPT"
- addrule2 $inchain -p 50 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
-
- if [ -z "$noah" ]; then
- run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
- run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
- fi
-
- run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
-
- if [ $kind = ipsec ]; then
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
- else
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
- run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
- fi
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p udp --dport 500 $options
- if [ $kind = ipsec ]; then
- addrule ${z}2${FW} -p udp --dport 500 $options
- else
- addrule ${z}2${FW} -p udp --dport 500 $options
- addrule ${z}2${FW} -p udp --dport 4500 $options
- fi
- else
- 
fatal_error "Invalid gateway zone ($z) -- Tunnel \"$tunnel\""
- fi
- done
-
- progress_message " IPSEC tunnel to $gateway defined."
- }
-
- setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
- {
- addrule2 $inchain -p $3 $(source_ip_range $2) -j ACCEPT
- addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
-
- progress_message " $1 tunnel to $2 defined."
- }
-
- setup_pptp_client() # $1 = gateway
- {
- addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
- addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
-
- progress_message " PPTP tunnel to $1 defined."
- }
-
- setup_pptp_server() # $1 = gateway
- {
- addrule2 $inchain -p 47 $(source_ip_range $1) -j ACCEPT
- addrule2 $outchain -p 47 $(dest_ip_range $1) -j ACCEPT
- addrule2 $inchain -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
-
- progress_message " PPTP server defined."
- }
-
- setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
- {
- local protocol=udp
- local p=1194
-
- case $2 in
- *:*:*)
- protocol=${2%:*}
- protocol=${protocol#*:}
- p=${2##*:}
- ;;
- *:*)
- p=${2#*:}
- ;;
- esac
-
- addrule2 $inchain -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
- addrule2 $outchain -p $protocol $(dest_ip_range $1) --dport $p -j ACCEPT
-
- progress_message " OPENVPN tunnel to $1:$protocol:$p defined." 
- }
-
- setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
- {
- local protocol
- local p=
-
- case $2 in
- *:*:*)
- p=${2##*:}
- protocol=${2%:*}
- protocol=${protocol#*:}
- ;;
- *:*)
- protocol=${2#*:}
- ;;
- *)
- protocol=udp
- p=5000
- ;;
- esac
-
- p=${p:+--dport $p}
-
- addrule2 $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT
- addrule2 $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT
-
- for z in $(separate_list $3); do
- if validate_zone $z; then
- addrule ${FW}2${z} -p $protocol $p -j ACCEPT
- addrule ${z}2${FW} -p $protocol $p -j ACCEPT
- else
- error_message "Warning: Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" may encounter problems"
- fi
- done
-
- progress_message " GENERIC tunnel to $1:$p defined."
- }
-
- strip_file tunnels $1
-
- while read kind z gateway z1; do
- expandv kind z gateway z1
- tunnel="$(echo $kind $z $gateway $z1)"
- if validate_zone $z; then
- inchain=${z}2${FW}
- outchain=${FW}2${z}
- gateway=${gateway:-0.0.0.0/0}
- case $kind in
- ipsec|IPSEC|ipsec:*|IPSEC:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipsecnat|IPSECNAT|ipsecnat:*|IPSECNAT:*)
- setup_one_ipsec $gateway $kind $z1
- ;;
- ipip|IPIP)
- setup_one_other IPIP $gateway 4
- ;;
- gre|GRE)
- setup_one_other GRE $gateway 47
- ;;
- 6to4|6TO4)
- setup_one_other 6to4 $gateway 41
- ;;
- pptpclient|PPTPCLIENT)
- setup_pptp_client $gateway
- ;;
- pptpserver|PPTPSERVER)
- setup_pptp_server $gateway
- ;;
- openvpn|OPENVPN|openvpn:*|OPENVPN:*)
- setup_one_openvpn $gateway $kind
- ;;
- generic:*|GENERIC:*)
- setup_one_generic $gateway $kind $z1
- ;;
- *)
- error_message "Tunnels of type $kind are not supported:" \
- "Tunnel \"$tunnel\" Ignored"
- ;;
- esac
- else
- error_message "Invalid gateway zone ($z)" \
- " -- Tunnel \"$tunnel\" Ignored"
- fi
- done < $TMP_DIR/tunnels
-}
-
-#
-# Process the ipsec file
-#
-setup_ipsec() {
- local zone
- #
- # Add a --set-mss rule to the passed chain
- #
- set_mss1() # $1 = chain, $2 = MSS
- { 
- eval local policy=\$${1}_policy
-
- if [ "$policy" != NONE ]; then
- case $COMMAND in
- start|restart)
- ensurechain $1
- run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
- ;;
- esac
- fi
- }
- #
- # Set up rules to set MSS to and/or from zone "$zone"
- #
- set_mss() # $1 = MSS value, $2 = _in, _out or ""
- {
- if [ $COMMAND != check ]; then
- for z in $zones; do
- case $2 in
- _in)
- set_mss1 ${zone}2${z} $1
- ;;
- _out)
- set_mss1 ${z}2${zone} $1
- ;;
- *)
- set_mss1 ${z}2${zone} $1
- set_mss1 ${zone}2${z} $1
- ;;
- esac
- done
- fi
- }
-
- do_options() # $1 = _in, _out or "" - $2 = option list
- {
- local option opts newoptions= val
-
- [ x${2} = x- ] && return
-
- opts=$(separate_list $2)
-
- for option in $opts; do
- val=${option#*=}
-
- case $option in
- mss=[0-9]*) set_mss $val $1 ;;
- strict) newoptions="$newoptions --strict" ;;
- next) newoptions="$newoptions --next" ;;
- reqid=*) newoptions="$newoptions --reqid $val" ;;
- spi=*) newoptions="$newoptions --spi $val" ;;
- proto=*) newoptions="$newoptions --proto $val" ;;
- mode=*) newoptions="$newoptions --mode $val" ;;
- tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
- tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
- reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
- spi!=*) newoptions="$newoptions ! --spi $val" ;;
- proto!=*) newoptions="$newoptions ! --proto $val" ;;
- mode!=*) newoptions="$newoptions ! --mode $val" ;;
- tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
- tunnel-dst!=*) newoptions="$newoptions ! 
--tunnel-dst $val" ;;
- *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
- esac
- done
-
- if [ -n "$newoptions" ]; then
- eval ${zone}_is_complex=Yes
- eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
- fi
- }
-
- strip_file ipsec $1
-
- while read zone ipsec options in_options out_options mss; do
- expandv zone ipsec options in_options out_options mss
-
- [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
-
- validate_zone1 $zone || fatal_error "Unknown zone: $zone"
-
- case $ipsec in
- -|No|no)
- ;;
- Yes|yes)
- eval ${zone}_is_ipsec=Yes
- eval ${zone}_is_complex=Yes
- ;;
- *)
- fatal_error "Invalid IPSEC column value: $ipsec"
- ;;
- esac
-
- do_options "" $options
- do_options "_in" $in_options
- do_options "_out" $out_options
-
- done < $TMP_DIR/ipsec
-}
-
-#
-# Setup Proxy ARP
-#
-setup_proxy_arp() {
-
- local setlist= resetlist=
-
- print_error() {
- error_message "Invalid value for HAVEROUTE - ($haveroute)"
- error_message "Entry \"$address $interface $external $haveroute\" ignored"
- }
-
- print_error1() {
- error_message "Invalid value for PERSISTENT - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
- }
-
- print_warning() {
- error_message "PERSISTENT setting ignored - ($persistent)"
- error_message "Entry \"$address $interface $external $haveroute $persistent\""
- }
-
- setup_one_proxy_arp() {
-
- case $haveroute in
- [Nn][Oo])
- haveroute=
- ;;
- [Yy][Ee][Ss])
- ;;
- *)
- if [ -n "$haveroute" ]; then
- print_error
- return
- fi
- ;;
- esac
-
- case $persistent in
- [Nn][Oo])
- persistent=
- ;;
- [Yy][Ee][Ss])
- [ -z "$haveroute" ] || print_warning
- ;;
- *)
- if [ -n "$persistent" ]; then
- print_error1
- return
- fi
- ;;
- esac
-
- if [ -z "$haveroute" ]; then
- ensure_and_save_command ip route replace $address dev $interface
- [ -n "$persistent" ] && haveroute=yes
- fi
-
- ensure_and_save_command arp -i $external -Ds $address 
$external pub
-
- echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
-
- progress_message " Host $address connected to $interface added to ARP on $external"
- }
-
- > ${STATEDIR}/proxyarp
-
- save_progress_message "Restoring Proxy ARP..."
-
- while read address interface external haveroute persistent; do
- expandv address interface external haveroute persistent
- list_search $interface $setlist || setlist="$setlist $interface"
- list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
- setup_one_proxy_arp
- done < $TMP_DIR/proxyarp
-
- for interface in $resetlist; do
- list_search $interface $setlist || \
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- done
-
- for interface in $setlist; do
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- done
-
- interfaces=$(find_interfaces_by_option proxyarp)
-
- for interface in $interfaces; do
- if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
- progress_message " Enabled proxy ARP on $interface"
- save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- else
- error_message "Warning: Unable to enable proxy ARP on $interface"
- fi
- done
-}
-
-#
-# Set up MAC Verification
-#
-setup_mac_lists() {
- local interface
- local mac
- local addresses
- local address
- local chain
- local chain1
- local macpart
- local blob
- local hosts
- local ipsec
- local policy=
- #
- # Generate the list of interfaces having MAC verification
- #
- maclist_interfaces=
-
- for hosts in $maclist_hosts; do
- hosts=${hosts#*^}
- interface=${hosts%%:*}
- if ! list_search $interface $maclist_interfaces; then\
- if [ -z "$maclist_interfaces" ]; then
- maclist_interfaces=$interface
- else
- maclist_interfaces="$maclist_interfaces $interface"
- fi
- fi
- done
-
- progress_message "Setting up MAC Verification on $maclist_interfaces..."
- #
- # Create chains. 
- # - for interface in $maclist_interfaces; do - chain=$(mac_chain $interface) - createchain $chain no - - if [ -n "$MACLIST_TTL" ]; then - chain1=$(macrecent_target $interface) - createchain $chain1 no - run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1 - run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT - run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT - fi - done - # - # Process the maclist file producing the verification rules - # - while read interface mac addresses; do - expandv interface mac addresses - - physdev_part= - - if [ -n "$BRIDGING" ]; then - case $interface in - *:*) - physdev_part="-m physdev --physdev-in ${interface#*:}" - interface=${interface%:*} - ;; - esac - fi - - chain=$(mac_chain $interface) - chain1=$(macrecent_target $interface) - - if ! havechain $chain ; then - fatal_error "No hosts on $interface have the maclist option specified" - fi - - macpart=$(mac_match $mac) - - if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart $physdev_part -j $chain1 - else - for address in $(separate_list $addresses) ; do - run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1 - done - fi - done < $TMP_DIR/maclist - # - # Must take care of our own broadcasts and multicasts then terminate the verification - # chains - # - for interface in $maclist_interfaces; do - chain=$(mac_chain $interface) - chain1=$(macrecent_target $interface) - - blob=$(ip link show $interface 2> /dev/null) - - [ -z "$blob" ] && \ - fatal_error "Interface $interface must be up before Shorewall can start" - - ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do - if [ -n "$broadcast" ]; then - run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1 - fi - - run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1 - run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1 - done - 
- if [ -n "$MACLIST_LOG_LEVEL" ]; then - log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION - fi - - run_iptables -A $chain -j $maclist_target - done - # - # Generate jumps from the input and forward chains - # - for hosts in $maclist_hosts; do - ipsec=${hosts%^*} - hosts=${hosts#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${hosts%%:*} - hosts=${hosts#*:} - for chain in $(first_chains $interface) ; do - run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \ - $policy -j $(mac_chain $interface) - done - done -} - -# -# Set up SYN flood protection -# -setup_syn_flood_chain () - # $1 = policy chain - # $2 = synparams - # $3 = loglevel -{ - local chain=@$1 - local limit=$2 - local limit_burst= - - case $limit in - *:*) - limit_burst="--limit-burst ${limit#*:}" - limit=${limit%:*} - ;; - esac - - run_iptables -N $chain - run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN - [ -n "$3" ] && \ - log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" "" - run_iptables -A $chain -j DROP -} - -# -# Enable SYN flood protection on a chain -# -# Insert a jump rule to the protection chain from the first chain. 
Inserted -# as the second rule and restrict the jump to SYN packets -# -enable_syn_flood_protection() # $1 = chain, $2 = protection chain -{ - run_iptables -I $1 2 -p tcp --syn -j @$2 - progress_message " Enabled SYN flood protection" -} - -# -# Delete existing Proxy ARP -# -delete_proxy_arp() { - if [ -f ${STATEDIR}/proxyarp ]; then - while read address interface external haveroute; do - qt arp -i $external -d $address pub - [ -z "$haveroute" ] && qt ip route del $address dev $interface - done < ${STATEDIR}/proxyarp - - rm -f ${STATEDIR}/proxyarp - fi - - [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp - - for f in /proc/sys/net/ipv4/conf/*; do - [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp - done -} - -# -# Setup Static Network Address Translation (NAT) -# -setup_nat() { - local external= interface= internal= allints= localnat= policyin= policyout= - - validate_one() #1 = Variable Name, $2 = Column name, $3 = value - { - case $3 in - Yes|yes) - ;; - No|no) - eval ${1}= - ;; - *) - [ -n "$3" ] && \ - fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\"" - ;; - esac - } - - do_one_nat() { - local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*} - - if [ -n "$add_ip_aliases" ]; then - case $interface in - *:) - interface=${interface%:} - add_ip_aliases= - ;; - *) - [ -n "$RETAIN_ALIASES" ] || run_and_save_command qt ip addr del $external dev $iface - ;; - esac - else - interface=${interface%:} - fi - - validate_one allints "ALL INTERFACES" $allints - validate_one localnat "LOCAL" $localnat - - if [ -n "$allints" ]; then - addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal - addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external - else - addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal - addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external - fi - - [ -n "$localnat" ] && \ - run_iptables2 -t nat 
-A OUTPUT -d $external $policyout -j DNAT --to-destination $internal - - if [ -n "$add_ip_aliases" ]; then - list_search $external $aliases_to_add || \ - aliases_to_add="$aliases_to_add $external $interface" - fi - } - # - # At this point, we're just interested in the network translation - # - > ${STATEDIR}/nat - - if [ -n "$POLICY_MATCH" ]; then - policyin="-m policy --pol none --dir in" - policyout="-m policy --pol none --dir out" - fi - - [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..." - - while read external interface internal allints localnat; do - expandv external interface internal allints localnat - - do_one_nat - - progress_message " Host $internal NAT $external on $interface" - done < $TMP_DIR/nat -} - -# -# Delete existing Static NAT -# -delete_nat() { - run_iptables -t nat -F - run_iptables -t nat -X - - if [ -f ${STATEDIR}/nat ]; then - while read external interface; do - qt ip addr del $external dev $interface - done < ${STATEDIR}/nat - - rm -f {$STATEDIR}/nat - fi - - [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat -} - -# -# Setup Network Mapping (NETMAP) -# -setup_netmap() { - - while read type net1 interface net2 ; do - expandv type net1 interface net2 - - list_search $interface $ALL_INTERFACES || \ - fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" - - case $type in - DNAT) - addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2 - ;; - SNAT) - addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2 - ;; - *) - fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\"" - ;; - esac - - progress_message " Network $net1 on $interface mapped to $net2 ($type)" - - done < $TMP_DIR/netmap -} - -# -# Setup ECN disabling rules -# -setup_ecn() # $1 = file name -{ - local interfaces="" - local hosts= - local h - - strip_file ecn $1 - - echo "Processing $1..." 
- - while read interface host; do - expandv interface host - list_search $interface $ALL_INTERFACES || \ - startup_error "Unknown interface $interface" - list_search $interface $interfaces || \ - interfaces="$interfaces $interface" - [ "x$host" = "x-" ] && host= - for h in $(separate_list ${host:-0.0.0.0/0}); do - hosts="$hosts $interface:$h" - done - done < $TMP_DIR/ecn - - if [ -n "$interfaces" ]; then - progress_message "Setting up ECN control on${interfaces}..." - - for interface in $interfaces; do - chain=$(ecn_chain $interface) - if mangle_chain_exists $chain; then - flushmangle $chain - else - run_iptables -t mangle -N $chain - run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain - run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain - fi - done - - for host in $hosts; do - interface=${host%:*} - h=${host#*:} - run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove - progress_message " ECN Disabled to $h through $interface" - done - fi -} - -# -# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the -# default marking chain -# -process_tc_rule() -{ - chain=$MARKING_CHAIN target="MARK --set-mark" marktest= - - verify_designator() { - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - chain=$1 - mark="${mark%:*}" - } - - add_a_tc_rule() { - r= - - if [ "x$source" != "x-" ]; then - case $source in - *.*.*) - r="$(source_ip_range $source) " - ;; - ~*) - r="$(mac_match $source) " - ;; - $FW:*) - chain=tcout - r="$(source_ip_range ${source%:*}) " - ;; - $FW) - chain=tcout - ;; - *) - verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" - r="$(match_source_dev) $source " - ;; - esac - fi - - if [ "x${user:--}" != "x-" ]; then - - [ "$chain" != tcout ] && \ - fatal_error "Invalid use of a user/group: rule \"$rule\"" - - case "$user" in - *:*) - r="$r-m owner" - temp="${user%:*}" - [ -n 
"$temp" ] && r="$r --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && r="$r --gid-owner $temp " - ;; - *) - r="$r-m owner --uid-owner $user " - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - if [ "x$dest" != "x-" ]; then - case $dest in - *.*.*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x$proto" = xipp2p ]; then - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p tcp -m ipp2p --${port} " - else - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}--dport $port " - fi - - [ "x$sport" = "x-" ] || r="${r}--sport $sport " - - case $chain in - tcpost) - run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark - ;; - *) - run_iptables2 -t mangle -A $chain $r -j $target $mark - ;; - esac - - } - - if [ "$mark" != "${mark%:*}" ]; then - case "${mark#*:}" in - p|P) - verify_designator tcpre - ;; - cp|CP) - verify_designator tcpre - target="CONNMARK --set-mark" - ;; - f|F) - verify_designator tcfor - ;; - cf|CF) - verify_designator tcfor - target="CONNMARK --set-mark" - ;; - c|C) - target="CONNMARK --set-mark" - mark=${mark%:*} - ;; - *) - chain=tcpost - ;; - esac - fi - - case $mark in - SAVE) - target="CONNMARK --save-mark" - mark= - ;; - SAVE/*) - target="CONNMARK --save-mark --mask" - mark=${mark#*/} - ;; - RESTORE) - target="CONNMARK --restore-mark" - mark= - ;; - RESTORE/*) - target="CONNMARK --restore-mark --mask" - mark=${mark#*/} - ;; - CONTINUE) - target=RETURN - mark= - ;; - esac - - case $testval in - -) - ;; - !*:C) - marktest="connmark ! " - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! 
" - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - for source in $(separate_list ${sources:=-}); do - for dest in $(separate_list ${dests:=-}); do - for port in $(separate_list ${ports:=-}); do - for sport in $(separate_list ${sports:=-}); do - add_a_tc_rule - done - done - done - done - - progress_message " TC Rule \"$rule\" added" -} - -# -# Setup queuing and classes -# -setup_tc1() { - # - # Create the TC mangle chains - # - - run_iptables -t mangle -N tcpre - run_iptables -t mangle -N tcfor - run_iptables -t mangle -N tcout - run_iptables -t mangle -N tcpost - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports user testval; do - expandv mark sources dests proto ports sports user testval - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval") - process_tc_rule - done < $TMP_DIR/tcrules - # - # Link to the TC mangle chains from the main chains - # - - run_iptables -t mangle -A FORWARD -j tcfor - run_iptables -t mangle -A PREROUTING -j tcpre - run_iptables -t mangle -A OUTPUT -j tcout - run_iptables -t mangle -A POSTROUTING -j tcpost - - f=$(find_file tcstart) - - if [ -f $f ]; then - - run_user_exit tcstart - - save_progress_message "Restoring Traffic Control..." - save_command . $(find_file tcstart) - fi -} - -setup_tc() { - - echo "Setting up Traffic Control Rules..." 
- - setup_tc1 -} - -# -# Clear Traffic Shaping -# -delete_tc() -{ - - clear_one_tc() { - run_and_save_command "tc qdisc del dev $1 root 2> /dev/null" - run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" - - } - - save_progress_message "Clearing Traffic Control/QOS" - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -delete_tc1() -{ - - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Process a record from the accounting file -# -process_accounting_rule() { - rule= - rule2= - jumpchain= - - accounting_error() { - error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user - } - - accounting_interface_error() { - error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user - } - - accounting_interface_verify() { - verify_interface $1 || accounting_interface_error $1 - } - - jump_to_chain() { - if ! havechain $jumpchain; then - if ! 
createchain2 $jumpchain No; then - accounting_error - return 2 - fi - fi - - rule="$rule -j $jumpchain" - } - - case $source in - *:*) - accounting_interface_verify ${source%:*} - rule="-s ${source#*:} $(match_source_dev ${source%:*})" - ;; - *.*.*.*) - rule="-s $source" - ;; - -|all|any) - ;; - *) - if [ -n "$source" ]; then - accounting_interface_verify $source - rule="$(match_source_dev $source)" - fi - ;; - esac - - [ -n "$dest" ] && case $dest in - *:*) - accounting_interface_verify ${dest%:*} - rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})" - ;; - *.*.*.*) - rule="$rule $(dest_ip_range $dest)" - ;; - -|all|any) - ;; - *) - accounting_interface_verify $dest - rule="$rule $(match_dest_dev $dest)" - ;; - esac - - [ -n "$proto" ] && case $proto in - -|any|all) - ;; - ipp2p) - rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" - port= - ;; - *) - rule="$rule -p $proto" - ;; - esac - - [ -n "$port" ] && case $port in - -|any|all) - ;; - *) - rule="$rule --dport $port" - ;; - esac - - [ -n "$sport" ] && case $sport in - -|any|all) - ;; - *) - rule="$rule --sport $sport" - ;; - esac - - [ -n "$user" ] && case $user in - -|any|all) - ;; - *:*) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner" - temp="${user%:*}" - [ -n "$temp" ] && rule="$rule --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && rule="$rule --gid-owner $temp " - ;; - *) - [ "$chain" != OUTPUT ] && \ - fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain" - rule="$rule -m owner --uid-owner $user " - ;; - esac - - case $action in - COUNT) - ;; - DONE) - rule="$rule -j RETURN" - ;; - *:COUNT) - rule2="$rule" - jumpchain=${action%:*} - jump_to_chain || return - ;; - JUMP:*) - jumpchain=${action#*:} - jump_to_chain || return - ;; - *) - jumpchain=$action - jump_to_chain || return - ;; - esac - - [ "x$chain" = "x-" ] && chain=accounting - [ -z "$chain" ] && chain=accounting - - 
ensurechain1 $chain - - if $IPTABLES -A $chain $(fix_bang $rule) ; then - [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 - progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added - else - accounting_error - fi -} - -# -# Set up Accounting -# -setup_accounting() # $1 = Name of accounting file -{ - - echo "Setting up Accounting..." - - strip_file accounting $1 - - while read action chain source dest proto port sport user ; do - expandv action chain source dest proto port sport user - process_accounting_rule - done < $TMP_DIR/accounting - - if havechain accounting; then - for chain in INPUT FORWARD OUTPUT; do - run_iptables -A $chain -j accounting - done - fi - -} - -# -# Check the configuration -# -check_config() { - - disclaimer() { - echo - echo "Notice: The 'check' command is provided to catch" - echo " obvious errors in a Shorewall configuration." - echo " It is not designed to catch all possible errors" - echo " so please don't submit problem reports about" - echo " error conditions that 'check' doesn't find" - echo - } - - - report_capabilities - - echo "Verifying Configuration..." - - verify_os_version - - if [ -n "$BRIDGING" ]; then - [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" - fi - - echo "Determining Zones..." - - determine_zones - check_duplicate_zones - - [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" - - display_list "Zones:" $zones - - ipsecfile=$(find_file ipsec) - - [ -f $ipsecfile ] && \ - echo "Validating ipsec file..." && \ - setup_ipsec $ipsecfile - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - echo "Validating policy file..." - - validate_policy - - echo "Pre-validating Actions..." - - process_actions1 - - echo "Validating rules file..." 
- - rules=$(find_file rules) - strip_file rules $rules - process_rules - - echo "Validating Actions..." - - process_actions2 - process_actions3 - - rm -rf $TMP_DIR - [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE - - echo "Configuration Validated" - - disclaimer - -} - -# -# Refresh queuing and classes -# -refresh_tc() { - - echo "Refreshing Traffic Control Rules..." - - [ -n "$CLEAR_TC" ] && delete_tc1 - - [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre - - if mangle_chain_exists $chain; then - # - # Flush the TC mangle chains - # - run_iptables -t mangle -F $chain - - run_iptables -t mangle -F tcout - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports; do - expandv mark sources dests proto ports sports - rule=$(echo "$mark $sources $dests $proto $ports $sports") - process_tc_rule - done < $TMP_DIR/tcrules - - run_user_exit tcstart - else - setup_tc1 - fi - -} - -# -# Add one Filter Rule from an action -- Helper function for the action file processor -# -# The caller has established the following variables: -# COMMAND = current command. If 'check', we're executing a 'check' -# which only goes through the motions. 
-# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# action = The chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup = owner match clause -# logtag = Log tag -# -add_an_action() -{ - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - action_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). - - cli= - - case "$client" in - -) - ;; - *:*) - action_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*) - cli="-s $client" - ;; - ~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - action_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
- - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - action_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - servport=$serverport - multiport= - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - [ "$target" = QUEUE ] && proto="$proto --syn" - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. setup - - case "$logtarget" in - LOG) - [ -z "$loglevel" ] && fatal_error "LOG requires log level" - ;; - esac - - if [ $COMMAND != check ]; then - if [ -n "${serv}" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) - fi - - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target - done - done - else - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $dest_interface $dports) - fi - - run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \ - $dports $ratelimit $userandgroup -j $target - fi - fi -} - -# -# Process a record from an action file for the 'start', 'restart' or 'check' commands -# -process_action() # $1 = chain (Chain to add the rules to) - # $2 = action (The action name for logging 
purposes) - # $3 = target (The (possibly modified) contents of the TARGET column) - # $4 = clients - # $5 = servers - # $6 = protocol - # $7 = ports - # $8 = cports - # $9 = ratelimit - # $10 = userspec -{ - local chain="$1" - local action="$2" - local target="$3" - local clients="$4" - local servers="$5" - local protocol="$6" - local ports="$7" - local cports="$8" - local ratelimit="$9" - local userspec="${10}" - local userandgroup= - local logtag= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - -) - ratelimit= - ;; - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - [ "x$userspec" = "x-" ] && userspec= - - if [ -n "$userspec" ]; then - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - userandgroup="-m owner" - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - userandgroup="-m owner ! 
--uid-owner ${userspec#!}" - ;; - *) - userandgroup="-m owner --uid-owner $userspec" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - case $loglevel in - none*) - loglevel= - logtag= - [ $target = LOG ] && return - ;; - esac - - loglevel=${loglevel%\!} - fi - - logtarget="$target" - - case $target in - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - *) - ;; - esac - - # Generate Netfilter rule(s) - - [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_an_action() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_an_action - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_an_action - done - done - done - done - fi - # - # Report Result - # - if [ $COMMAND = check ]; then - progress_message " Rule \"$rule\" checked." - else - progress_message " Rule \"$rule\" added." - fi -} - -# -# Create and record a log action chain -- Log action chains have names -# that are formed from the action name by prepending a "%" and appending -# a 1- or 2-digit sequence number. In the functions that follow, -# the CHAIN, LEVEL and TAG variable serves as arguments to the user's -# exit. We call the exit corresponding to the name of the action but we -# set CHAIN to the name of the iptables chain where rules are to be added. -# Similarly, LEVEL and TAG contain the log level and log tag respectively. -# -# For each , we maintain two variables: -# -# _actchain - The action chain number. -# _chains - List of ( level[:tag] , chainname ) pairs -# -# The maximum length of a chain name is 30 characters -- since the log -# action chain name is 2-3 characters longer than the base chain name, -# this function truncates the original chain name where necessary before -# it adds the leading "%" and trailing sequence number. 
- -createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] -{ - local actchain= action=$1 level=$2 - - eval actchain=\${${action}_actchain} - - case ${#action} in - 29|30) - CHAIN=$(echo $action | truncate 28) # %...n makes 30 - ;; - *) - CHAIN=${action} - ;; - esac - - [ "$COMMAND" != check ] && \ - while havechain %${CHAIN}${actchain}; do - actchain=$(($actchain + 1)) - [ $actchain -eq 10 -a ${#CHAIN} -eq 28 ] && CHAIN=$(echo $CHAIN | truncate 27) # %...nn makes 30 - done - - CHAIN=%${CHAIN}${actchain} - - eval ${action}_actchain=$(($actchain + 1)) - - if [ $COMMAND != check ]; then - createchain $CHAIN No - LEVEL=${level%:*} - if [ "$LEVEL" != "$level" ]; then - TAG=${level#*:} - else - TAG= - fi - run_user_exit $1 - fi - - eval ${action}_chains=\"\$${action}_chains $level $CHAIN\" - -} - -# -# Create an action chain and run it's associated user exit -# - -createactionchain() # $1 = Action, including log level and tag if any -{ - case $1 in - *:*:*) - set -- $(split $1) - createlogactionchain $1 $2:$3 - ;; - *:*) - set -- $(split $1) - createlogactionchain $1 $2 - ;; - *) - CHAIN=$1 - if [ $COMMAND != check ]; then - LEVEL= - TAG= - createchain $CHAIN no - run_user_exit $CHAIN - fi - ;; - esac -} - -# -# Find the chain that handles the passed action. If the chain cannot be found, -# a fatal error is generated and the function does not return. 
-# -find_logactionchain() # $1 = Action, including log level and tag if any -{ - local fullaction=$1 action=${1%%:*} level= chains= - - case $fullaction in - *:*) - level=${fullaction#*:} - ;; - *) - if [ $COMMAND != check ]; then - havechain $action || fatal_error "Fatal error in find_logactionchain" - fi - - echo $action - return - ;; - esac - - eval chains="\$${action}_chains" - - set -- $chains - - while [ $# -gt 0 ]; do - [ "$1" = "$level" ] && { echo $2 ; return ; } - shift;shift - done - - fatal_error "Fatal error in find_logactionchain" - -} - -# -# This function determines the logging for a subordinate action or a rule within a subordinate action -# -merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called -{ - local superior=$1 subordinate=$2 - - set -- $(split $1) - - case $superior in - *:*:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' - return - ;; - *'!') - echo ${subordinate%%:*}:$2:$3 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2:$3 - return - ;; - esac - ;; - esac - ;; - *:*) - case $2 in - 'none!') - echo ${subordinate%%:*}:'none!' - return - ;; - *'!') - echo ${subordinate%%:*}:$2 - return - ;; - *) - case $subordinate in - *:*) - echo $subordinate - return - ;; - *) - echo ${subordinate%%:*}:$2 - return - ;; - esac - ;; - esac - ;; - *) - echo $subordinate - ;; - esac -} - -# -# The next three functions implement the three phases of action processing. -# -# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std -# and /etc/shorewall/actions are scanned (in that order) and for each action: -# -# a) The related action definition file is located and scanned. -# b) Forward and unresolved action references are trapped as errors. -# c) A dependency graph is created. 
For each , the variable 'requiredby_' lists the -# action[:level[:tag]] of each action invoked by . -# d) All actions are listed in the global variable ACTIONS. -# e) Common actions are recorded (in variables of the name _common) and are added to the global -# USEDACTIONS -# -# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an -# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name -# %n is used where the name is truncated on the right where necessary to ensure that the total -# length of the chain name does not exceed 30 characters. -# -# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of -# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created. -# -# The final phase (process_actions3) is to traverse the USEDACTIONS list populating each chain appropriately -# by reading the action definition files and creating rules. Note that a given action definition file is -# processed once for each unique [:level[:tag]] applied to an invocation of the action. -# -process_actions1() { - - ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP" - - USEDACTIONS= - - strip_file actions - - strip_file actions.std /usr/share/shorewall/actions.std - - for inputfile in actions.std actions; do - while read xaction rest; do - [ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" - - case $xaction in - *:*) - temp=${xaction#*:} - [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" - xaction=${xaction%:*} - case $temp in - ACCEPT|REJECT|DROP|QUEUE) - eval ${temp}_common=$xaction - if [ -n "$xaction" ] && ! 
list_search $xaction $USEDACTIONS; then - USEDACTIONS="$USEDACTIONS $xaction" - fi - ;; - *) - startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE" - ;; - esac - esac - - [ -z "$xaction" ] && continue - - [ "$xaction" = "$(chain_base $xaction)" ] || startup_error "Invalid Action Name: $xaction" - - if ! list_search $xaction $ACTIONS; then - f=action.$xaction - fn=$(find_file $f) - - eval requiredby_${action}= - - if [ -f $fn ]; then - echo " Pre-processing $fn..." - strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do - expandv xtarget - temp="${xtarget%%:*}" - case "$temp" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - ;; - *) - if list_search $temp $ACTIONS; then - eval requiredby_${xaction}=\"\$requiredby_${xaction} $xtarget\" - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - startup_error "Invalid TARGET in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/$f - else - startup_error "Missing Action File: $f" - fi - - ACTIONS="$ACTIONS $xaction" - fi - done < $TMP_DIR/$inputfile - done -} - -process_actions2() { - - local interfaces="$(find_interfaces_by_option upnp)" - - if [ -n "$interfaces" ]; then - if ! list_search forwardUPnP $USEDACTIONS; then - error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)" - USEDACTIONS="$USEDACTIONS forwardUPnP" - fi - fi - - progress_message " Generating Transitive Closure of Used-action List..." - - changed=Yes - - while [ -n "$changed" ]; do - changed= - for xaction in $USEDACTIONS; do - - eval required=\"\$requiredby_${xaction%%:*}\" - - for xaction1 in $required; do - # - # Generate the action that will be passed to process_action by merging the - # logging specified when the action was invoked with the logging in the - # invocation of the subordinate action (usually no logging) - # - xaction2=$(merge_levels $xaction $xaction1) - - if ! 
list_search $xaction2 $USEDACTIONS; then - # - # We haven't seen this one before -- create and record a chain to handle it - # - USEDACTIONS="$USEDACTIONS $xaction2" - createactionchain $xaction2 - changed=Yes - fi - done - done - done -} - -process_actions3() { - - for xaction in $USEDACTIONS; do - # - # Find the chain associated with this action:level:tag - # - xchain=$(find_logactionchain $xaction) - # - # Split the action:level:tag - # - set -- $(split $xaction) - - xaction1=$1 - xlevel=$2 - xtag=$3 - # - # Handle Builtin actions - # - case $xaction1 in - dropBcast) - if [ "$COMMAND" != check ]; then - if [ -n "$PKTTYPE" ]; then - case $xlevel in - none'!') - ;; - *) - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast - fi - ;; - esac - - run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP - run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP - else - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - case $xlevel in - none*) - ;; - *) - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address - ;; - esac - - run_iptables -A $xchain -d $address -j DROP - done - fi - fi - ;; - allowBcast) - if [ "$COMMAND" != check ]; then - if [ -n "$PKTTYPE" ]; then - case $xlevel in - none'!') - ;; - *) - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast - fi - ;; - esac - - run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT - run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT - else - for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do - case $xlevel in - none*) - ;; - *) - [ -n "$xlevel" 
] && \ - log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address - ;; - esac - - run_iptables -A $xchain -d $address -j ACCEPT - done - fi - fi - ;; - dropNonSyn) - error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\"" - - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j DROP - fi - ;; - dropNotSyn) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j DROP - fi - ;; - rejNotSyn) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn - run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset - fi - ;; - dropInvalid) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j DROP - fi - ;; - allowInvalid) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID - run_iptables -A $xchain -m state --state INVALID -j ACCEPT - fi - ;; - forwardUPnP) - ;; - allowinUPnP) - if [ "$COMMAND" != check ]; then - if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900 - log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152 - fi - - run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT - run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT - fi - ;; - allowoutUPnP) - if [ "$COMMAND" != check ]; then - [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd - 
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT - fi - ;; - *) - # - # Not a builtin - # - f=action.$xaction1 - - echo "Processing $(find_file $f) for Chain $xchain..." - - while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do - expandv xtarget - # - # Generate the target:level:tag to pass to process_action() - # - xaction2=$(merge_levels $xaction $xtarget) - - case ${xaction2%%:*} in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) - # - # Builtin target -- Nothing to do - # - ;; - *) - # - # Not a builtin target -- Replace the target from the file - # -- with the one generated above - xtarget=$xaction2 - # - # And locate the chain for that action:level:tag - # - xaction2=$(find_logactionchain $xtarget) - ;; - esac - - expandv xclients xservers xprotocol xports xcports xratelimit xuserspec - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec - - done < $TMP_DIR/$f - ;; - esac - done -} - -# -# Add a NAT rule - Helper function for the rules file processor -# -# The caller has established the following variables: -# COMMAND = The current command -- if 'check', we just go through -# the motions. -# cli = Source IP, interface or MAC Specification -# serv = Destination IP Specification -# servport = Port the server is listening on -# dest_interface = Destination Interface Specification -# proto = Protocol Specification -# addr = Original Destination Address -# dports = Destination Port Specification. 
'dports' may be changed -# by this function -# cport = Source Port Specification -# multiport = String to invoke multiport match if appropriate -# ratelimit = Optional rate limiting clause -# userandgroup = -m owner match to limit the rule to a particular user and/or group -# logtag = Log tag -# -add_nat_rule() { - local chain - local excludedests= - - # Be sure we can NAT - - if [ -z "$NAT_ENABLED" ]; then - fatal_error "Rule \"$rule\" requires NAT which is disabled" - fi - - # Parse SNAT address if any - - if [ "$addr" != "${addr%:*}" ]; then - fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead" - fi - - # Set original destination address - - case $addr in - all) - addr= - ;; - detect) - addr= - if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then - eval interfaces=\$${source}_interfaces - for interface in $interfaces; do - addr=${addr:+$addr,}$(find_first_interface_address $interface) - done - fi - ;; - !*) - if [ $(list_count $addr) -gt 1 ]; then - excludedests="$(separate_list ${addr#\!})" - addr= - fi - ;; - esac - - addr=${addr:-0.0.0.0/0} - - # Select target - - if [ -n "$serv" ]; then - servport="${servport:+:$servport}" - serv1= - for srv in $(separate_list $serv); do - serv1="$serv1 --to-destination ${srv}${servport}" - done - target1="DNAT $serv1" - else - target1="REDIRECT --to-port $servport" - fi - - if [ $source = $FW ]; then - [ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\"" - fi - - # Generate nat table rules - - if [ $COMMAND != check ]; then - if [ "$source" = "$FW" ]; then - if [ -n "$excludedests" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - - for adr in $excludedests; do - addnatrule $chain $(dest_ip_range $adr) -j RETURN - done - - if [ -n "$loglevel" ]; then 
- log_rule $loglevel $chain $logtarget -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) - fi - - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1 - done - fi - else - chain=$(dnat_chain $source) - - if [ -n "${excludezones}${excludedests}" ]; then - chain=nonat${nonat_seq} - nonat_seq=$(($nonat_seq + 1)) - createnatchain $chain - - for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain - done - - for z in $(separate_list $excludezones); do - eval hosts=\$${z}_hosts - for host in $hosts; do - addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN - done - done - - for adr in $excludedests; do - addnatrule $chain $(dest_ip_range $adr) -j RETURN - done - - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat - fi - - addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection - else - for adr in $(separate_list $addr); do - if [ -n "$loglevel" ]; then - ensurenatchain $chain - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ - $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) - fi - - addnatrule $chain $proto $ratelimit $cli $sports \ - -d $adr $multiport $dports -j $target1 - done - fi - fi - fi - - # Replace destination port by the new destination port - - if [ -n "$servport" ]; then - if [ -z "$multiport" ]; then - dports="--dport ${servport#*:}" - else - dports="--dports ${servport#*:}" - fi - fi - - [ "x$addr" = "x0.0.0.0/0" ] && addr= - 
ratelimit= -} - -# -# Add one Filter Rule -- Helper function for the rules file processor -# -# The caller has established the following variables: -# COMMAND = current command. If 'check', we're executing a 'check' -# which only goes through the motions. -# client = SOURCE IP or MAC -# server = DESTINATION IP or interface -# protocol = Protocol -# address = Original Destination Address -# port = Destination Port -# cport = Source Port -# multioption = String to invoke multiport match if appropriate -# servport = Port the server listens on -# chain = The canonical chain for this rule -# ratelimit = Optional rate limiting clause -# userandgroup= -m owner clause -# userspec = User name -# logtag = Log tag -# -add_a_rule() -{ - local natrule= - - do_ports() { - if [ -n "$port" ]; then - dports="--dport" - if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then - multiport="$multioption" - dports="--dports" - fi - dports="$dports $port" - fi - - if [ -n "$cport" ]; then - sports="--sport" - if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then - multiport="$multioption" - sports="--sports" - fi - sports="$sports $cport" - fi - } - - interface_error() - { - fatal_error "Unknown interface $1 in rule: \"$rule\"" - } - - rule_interface_verify() - { - verify_interface $1 || interface_error $1 - } - - # Set source variables. The 'cli' variable will hold the client match predicate(s). - - cli= - - case "$client" in - -) - ;; - *:*) - rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" - ;; - *.*.*) - cli="$(source_ip_range $client)" - ;; - ~*) - cli=$(mac_match $client) - ;; - *) - if [ -n "$client" ]; then - rule_interface_verify $client - cli="$(match_source_dev $client)" - fi - ;; - esac - - # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s). 
- - dest_interface= - serv= - - case "$server" in - -) - ;; - *.*.*) - serv=$server - ;; - ~*) - fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" - ;; - *) - if [ -n "$server" ]; then - [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget" - rule_interface_verify $server - dest_interface="$(match_dest_dev $server)" - fi - ;; - esac - - # Setup protocol and port variables - - sports= - dports= - proto=$protocol - addr=$address - servport=$serverport - multiport= - - [ x$port = x- ] && port= - [ x$cport = x- ] && cport= - - case $proto in - tcp|TCP|6) - do_ports - [ "$target" = QUEUE ] && proto="$proto --syn" - ;; - udp|UDP|17) - do_ports - ;; - icmp|ICMP|1) - [ -n "$port" ] && dports="--icmp-type $port" - ;; - all|ALL) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" - proto= - ;; - ipp2p) - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=tcp - do_ports - ;; - *) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - ;; - esac - - proto="${proto:+-p $proto}" - - # Some misc. 
setup - - case "$logtarget" in - ACCEPT|DROP|REJECT|CONTINUE) - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then - error_message "Warning -- Rule \"$rule\" is a POLICY" - error_message " -- and should be moved to the policy file" - fi - ;; - REDIRECT) - [ -n "$serv" ] && \ - fatal_error "REDIRECT rules cannot specify a server IP; rule: \"$rule\"" - servport=${servport:=$port} - natrule=Yes - ;; - DNAT) - [ -n "$serv" ] || \ - fatal_error "DNAT rules require a server address; rule: \"$rule\"" - natrule=Yes - ;; - LOG) - [ -z "$loglevel" ] && \ - fatal_error "LOG requires log level" - ;; - esac - - if [ -n "${serv}${servport}" ]; then - if [ $COMMAND != check ]; then - - # A specific server or server port given - - if [ -n "$natrule" ]; then - add_nat_rule - elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then - fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" - fi - - if [ -z "$dnat_only" ]; then - if [ -n "$serv" ]; then - for serv1 in $(separate_list $serv); do - for srv in $(firewall_ip_range $serv1); do - if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then - for adr in $(separate_list $addr); do - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ - $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) - fi - - run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ - $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $(dest_ip_range $srv) 
$dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target - fi - done - done - else - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $sports $multiport $cli $dports) - fi - - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target - fi - fi - fi - else - - # Destination is a simple zone - - [ -n "$addr" ] && fatal_error \ - "An ORIGINAL DESTINATION ($addr) is only allowed in" \ - " a DNAT or REDIRECT: \"$rule\"" - - if [ $COMMAND != check ]; then - if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) - fi - - if [ "$logtarget" != LOG ]; then - [ -n "$nonat" ] && \ - addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $userandgroup -j RETURN - - [ "$logtarget" != NONAT ] && \ - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $userandgroup -j $target - fi - fi - fi -} - -# -# Process a record from the rules file for the 'start', 'restart' or 'check' commands -# -process_rule() # $1 = target - # $2 = clients - # $3 = servers - # $4 = protocol - # $5 = ports - # $6 = cports - # $7 = address - # $8 = ratelimit - # $9 = userspec -{ - local target="$1" - local clients="$2" - local servers="$3" - local protocol="$4" - local ports="$5" - local cports="$6" - local address="$7" - local ratelimit="$8" - local userspec="$9" - local userandgroup= - local logtag= - local nonat= - - # Function Body 
- isolate rate limit - - [ "x$ratelimit" = "x-" ] && ratelimit= - - if [ -n "$ratelimit" ]; then - case $ratelimit in - *:*) - ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" - ;; - *) - ratelimit="-m limit --limit $ratelimit" - ;; - esac - fi - - # Isolate log level - - if [ "$target" = "${target%:*}" ]; then - loglevel= - else - loglevel="${target#*:}" - target="${target%%:*}" - expandv loglevel - if [ "$loglevel" != "${loglevel%:*}" ]; then - logtag="${loglevel#*:}" - loglevel="${loglevel%:*}" - expandv logtag - fi - - if [ "$loglevel" = none ]; then - [ "$target" = LOG ] && return - loglevel= - logtag= - fi - - loglevel=${loglevel%\!} - fi - # - # Save the original target in 'logtarget' for logging rules - # - logtarget=${target%-} - # - # Targets ending in "-" only apply to the nat table - # - [ $target = $logtarget ] && dnat_only= || dnat_only=Yes - - # Tranform the rule: - # - # - parse the user specification - # - set 'target' to the filter table target. - # - make $FW the destination for REDIRECT - # - remove '-' suffix from logtargets while setting 'dnat_only' - # - clear 'address' if it has been set to '-' - - [ "x$userspec" = x- ] && userspec= - [ "x$address" = "x-" ] && address= - - if [ -n "$userspec" ]; then - case "$userspec" in - !*:*) - if [ "$userspec" != "!:" ]; then - userandgroup="-m owner" - temp="${userspec#!}" - temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" - fi - ;; - *:*) - if [ "$userspec" != ":" ]; then - userandgroup="-m owner" - temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" - temp="${userspec#*:}" - [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi - ;; - !*) - userandgroup="-m owner ! 
--uid-owner ${userspec#!}" - ;; - *) - userandgroup="-m owner --uid-owner $userspec" - ;; - esac - fi - - case $target in - ACCEPT+|NONAT) - nonat=Yes - target=ACCEPT - ;; - ACCEPT|LOG) - ;; - DROP) - [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" - ;; - REJECT) - target=reject - ;; - CONTINUE) - target=RETURN - ;; - DNAT*) - target=ACCEPT - address=${address:=detect} - ;; - REDIRECT*) - target=ACCEPT - address=${address:=all} - if [ "x-" = "x$servers" ]; then - servers=$FW - else - servers="$FW::$servers" - fi - ;; - esac - - # Parse and validate source - - if [ "$clients" = "${clients%:*}" ]; then - clientzone="$clients" - clients= - else - clientzone="${clients%%:*}" - clients="${clients#*:}" - [ -z "$clientzone" -o -z "$clients" ] && \ - fatal_error "Empty source zone or qualifier: rule \"$rule\"" - fi - - if [ "$clientzone" = "${clientzone%!*}" ]; then - excludezones= - else - excludezones="${clientzone#*!}" - clientzone="${clientzone%!*}" - - [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ - fatal_error "Exclude list only allowed with DNAT or REDIRECT" - fi - - validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" - - # Parse and validate destination - - source=$clientzone - - if [ $source = $FW ]; then - source_hosts= - elif [ -n "$userspec" ]; then - fatal_error "Invalid use of a user-qualification: rule \"$rule\"" - else - eval source_hosts=\"\$${source}_hosts\" - fi - - if [ "$servers" = "${servers%:*}" ] ; then - serverzone="$servers" - servers= - serverport= - else - serverzone="${servers%%:*}" - servers="${servers#*:}" - if [ "$servers" != "${servers%:*}" ] ; then - serverport="${servers#*:}" - servers="${servers%:*}" - [ -z "$serverzone" -o -z "$serverport" ] && \ - fatal_error "Empty destination zone or server port: rule \"$rule\"" - else - serverport= - [ -z "$serverzone" -o -z "$servers" ] && \ - fatal_error "Empty destination zone or qualifier: rule \"$rule\"" - fi - fi - - if ! 
validate_zone $serverzone; then - fatal_error "Undefined Server Zone in rule \"$rule\"" - fi - - dest=$serverzone - - # Ensure that this rule doesn't apply to a NONE policy pair of zones - - chain=${source}2${dest} - - eval policy=\$${chain}_policy - - [ -z "$policy" ] && \ - fatal_error "No policy defined from zone $source to zone $dest" - - [ $policy = NONE ] && \ - fatal_error "Rules may not override a NONE policy: rule \"$rule\"" - - # Create the canonical chain if it doesn't already exist - - [ $COMMAND = check ] || ensurechain $chain - - # Generate Netfilter rule(s) - - protocol=${protocol:=all} - - case $logtarget in - DNAT*) - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - server=${servers:=-} - add_a_rule - done - done - done - fi - ;; - *) - - if [ -n "$XMULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] - then - # - # Extended MULTIPORT is enabled, and less than - # 16 ports are listed (port ranges count as two ports) - use multiport match. - # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - elif [ -n "$MULTIPORT" ] && \ - ! list_search $protocol "icmp" "ICMP" "1" && \ - [ "$ports" = "${ports%:*}" -a \ - "$cports" = "${cports%:*}" -a \ - $(list_count $ports) -le 15 -a \ - $(list_count $cports) -le 15 ] - then - # - # MULTIPORT is enabled, there are no port ranges in the rule and less than - # 16 ports are listed - use multiport match. 
- # - multioption="-m multiport" - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done - done - else - # - # MULTIPORT is disabled or the rule isn't compatible with multiport match - # - multioption= - for client in $(separate_list ${clients:=-}); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_a_rule - done - done - done - done - fi - ;; - esac - # - # Report Result - # - if [ $COMMAND = check ]; then - progress_message " Rule \"$rule\" checked." - else - progress_message " Rule \"$rule\" added." - fi -} - -# -# Process the rules file for the 'start', 'restart' or 'check' command. -# -process_rules() -{ - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() { - local yclients yservers ysourcezone ydestzone ypolicy - - for yclients in $xclients; do - for yservers in $xservers; do - ysourcezone=${yclients%%:*} - ydestzone=${yservers%%:*} - if [ "${ysourcezone}" != "${ydestzone}" ] ; then - eval ypolicy=\$${ysourcezone}2${ydestzone}_policy - if [ "$ypolicy" != NONE ] ; then - rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - fi - fi - done - done - } - - do_it() { - expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec - - if [ "x$xclients" = xall ]; then - xclients="$zones $FW" - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - fi - process_wildcard_rule - continue - fi - - if [ "x$xservers" = xall ]; then - xservers="$zones $FW" - process_wildcard_rule - continue - fi - - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports 
$xaddress $xratelimit $xuserspec)" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec - } - - while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do - expandv xtarget - - case "${xtarget%%:*}" in - ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) - do_it - ;; - *) - if list_search ${xtarget%%:*} $ACTIONS; then - if ! list_search $xtarget $USEDACTIONS; then - createactionchain $xtarget - USEDACTIONS="$USEDACTIONS $xtarget" - fi - - xtarget=$(find_logactionchain $xtarget) - do_it - else - rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" - fatal_error "Invalid Action in rule \"$rule\"" - fi - ;; - - esac - done < $TMP_DIR/rules -} - -# -# Process a record from the tos file -# -# The caller has loaded the column contents from the record into the following -# variables: -# -# src dst protocol sport dport tos -# -# and has loaded a space-separated list of their values in "rule". -# -process_tos_rule() { - # - # Parse the contents of the 'src' variable - # - if [ "$src" = "${src%:*}" ]; then - srczone="$src" - src= - else - srczone="${src%:*}" - src="${src#*:}" - fi - - source= - # - # Validate the source zone - # - if validate_zone $srczone; then - source=$srczone - elif [ "$srczone" = "all" ]; then - source="all" - else - error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$src" ] && case "$src" in - *.*.*) - # - # IP Address or networks - # - src="$(source_ip_range $src)" - ;; - ~*) - src=$(mac_match $src) - ;; - *) - # - # Assume that this is a device name - # - if ! 
verify_interface $src ; then - error_message "Warning: Unknown Interface in rule \"$rule\" ignored" - return - fi - - src="$(match_source_dev $src)" - ;; - esac - - # - # Parse the contents of the 'dst' variable - # - if [ "$dst" = "${dst%:*}" ]; then - dstzone="$dst" - dst= - else - dstzone="${dst%:*}" - dst="${dst#*:}" - fi - - dest= - # - # Validate the destination zone - # - if validate_zone $dstzone; then - dest=$dstzone - elif [ "$dstzone" = "all" ]; then - dest="all" - else - error_message \ - "Warning: Undefined Destination Zone - rule \"$rule\" ignored" - return - fi - - [ -n "$dst" ] && case "$dst" in - *.*.*) - # - # IP Address or networks - # - ;; - *) - # - # Assume that this is a device name - # - error_message \ - "Warning: Invalid Destination - rule \"$rule\" ignored" - return - ;; - esac - - # - # Setup PROTOCOL and PORT variables - # - sports="" - dports="" - - case $protocol in - tcp|udp|TCP|UDP|6|17) - [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \ - sports="--sport $sport" - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--dport $dport" - ;; - icmp|ICMP|0) - [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \ - dports="--icmp-type $dport" - ;; - all|ALL) - protocol= - ;; - *) - ;; - esac - - protocol="${protocol:+-p $protocol}" - - tos="-j TOS --set-tos $tos" - - case "$dstzone" in - all|ALL) - dst=0.0.0.0/0 - ;; - *) - [ -z "$dst" ] && eval dst=\$${dstzone}_hosts - ;; - esac - - for dest in $dst; do - dest="$(dest_ip_range $dest)" - - case $srczone in - $FW) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - ;; - all|ALL) - run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos - run_iptables2 -t mangle -A pretos \ - $protocol $dest $dports $sports $tos - ;; - *) - if [ -n "$src" ]; then - run_iptables2 -t mangle -A pretos $src \ - $protocol $dest $dports $sports $tos - else - eval interfaces=\$${srczone}_interfaces - - for interface in $interfaces; do - run_iptables2 -t mangle -A pretos 
-i $interface \ - $protocol $dest $dports $sports $tos - done - fi - ;; - esac - done - - progress_message " Rule \"$rule\" added." -} - -# -# Process the tos file -# -process_tos() # $1 = name of tos file -{ - echo "Processing $1..." - - run_iptables -t mangle -N pretos - run_iptables -t mangle -N outtos - - strip_file tos $1 - - while read src dst protocol sport dport tos; do - expandv src dst protocol sport dport tos - rule="$(echo $src $dst $protocol $sport $dport $tos)" - process_tos_rule - done < $TMP_DIR/tos - - run_iptables -t mangle -A PREROUTING -j pretos - run_iptables -t mangle -A OUTPUT -j outtos -} - -# -# Display elements of a list with leading white space -# -display_list() # $1 = List Title, rest of $* = list to display -{ - [ $# -gt 1 ] && echo " $*" -} - -# -# Add policy rule ( and possibly logging rule) to the passed chain -# -policy_rules() # $1 = chain to add rules to - # $2 = policy - # $3 = loglevel -{ - local target="$2" - - case "$target" in - ACCEPT) - [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common - ;; - DROP) - [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common - ;; - REJECT) - [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common - target=reject - ;; - QUEUE) - [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common - ;; - CONTINUE) - target= - ;; - *) - fatal_error "Invalid policy ($policy) for $1" - ;; - esac - - if [ $# -eq 3 -a "x${3}" != "x-" ]; then - log_rule $3 $1 $2 - fi - - [ -n "$target" ] && run_iptables -A $1 -j $target -} - -# -# Generate default policy & log level rules for the passed client & server -# zones -# -# This function is only called when the canonical chain for this client/server -# pair is known to exist. If the default policy for this pair specifies the -# same chain then we add the policy (and logging) rule to the canonical chain; -# otherwise add a rule to the canonical chain to jump to the appropriate -# policy chain. 
-#
-default_policy() # $1 = client $2 = server
-{
- local chain="${1}2${2}"
- local policy=
- local loglevel=
- local chain1
-
- jump_to_policy_chain() {
- #
- # Add a jump to from the canonical chain to the policy chain. On return,
- # $chain is set to the name of the policy chain
- #
- run_iptables -A $chain -j $chain1
- chain=$chain1
- }
-
- apply_default()
- {
- #
- # Generate policy file column values from the policy chain
- #
- eval policy=\$${chain1}_policy
- eval loglevel=\$${chain1}_loglevel
- eval synparams=\$${chain1}_synparams
- #
- # Add the appropriate rules to the canonical chain ($chain) to enforce
- # the specified policy
-
- if [ "$chain" = "$chain1" ]; then
- #
- # The policy chain is the canonical chain; add policy rule to it
- # The syn flood jump has already been added if required.
- #
- policy_rules $chain $policy $loglevel
- else
- #
- # The policy chain is different from the canonical chain -- approach
- # depends on the policy
- #
- case $policy in
- ACCEPT|QUEUE)
- if [ -n "$synparams" ]; then
- #
- # To avoid double-counting SYN packets, enforce the policy
- # in this chain.
- #
- enable_syn_flood_protection $chain $chain1
- policy_rules $chain $policy $loglevel
- else
- #
- # No problem with double-counting so just jump to the
- # policy chain.
- #
- jump_to_policy_chain
- fi
- ;;
- CONTINUE)
- #
- # Silly to jump to the policy chain -- add any logging
- # rules and enable SYN flood protection if requested
- #
- [ -n "$synparams" ] && \
- enable_syn_flood_protection $chain $chain1
- policy_rules $chain $policy $loglevel
- ;;
- *)
- #
- # DROP or REJECT policy -- enforce in the policy chain and
- # enable SYN flood protection if requested. 
- #
- [ -n "$synparams" ] && \
- enable_syn_flood_protection $chain $chain1
- jump_to_policy_chain
- ;;
- esac
- fi
-
- progress_message " Policy $policy for $1 to $2 using chain $chain"
- }
-
- eval chain1=\$${1}2${2}_policychain
-
- if [ -n "$chain1" ]; then
- apply_default $1 $2
- else
- fatal_error "No default policy for zone $1 to zone $2"
- fi
-}
-
-#
-# Complete a standard chain
-#
-# - run any supplied user exit
-# - search the policy file for an applicable policy and add rules as
-# appropriate
-# - If no applicable policy is found, add rules for an assummed
-# policy of DROP INFO
-#
-complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
-{
- local policy=
- local loglevel=
- local policychain=
-
- run_user_exit $1
-
- eval policychain=\$${2}2${3}_policychain
-
- if [ -n "$policychain" ]; then
- eval policy=\$${policychain}_policy
- eval loglevel=\$${policychain}_loglevel
-
- policy_rules $1 $policy $loglevel
- else
- policy_rules $1 DROP INFO
- fi
-}
-
-#
-# Find the appropriate chain to pass packets from a source zone to a
-# destination zone
-#
-# If the canonical chain for this zone pair exists, echo it's name; otherwise
-# locate and echo the name of the appropriate policy chain
-#
-rules_chain() # $1 = source zone, $2 = destination zone
-{
- local chain=${1}2${2}
-
- havechain $chain && { echo $chain; return; }
-
- [ "$1" = "$2" ] && { echo ACCEPT; return; }
-
- eval chain=\$${chain}_policychain
-
- [ -n "$chain" ] && { echo $chain; return; }
-
- fatal_error "No policy defined for zone $1 to zone $2"
-}
-
-#
-# echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name
-{
- local address
- local rest
-
- ip route show dev $1 2> /dev/null |
- while read address rest; do
- if [ "x$address" = xdefault ]; then
- error_message "Warning: default route ignored on interface $1"
- else
- [ "$address" = "${address%/*}" ] && address="${address}/32"
- echo $address
- fi
- done
-}
-
-#
-# 
Set up Source NAT (including masquerading) -# -setup_masq() -{ - do_ipsec_options() { - local options="$(separate_list $ipsec)" option - policy="-m policy --pol ipsec --dir out" - - for option in $options; do - case $option in - [Yy]es) ;; - strict) policy="$policy --strict" ;; - next) policy="$policy --next" ;; - reqid=*) policy="$policy --reqid ${option#*=}" ;; - spi=*) policy="$policy --spi ${option#*=}" ;; - proto=*) policy="$policy --proto ${option#*=}" ;; - mode=*) policy="$policy --mode ${option#*=}" ;; - tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;; - tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;; - reqid!=*) policy="$policy ! --reqid ${option#*=}" ;; - spi!=*) policy="$policy ! --spi ${option#*=}" ;; - proto!=*) policy="$policy ! --proto ${option#*=}" ;; - mode!=*) policy="$policy ! --mode ${option#*=}" ;; - tunnel-src!=*) policy="$policy ! --tunnel-src ${option#*=}" ;; - tunnel-dst!=*) policy="$policy ! --tunnel-dst ${option#*=}" ;; - *) fatal_error "Invalid IPSEC option \"$option\"" ;; - esac - done - } - - setup_one() { - local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat= policy= destnets= - - [ "x$ipsec" = x- ] && ipsec= - - case $ipsec in - Yes|yes) - [ -n "$POLICY_MATCH" ] || \ - fatal_error "IPSEC=Yes requires policy match support in your kernel and iptables" - policy="-m policy --pol ipsec --dir out" - ;; - No|no) - [ -n "$POLICY_MATCH" ] || \ - fatal_error "IPSEC=No requires policy match support in your kernel and iptables" - policy="-m policy --pol none --dir out" - ;; - *) - if [ -n "$ipsec" ]; then - do_ipsec_options - elif [ -n "$POLICY_MATCH" ]; then - policy="-m policy --pol none --dir out" - fi - ;; - esac - - case $fullinterface in - +*) - pre_nat=Yes - fullinterface=${fullinterface#+} - ;; - esac - - case $fullinterface in - *::*) - add_snat_aliases= - destnets="${fullinterface##*:}" - fullinterface="${fullinterface%:*}" - ;; - *:*:*) - # Both alias name and networks - destnets="${fullinterface##*:}" - 
fullinterface="${fullinterface%:*}" - ;; - *:) - add_snat_aliases= - fullinterface=${fullinterface%:} - ;; - *:*) - # Alias name OR networks - case ${fullinterface#*:} in - *.*) - # It's a networks - destnets="${fullinterface#*:}" - fullinterface="${fullinterface%:*}" - ;; - *) - #it's an alias name - ;; - esac - ;; - *) - ;; - esac - - interface=${fullinterface%:*} - - if ! list_search $interface $ALL_INTERFACES; then - fatal_error "Unknown interface $interface" - fi - - if [ "$networks" = "${networks%!*}" ]; then - nomasq= - else - nomasq="${networks#*!}" - networks="${networks%!*}" - fi - - - source="$networks" - - case $source in - *.*.*) - ;; - *) - networks=$(get_routed_networks $networks) - [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" - networks="$networks" - ;; - esac - - [ "x$addresses" = x- ] && addresses= - - if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then - for address in $(separate_list $addresses); do - address=${address%:)} - if [ -n "$address" ]; then - for addr in $(ip_range_explicit ${address%:*}) ; do - if ! 
list_search $addr $aliases_to_add; then - [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface - aliases_to_add="$aliases_to_add $addr $fullinterface" - case $fullinterface in - *:*) - fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) - ;; - esac - fi - done - fi - done - fi - - [ "x$proto" = x- ] && proto= - [ "x$ports" = x- ] && ports= - - if [ -n "$proto" ]; then - - displayproto="($proto)" - - case $proto in - tcp|TCP|udp|UDP|6|17) - if [ -n "$ports" ]; then - displayproto="($proto $ports)" - - listcount=$(list_count $ports) - - if [ $listcount -gt 1 ]; then - case $ports in - *:*) - if [ -n "$XMULTIPORT" ]; then - if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then - ports="-m multiport --dports $ports" - else - fatal_error "More than 15 entries in port list ($ports)" - fi - else - fatal_error "Port Range not allowed in list ($ports)" - fi - ;; - *) - if [ -n "$MULTIPORT" ]; then - [ $listcount -le 15 ] || fatal_error "More than 15 entries in port list ($ports)" - ports="-m multiport --dports $ports" - else - fatal_error "Port Ranges require multiport match support in your kernel ($ports)" - fi - ;; - esac - else - ports="--dport $ports" - fi - fi - ;; - *) - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - ;; - esac - - proto="-p $proto" - else - displayproto="(all)" - [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" - fi - - destination=${destnets:=0.0.0.0/0} - - [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) - - case $destnets in - !*) - newchain=masq${masq_seq} - createnatchain $newchain - destnets=${destnets#!} - - for destnet in $(separate_list $destnets); do - addnatrule $newchain $(dest_ip_range $destnet) -j RETURN - done - - if [ -n "$networks" ]; then - for s in $networks; do - addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain - done - networks= - else - addnatrule $chain -j 
$newchain - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - destnets=0.0.0.0/0 - proto= - ports= - policy= - - if [ -n "$nomasq" ]; then - for addr in $(separate_list $nomasq); do - addnatrule $chain $(source_ip_range $addr) -j RETURN - done - source="$source except $nomasq" - fi - ;; - *) - if [ -n "$nomasq" ]; then - newchain=masq${masq_seq} - createnatchain $newchain - - if [ -n "$networks" ]; then - for s in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports -j $newchain - done - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain - done - fi - - masq_seq=$(($masq_seq + 1)) - chain=$newchain - networks= - destnets=0.0.0.0/0 - proto= - ports= - policy= - - for addr in $(separate_list $nomasq); do - addnatrule $chain $(source_ip_range $addr) -j RETURN - done - - source="$source except $nomasq" - fi - ;; - esac - - addrlist= - target=MASQUERADE - - if [ -n "$addresses" ]; then - for address in $(separate_list $addresses); do - case $address in - *.*.*.*) - target=SNAT - addrlist="$addrlist --to-source $address" - ;; - *) - addrlist="$addrlist --to-ports ${address#:}" - ;; - esac - done - fi - - if [ -n "$networks" ]; then - for network in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message " To $destination $displayproto from $network through ${interface} using $addresses" - else - progress_message " To $destination $displayproto from $network through ${interface}" - fi - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist - done - - if [ -n "$addresses" ]; then - progress_message " To $destination $displayproto from $source through 
${interface} using $addresses" - else - progress_message " To $destination $displayproto from $source through ${interface}" - fi - fi - - } - - strip_file masq $1 - - if [ -n "$NAT_ENABLED" ]; then - echo "Masqueraded Networks and Hosts:" - [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring Masquerading/SNAT..." - fi - - while read fullinterface networks addresses proto ports ipsec; do - expandv fullinterface networks addresses proto ports ipsec - [ -n "$NAT_ENABLED" ] && setup_one || \ - error_message "Warning: NAT disabled; masq rule ignored" - done < $TMP_DIR/masq -} - -# -# Add a record to the blacklst chain -# -# $source = address match -# $proto = protocol selector -# $dport = destination port selector -# -add_blacklist_rule() { - if [ -n "$BLACKLIST_LOGLEVEL" ]; then - log_rule $BLACKLIST_LOGLEVEL blacklst $BLACKLIST_DISPOSITION $(fix_bang $source $proto $dport) - fi - - run_iptables2 -A blacklst $source $proto $dport -j $disposition -} - -# -# Process a record from the blacklist file -# -# $networks = address/networks -# $protocol = Protocol Number/Name -# $port = Port Number/Name -# -process_blacklist_rec() { - local source - local addr - local proto - local dport - - for addr in $(separate_list $networks); do - case $addr in - ~*) - addr=$(echo $addr | sed 's/~//;s/-/:/g') - source="--match mac --mac-source $addr" - ;; - *) - source="$(source_ip_range $addr)" - ;; - esac - - if [ -n "$protocol" ]; then - proto=" -p $protocol " - - case $protocol in - tcp|TCP|6|udp|UDP|17) - if [ -n "$ports" ]; then - if [ -n "$MULTIPORT" -a \ - "$ports" != "${ports%,*}" -a \ - "$ports" = "${ports%:*}" -a \ - $(list_count $ports) -le 15 ] - then - dport="-m multiport --dports $ports" - add_blacklist_rule - else - for dport in $(separate_list $ports); do - dport="--dport $dport" - add_blacklist_rule - done - fi - else - add_blacklist_rule - fi - ;; - icmp|ICMP|0) - if [ -n "$ports" ]; then - for dport in $(separate_list $ports); do - dport="--icmp-type $dport" - 
add_blacklist_rule - done - else - add_blacklist_rule - fi - ;; - *) - add_blacklist_rule - ;; - esac - else - add_blacklist_rule - fi - - if [ -n "$ports" ]; then - addr="$addr $protocol $ports" - elif [ -n "$protocol" ]; then - addr="$addr $protocol" - fi - - progress_message " $addr added to Black List" - done -} - -# -# Setup the Black List -# -setup_blacklist() { - local hosts="$(find_hosts_by_option blacklist)" - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - local ipsec policy - - if [ -n "$hosts" -a -f $f ]; then - echo "Setting up Blacklisting..." - - strip_file blacklist $f - - createchain blacklst no - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst - done - - [ $network = 0/0.0.0.0 ] && network= || network=":$network" - - progress_message " Blacklisting enabled on ${interface}${network}" - done - - [ "$disposition" = REJECT ] && disposition=reject - - if [ -z "$DELAYBLACKLISTLOAD" ]; then - while read networks protocol ports; do - expandv networks protocol ports - process_blacklist_rec - done < $TMP_DIR/blacklist - fi - fi -} - -# -# Refresh the Black List -# -refresh_blacklist() { - local f=$(find_file blacklist) - local disposition=$BLACKLIST_DISPOSITION - - if qt $IPTABLES -L blacklst -n ; then - echo "Loading Black List..." 
-
- strip_file blacklist $f
-
- [ "$disposition" = REJECT ] && disposition=reject
-
- run_iptables -F blacklst
-
- while read networks protocol ports; do
- expandv networks protocol ports
- process_blacklist_rec
- done < $TMP_DIR/blacklist
- fi
-}
-
-#
-# Verify that kernel has netfilter support
-#
-verify_os_version() {
-
- osversion=$(uname -r)
-
- case $osversion in
- 2.4.*|2.5.*|2.6.*)
- ;;
- *)
- startup_error "Shorewall version $version does not work with kernel version $osversion"
- ;;
- esac
-
- [ $COMMAND = start -a -n "$(lsmod 2> /dev/null | grep '^ipchains')" ] && \
- startup_error "Shorewall can't start with the ipchains kernel module loaded - see FAQ #8"
-}
-
-#
-# Add IP Aliases
-#
-add_ip_aliases()
-{
- local addresses external interface inet cidr rest val
-
- address_details()
- {
- #
- # Folks feel uneasy if they don't see all of the same
- # decoration on these IP addresses that they see when their
- # distro's net config tool adds them. In an attempt to reduce
- # the anxiety level, we have the following code which sets
- # the VLSM and BRD from an existing address in the same networks
- #
- # Get all of the lines that contain inet addresses with broadcast
- #
- ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
- case $cidr in
- */*)
- if in_network $external $cidr; then
- echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
- break
- fi
- ;;
- esac
- done
- }
-
- do_one()
- {
- val=$(address_details)
-
- if [ -n "$RETAIN_ALIASES" ]; then
- run_ip addr add ${external}${val} dev $interface $label
- save_command qt ip addr add ${external}${val} dev $interface $label
- else
- ensure_and_save_command ip addr add ${external}${val} dev $interface $label
- fi
-
- echo "$external $interface" >> ${STATEDIR}/nat
- [ -n "$label" ] && label="with $label"
- progress_message " IP Address $external added to interface $interface $label"
- }
-
- set -- $aliases_to_add
-
- save_progress_message "Restoring IP Addresses..." 
-
- while [ $# -gt 0 ]; do
- external=$1
- interface=$2
- label=
-
- if [ "$interface" != "${interface%:*}" ]; then
- label="${interface#*:}"
- interface="${interface%:*}"
- label="label $interface:$label"
- fi
-
- shift;shift
-
- list_search $external $(find_interface_addresses $interface) || do_one
- done
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules()
-{
- save_modules_dir=$MODULESDIR
-
- [ -z "$MODULESDIR" ] && \
- MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-
- modules=$(find_file modules)
-
- if [ -f $modules -a -d $MODULESDIR ]; then
- progress_message "Loading Modules..."
- . $modules
- fi
-
- MODULESDIR=$save_modules_dir
-}
-
-save_load_kernel_modules()
-{
-
- modules=$(find_file modules)
-
- save_progress_message "Loading kernel modules..."
- save_command "reload_kernel_modules <<__EOF__"
-
- while read command; do
- case "$command" in
- loadmodule*)
- save_command $command
- ;;
- esac
- done < $modules
-
- save_command __EOF__
- save_command ""
-
-}
-
-# Verify that the 'ip' program is installed
-
-verify_ip() {
- qt ip link ls ||\
- startup_error "Shorewall $version requires the iproute package ('ip' utility)"
-}
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
- CONNTRACK_MATCH=
- MULTIPORT=
- XMULTIPORT=
- POLICY_MATCH=
- PHYSDEV_MATCH=
- IPRANGE_MATCH=
- RECENT_MATCH=
- OWNER_MATCH=
-
- qt $IPTABLES -N fooX1234
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m physdev 
--physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
-
- if [ -n "$PKTTYPE" ]; then
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
- fi
-
- qt $IPTABLES -F fooX1234
- qt $IPTABLES -X fooX1234
-}
-
-report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-{
- local setting=
-
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
- echo " " $1: $setting
-}
-
-report_capabilities() {
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability "NAT" $NAT_ENABLED
- report_capability "Packet Mangling" $MANGLE_ENABLED
- report_capability "Multi-port Match" $MULTIPORT
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- report_capability "Packet Type Match" $PKTTYPE
- report_capability "Policy Match" $POLICY_MATCH
- report_capability "Physdev Match" $PHYSDEV_MATCH
- report_capability "IP range Match" $IPRANGE_MATCH
- report_capability "Recent Match" $RECENT_MATCH
- report_capability "Owner Match" $OWNER_MATCH
-}
-
-#
-# Perform Initialization
-# - Delete all old rules
-# - Delete all user chains
-# - Set the POLICY on all standard chains and add a rule to allow packets
-# that are part of established connections
-# - Determine the zones
-#
-initialize_netfilter () {
-
- report_capabilities
-
- if [ -n "$BRIDGING" ]; then
- [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
- fi
-
-
- [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
- startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
-
- echo "Determining Zones..." 
- - determine_zones - check_duplicate_zones - - [ -z "$zones" ] && startup_error "No Zones Defined" - - display_list "Zones:" $zones - - echo "Validating interfaces file..." - - validate_interfaces_file - - echo "Validating hosts file..." - - validate_hosts_file - - echo "Validating Policy file..." - - validate_policy - - echo "Determining Hosts in Zones..." - - determine_interfaces - determine_hosts - - run_user_exit init - - # - # Some files might be large so strip them while the firewall is still running - # (restart command). This reduces the length of time that the firewall isn't - # accepting new connections. - # - - strip_file rules - strip_file proxyarp - strip_file maclist - strip_file nat - strip_file netmap - - echo "Pre-processing Actions..." - process_actions1 - - terminator=fatal_error - - deletechain shorewall - - [ -n "$NAT_ENABLED" ] && delete_nat - - delete_proxy_arp - - [ -n "$MANGLE_ENABLED" ] && \ - run_iptables -t mangle -F && \ - run_iptables -t mangle -X - - [ -n "$CLEAR_TC" ] && delete_tc - - echo "Deleting user chains..." - - exists_INPUT=Yes - exists_OUTPUT=Yes - exists_FORWARD=Yes - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP - - deleteallchains - - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT - - run_user_exit continue - - f=$(find_file routestopped) - - echo "Processing $f ..." - - strip_file routestopped $f - - process_routestopped -A - - [ -n "$DISABLE_IPV6" ] && disable_ipv6 - - # - # Enable the Loopback interface for now - # - run_iptables -A INPUT -i lo -j ACCEPT - run_iptables -A OUTPUT -o lo -j ACCEPT - - # - # Allow DNS lookups during startup for FQDNs - # - - for chain in INPUT OUTPUT FORWARD; do - run_iptables -A $chain -p udp --dport 53 -j ACCEPT - [ -n "$DROPINVALID" ] && \ - run_iptables -A $chain -p ! 
icmp -m state --state INVALID -j DROP - done - - if [ -n "$CLAMPMSS" ]; then - case $CLAMPMSS in - Yes) - option="--clamp-mss-to-pmtu" - ;; - *) - option="--set-mss $CLAMPMSS" - ;; - esac - - run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option - fi - - accounting_file=$(find_file accounting) - - [ -f $accounting_file ] && setup_accounting $accounting_file - - if [ -z "$NEWNOTSYN" ]; then - createchain newnotsyn no - - for host in $(find_hosts_by_option newnotsyn); do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags ACK ACK -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags RST RST -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -p tcp --tcp-flags FIN FIN -j ACCEPT - run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) $policy -j RETURN - done - - run_user_exit newnotsyn - - if [ -n "$LOGNEWNOTSYN" ]; then - log_rule $LOGNEWNOTSYN newnotsyn DROP - fi - - run_iptables -A newnotsyn -j DROP - fi - - createchain icmpdef no - createchain reject no - createchain dynamic no - createchain smurfs no - - if [ -f /var/lib/shorewall/save ]; then - echo "Restoring dynamic rules..." - - if [ -f /var/lib/shorewall/save ]; then - while read target ignore1 ignore2 address rest; do - case $target in - DROP|reject) - run_iptables -A dynamic -s $address -j $target - ;; - *) - ;; - esac - done < /var/lib/shorewall/save - fi - fi - - [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state= - - echo "Creating Interface Chains..." 
- - for interface in $ALL_INTERFACES; do - createchain $(forward_chain $interface) no - run_iptables -A $(forward_chain $interface) $state -j dynamic - createchain $(input_chain $interface) no - run_iptables -A $(input_chain $interface) $state -j dynamic - done -} - -# -# Construct zone-independent rules -# -add_common_rules() { - local savelogparms="$LOGPARMS" - local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" - - drop_broadcasts() { - for address in $broadcasts ; do - run_iptables -A reject -d $address -j DROP - done - } - - # - # Populate the smurf chain - # - for address in $broadcasts ; do - [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs $(source_ip_range $address) -j DROP - done - # - # Reject Rules -- Don't respond to broadcasts with an ICMP - # - if [ -n "$PKTTYPE" ]; then - qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP - if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then - # - # No pkttype support -- do it the hard way - # - drop_broadcasts - fi - else - drop_broadcasts - fi - # - # Don't feed the smurfs - # - for address in $broadcasts ; do - run_iptables -A reject -s $address -j DROP - done - - run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset - run_iptables -A reject -p udp -j REJECT - # - # Not all versions of iptables support these so don't complain if they don't work - # - qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - if ! 
qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then - # - # In case the above doesn't work - # - run_iptables -A reject -j REJECT - fi - - # - # Create common action chains - # - for action in $USEDACTIONS; do - createactionchain $action - done - - run_user_exit initdone - - # - # Process Black List - # - setup_blacklist - - # - # SMURFS - # - hosts=$(find_hosts_by_option nosmurfs) - - if [ -n "$hosts" ]; then - - echo "Adding Anti-smurf Rules" - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - network=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs - done - done - fi - # - # DHCP - # - interfaces=$(find_interfaces_by_option dhcp) - - if [ -n "$interfaces" ]; then - - echo "Adding rules for DHCP" - - for interface in $interfaces; do - if [ -n "$BRIDGING" ]; then - eval is_bridge=\$$(chain_base $interface)_ports - [ -n "$is_bridge" ] && \ - $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT - fi - run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT - run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT - done - fi - # - # RFC 1918 - # - hosts="$(find_hosts_by_option norfc1918)" - - if [ -n "$hosts" ]; then - echo "Enabling RFC1918 Filtering" - - strip_file rfc1918 - - createchain norfc1918 no - - createchain rfc1918 no - - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP - - run_iptables -A rfc1918 -j DROP - - chain=norfc1918 - - if [ -n "$RFC1918_STRICT" ]; then - # - # We'll generate two chains - one for source and one for destination - # - chain=rfc1918d - createchain $chain no - elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then - # - # Mangling is enabled but conntrack match isn't available -- - # create a chain in the mangle table to 
filter RFC1918 destination - # addresses. This must be done in the mangle table before we apply - # any DNAT rules in the nat table - # - # Also add a chain to log and drop any RFC1918 packets that we find - # - run_iptables -t mangle -N man1918 - run_iptables -t mangle -N rfc1918 - log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle - run_iptables -t mangle -A rfc1918 -j DROP - fi - - while read networks target; do - case $target in - logdrop) - target=rfc1918 - s_target=rfc1918 - ;; - DROP) - s_target=DROP - ;; - RETURN) - [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN - ;; - *) - fatal_error "Invalid target ($target) for $networks" - ;; - esac - - for network in $(separate_list $networks); do - run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target - - if [ -n "$CONNTRACK_MATCH" ]; then - # - # We have connection tracking match -- match on the original destination - # - run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target - elif [ -n "$MANGLE_ENABLED" ]; then - # - # No connection tracking match but we have mangling -- add a rule to - # the mangle table - # - run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target - fi - done - done < $TMP_DIR/rfc1918 - - [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d - - for host in $hosts; do - ipsec=${host%^*} - host=${host#*^} - [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy= - interface=${host%%:*} - networks=${host#*:} - - for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $networks) $policy -j norfc1918 - done - - [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ - run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $networks) -j man1918 - done - fi - # - # Bogons - # - hosts="$(find_hosts_by_option nobogons)" - - if [ -n "$hosts" ]; then - echo "Enabling Bogon Filtering" - - strip_file bogons - - createchain 
 nobogons no
-
- createchain bogons no
-
- log_rule $BOGON_LOG_LEVEL bogons DROP
-
- run_iptables -A bogons -j DROP
-
- while read networks target; do
- case $target in
- logdrop)
- target=bogons
- ;;
- DROP|RETURN)
- ;;
- *)
- fatal_error "Invalid target ($target) for $networks"
- ;;
- esac
-
- run_iptables2 -A nobogons $(source_ip_range $networks) -j $target
-
- done < $TMP_DIR/bogons
-
- for host in $hosts; do
- ipsec=${host%^*}
- host=${host#*^}
- [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
- interface=${host%%:*}
- network=${host#*:}
-
- for chain in $(first_chains $interface); do
- run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons
- done
- done
-
- fi
-
- hosts=$(find_hosts_by_option tcpflags)
-
- if [ -n "$hosts" ]; then
- echo "Setting up TCP Flags checking..."
-
- createchain tcpflags no
-
- if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
- createchain logflags no
-
- savelogparms="$LOGPARMS"
-
- LOGPARMS="$LOGPARMS --log-ip-options"
-
- log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION
-
- LOGPARMS="$savelogparms"
-
- case $TCP_FLAGS_DISPOSITION in
- REJECT)
- run_iptables -A logflags -j REJECT --reject-with tcp-reset
- ;;
- *)
- run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
- ;;
- esac
-
- disposition="-j logflags"
- else
- disposition="-j $TCP_FLAGS_DISPOSITION"
- fi
-
- run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition
- run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
- run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
- run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
- #
- # There are a lot of probes to ports 80, 3128 and 8080 that use a source
- # port of 0. This catches them even if they are directed at an IP that
- # hosts a web server.
- #
- run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
-
- for host in $hosts; do
- ipsec=${host%^*}
- host=${host#*^}
- [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
- interface=${host%%:*}
- network=${host#*:}
-
- for chain in $(first_chains $interface); do
- run_iptables -A $chain -p tcp $(match_source_hosts $network) $policy -j tcpflags
- done
- done
- fi
- #
- # ARP Filtering
- #
- save_progress_message "Restoring ARP filtering..."
-
- for f in /proc/sys/net/ipv4/conf/*; do
- run_and_save_command "[ -f $f/arp_filter ] && echo 0 > $f/arp_filter"
- done
-
- interfaces=$(find_interfaces_by_option arp_filter)
-
- if [ -n "$interfaces" ]; then
- echo "Setting up ARP Filtering..."
-
- for interface in $interfaces; do
- file=/proc/sys/net/ipv4/conf/$interface/arp_filter
- if [ -f $file ]; then
- run_and_save_command "echo 1 > $file"
- else
- error_message \
- "Warning: Cannot set ARP filtering on $interface"
- fi
- done
- fi
- #
- # Route Filtering
- #
- interfaces="$(find_interfaces_by_option routefilter)"
-
- if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
- echo "Setting up Kernel Route Filtering..."
-
- save_progress_message "Restoring Route Filtering..."
-
- for f in /proc/sys/net/ipv4/conf/*; do
- run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter"
- done
-
- for interface in $interfaces; do
- file=/proc/sys/net/ipv4/conf/$interface/rp_filter
- if [ -f $file ]; then
- run_and_save_command "echo 1 > $file"
- else
- error_message \
- "Warning: Cannot set route filtering on $interface"
- fi
- done
-
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
-
- if [ -n "$ROUTE_FILTER" ]; then
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
- fi
-
- run_and_save_command ip route flush cache
- fi
-
- #
- # Martian Logging
- #
- interfaces="$(find_interfaces_by_option logmartians)"
-
- if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
- echo "Setting up Martian Logging..."
-
- save_progress_message "Restoring Martian Logging..."
-
- for f in /proc/sys/net/ipv4/conf/*; do
- run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians"
- done
-
- for interface in $interfaces; do
- file=/proc/sys/net/ipv4/conf/$interface/log_martians
- if [ -f $file ]; then
- run_and_save_command "echo 1 > $file"
- else
- error_message \
- "Warning: Cannot set Martian logging on $interface"
- fi
- done
-
- if [ -n "$LOG_MARTIANS" ]; then
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
- fi
-
- fi
-
- #
- # Source Routing
- #
- save_progress_message "Restoring Accept Source Routing..."
-
- for f in /proc/sys/net/ipv4/conf/*; do
- run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route"
- done
-
- interfaces=$(find_interfaces_by_option sourceroute)
-
- if [ -n "$interfaces" ]; then
- echo "Setting up Accept Source Routing..."
-
- for interface in $interfaces; do
- file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
- if [ -f $file ]; then
- run_and_save_command "echo 1 > $file"
- else
- error_message \
- "Warning: Cannot set Accept Source Routing on $interface"
- fi
- done
- fi
-
- if [ -n "$DYNAMIC_ZONES" ]; then
- echo "Setting up Dynamic Zone Chains..."
-
- for interface in $ALL_INTERFACES; do
- for chain in $(dynamic_chains $interface); do
- createchain $chain no
- done
-
- chain=$(dynamic_in $interface)
- createnatchain $chain
-
- run_iptables -A $(input_chain $interface) -j $chain
- run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
- run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
- done
- fi
- #
- # UPnP
- #
- interfaces=$(find_interfaces_by_option upnp)
-
- if [ -n "$interfaces" ]; then
- echo "Setting up UPnP..."
-
- createnatchain UPnP
-
- for interface in $interfaces; do
- run_iptables -t nat -A PREROUTING -i $interface -j UPnP
- done
- fi
-
- setup_forwarding
-}
-
-#
-# Scan the policy file defining the necessary chains
-# Add the appropriate policy rule(s) to the end of each canonical chain
-#
-apply_policy_rules() {
- #
- # Create policy chains
- #
- for chain in $all_policy_chains; do
- eval policy=\$${chain}_policy
- eval loglevel=\$${chain}_loglevel
- eval synparams=\$${chain}_synparams
-
- [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
-
- if havechain $chain; then
- [ -n "$synparams" ] && \
- run_iptables -I $chain 2 -p tcp --syn -j @$chain
- else
- #
- # The chain doesn't exist.
Create the chain and add policy - # rules - # - # We must include the ESTABLISHED and RELATED state - # rule here to account for replys and reverse - # related sessions associated with sessions going - # in the other direction - # - createchain $chain yes - - # - # If either client or server is 'all' then this MUST be - # a policy chain and we must apply the appropriate policy rules - # - # Otherwise, this is a canonical chain which will be handled in - # the for loop below - # - case $chain in - all2*|*2all) - policy_rules $chain $policy $loglevel - ;; - esac - - [ -n "$synparams" ] && \ - [ $policy = ACCEPT -o $policy = CONTINUE ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain - fi - - done - - # - # Add policy rules to canonical chains - # - for zone in $FW $zones; do - for zone1 in $FW $zones; do - chain=${zone}2${zone1} - if havechain $chain; then - run_user_exit $chain - default_policy $zone $zone1 - fi - done - done -} - -# -# Activate the rules -# -activate_rules() -{ - local PREROUTING_rule=1 - local POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { - local sourcechain=$1 destchain=$2 - shift - shift - - if havenatchain $destchain ; then - run_iptables2 -t nat -A $sourcechain $@ -j $destchain - else - [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - fi - } - - # - # Jump to a RULES chain from one of the builtin nat chains. These jumps are - # are inserted before jumps to one-to-one NAT chains. 
-
- #
- addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
- {
- local sourcechain=$1 destchain=$2
- shift
- shift
-
- if havenatchain $destchain; then
- eval run_iptables2 -t nat -I $sourcechain \
- \$${sourcechain}_rule $@ -j $destchain
- eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
- else
- [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
- [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
-
- fi
- }
-
- #
- # Add jumps to early SNAT chains
- #
- for interface in $ALL_INTERFACES; do
- addnatjump POSTROUTING $(snat_chain $interface) -o $interface
- done
- #
- # Add jumps for dynamic nat chains
- #
- [ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do
- addrulejump PREROUTING $(dynamic_in $interface) -i $interface
- done
- #
- # Add jumps from the builtin chains to the nat chains
- #
- addnatjump PREROUTING nat_in
- addnatjump POSTROUTING nat_out
-
- for interface in $ALL_INTERFACES; do
- addnatjump PREROUTING $(input_chain $interface) -i $interface
- addnatjump POSTROUTING $(output_chain $interface) -o $interface
- done
-
- > ${STATEDIR}/chains
- > ${STATEDIR}/zones
- #
- # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain.
-
- #
- for zone in $zones; do
- if eval test -n \"\$${zone}_is_complex\" ; then
- frwd_chain=${zone}_frwd
- createchain $frwd_chain No
-
- if [ -n "$POLICY_MATCH" ]; then
- eval is_ipsec=\$${zone}_is_ipsec
-
- if [ -n "$is_ipsec" ]; then
- eval source_hosts=\$${zone}_hosts
- if [ -n "$DYNAMIC_ZONES" ]; then
- createchain ${zone}_dyn No
- run_iptables -A $frwd_chain -j ${zone}_dyn
- fi
- else
- eval source_hosts=\$${zone}_ipsec_hosts
- fi
-
- for host in $source_hosts; do
- interface=${host%%:*}
- networks=${host#*:}
-
- run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
- done
- fi
- fi
- done
-
- for zone in $zones; do
- eval source_hosts=\$${zone}_hosts
-
- chain1=$(rules_chain $FW $zone)
- chain2=$(rules_chain $zone $FW)
-
- eval complex=\$${zone}_is_complex
-
- [ -n "$complex" ] && frwd_chain=${zone}_frwd
-
- echo $zone $source_hosts >> ${STATEDIR}/zones
-
- if [ -n "$DYNAMIC_ZONES" ]; then
- echo "$FW $zone $chain1" >> ${STATEDIR}/chains
- echo "$zone $FW $chain2" >> ${STATEDIR}/chains
- fi
-
- need_broadcast=
-
- for host in $source_hosts; do
- interface=${host%%:*}
- networks=${host#*:}
-
- run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
-
- #
- # Add jumps from the builtin chains for DNAT and SNAT rules
- #
- addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
- addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
-
- run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
-
- if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
- run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
- fi
-
- case $networks in
- *.*.*.*)
- if [ "$networks" != 0.0.0.0/0 ]; then
- if ! list_search $interface $need_broadcast ; then
- interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface"
- fi
- fi
- ;;
- esac
- done
-
- for interface in $need_broadcast ; do
- run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
- run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
- done
-
- for zone1 in $zones; do
-
- eval policy=\$${zone}2${zone1}_policy
-
- [ "$policy" = NONE ] && continue
-
- eval dest_hosts=\$${zone1}_hosts
-
- chain="$(rules_chain $zone $zone1)"
-
- [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
-
- if [ $zone = $zone1 ]; then
- #
- # Try not to generate superfluous intra-zone rules
- #
- eval routeback=\"\$${zone}_routeback\"
- eval interfaces=\"\$${zone}_interfaces\"
- eval ports="\$${zone}_ports"
-
- num_ifaces=$(list_count1 $interfaces)
- #
- # If the zone has a single interface then what matters is how many ports it has
- #
- [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
- #
- # If we don't need to route back and if we have only one interface or one port to
- # the zone then assume that hosts in the zone can communicate directly.
- #
- if [ $num_ifaces -lt 2 -a -z "$routeback" ] ; then
- continue
- fi
- else
- routeback=
- num_ifaces=0
- fi
-
- if [ -n "$complex" ]; then
- for host1 in $dest_hosts; do
- interface1=${host1%%:*}
- networks1=${host1#*:}
- #
- # Only generate an intrazone rule if the zone has more than one interface (port) or if
- # routeback was specified for this host group
- #
- if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
- run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
- fi
- done
- else
- for host in $source_hosts; do
- interface=${host%%:*}
- networks=${host#*:}
-
- chain1=$(forward_chain $interface)
-
- for host1 in $dest_hosts; do
- interface1=${host1%%:*}
- networks1=${host1#*:}
-
- if [ "$host" != "$host1" ] || list_search $host $routeback; then
- run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
- fi
- done
- done
- fi
- done
- done
-
- for interface in $ALL_INTERFACES ; do
- run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
- run_iptables -A INPUT -i $interface -j $(input_chain $interface)
- addnatjump POSTROUTING $(masq_chain $interface) -o $interface
- #
- # Bridges under the 2.4 kernel have the wierd property that REJECTS have the physdev-in and physdev-out set to the input physdev.
- # To accomodate this feature/bug, we effectively set 'routeback' on bridge ports.
- #
- eval ports=\$$(chain_base $interface)_ports
- for port in $ports; do
- run_iptables -A $(forward_chain $interface) -o $interface -m physdev --physdev-in $port --physdev-out $port -j ACCEPT
- done
- done
-
- chain=${FW}2${FW}
-
- if havechain $chain; then
- #
- # There is a fw->fw chain. Send loopback output through that chain
- #
- run_ip link ls | grep LOOPBACK | while read ordinal interface rest ; do
- run_iptables -A OUTPUT -o ${interface%:*} -j $chain
- done
- #
- # And delete the unconditional ACCEPT rule
- #
- run_iptables -D OUTPUT -o lo -j ACCEPT
- fi
-
- complete_standard_chain INPUT all $FW
- complete_standard_chain OUTPUT $FW all
- complete_standard_chain FORWARD all all
- #
- # Remove rules added to keep the firewall alive during [re]start"
- #
- for chain in INPUT OUTPUT FORWARD; do
- run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
- run_iptables -D $chain -p udp --dport 53 -j ACCEPT
- done
-
- process_routestopped -D
-
- if [ -n "$LOGALLNEW" ]; then
- for table in mangle nat filter; do
- case $table in
- mangle)
- chains="PREROUTING INPUT FORWARD POSTROUTING"
- ;;
- nat)
- chains="PREROUTING POSTROUTING OUTPUT"
- ;;
- *)
- chains="INPUT FORWARD OUTPUT"
- ;;
- esac
-
- for chain in $chains; do
- log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table
- done
- done
- fi
-}
-
-#
-# Check for disabled startup
-#
-check_disabled_startup() {
- if [ -z "$STARTUP_ENABLED" ]; then
- echo " Shorewall Startup is disabled -- to enable startup"
- echo " after you have completed Shorewall configuration,"
- echo " change the setting of STARTUP_ENABLED to Yes in"
- echo " /etc/shorewall/shorewall.conf"
-
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 2
- fi
-}
-
-#
-# Start/Restart the Firewall
-#
-define_firewall() # $1 = Command (Start or Restart)
-{
- check_disabled_startup
-
- echo "${1}ing Shorewall..."
-
- verify_os_version
- verify_ip
-
- [ -d /var/lib/shorewall ] || { mkdir -p /var/lib/shorewall ; chmod 700 /var/lib/shorewall; }
-
- RESTOREBASE=$(mktempfile /var/lib/shorewall)
-
- [ -n "$RESTOREBASE" ] || startup_error "Cannot create temporary file in /var/lib/shorewall"
-
- echo '#bin/sh' >> $RESTOREBASE
- save_command "#"
- save_command "# Restore base file generated by Shorewall $version - $(date)"
- save_command "#"
- save_command ". /usr/share/shorewall/functions"
-
- f=$(find_file params)
-
- [ -f $f ] && \
- save_command ". $f"
-
- save_command "#"
- save_command "MODULESDIR=\"$MODULESDIR\""
- save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
-
- save_load_kernel_modules
-
- echo "Initializing..."; initialize_netfilter
- echo "Configuring Proxy ARP"; setup_proxy_arp
- echo "Setting up NAT..."; setup_nat
- echo "Setting up NETMAP..."; setup_netmap
- echo "Adding Common Rules"; add_common_rules
-
- tunnels=$(find_file tunnels)
- [ -f $tunnels ] && \
- echo "Processing $tunnels..." && setup_tunnels $tunnels
-
- ipsecfile=$(find_file ipsec)
- [ -f $ipsecfile ] && \
- echo "Processing $ipsecfile..." && setup_ipsec $ipsecfile
-
- maclist_hosts=$(find_hosts_by_option maclist)
- [ -n "$maclist_hosts" ] && setup_mac_lists
-
- echo "Processing $(find_file rules)..."; process_rules
- echo "Processing Actions..."; process_actions2
- process_actions3
- echo "Processing $(find_file policy)..."; apply_policy_rules
-
- masq=$(find_file masq)
- [ -f $masq ] && setup_masq $masq
-
- tos=$(find_file tos)
- [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
-
- ecn=$(find_file ecn)
- [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
-
- [ -n "$TC_ENABLED" ] && setup_tc
-
- echo "Activating Rules..."; activate_rules
-
- [ -n "$aliases_to_add" ] && \
- echo "Adding IP Addresses..." && add_ip_aliases
-
- for file in chains nat proxyarp zones; do
- append_file $file
- done
-
- save_progress_message "Restoring Netfilter Configuration..."
-
- save_command 'iptables-restore << __EOF__'
-
- # 'shorewall save' appends the iptables-save output and '__EOF__'
-
- mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
-
- > $RESTOREBASE
-
- save_command "#"
- save_command "# Restore tail file generated by Shorewall $version - $(date)"
- save_command "#"
- save_command "date > $STATEDIR/restarted"
-
- run_user_exit start
-
- [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
-
- createchain shorewall no
-
- date > $STATEDIR/restarted
-
- report "Shorewall ${1}ed"
-
- rm -rf $TMP_DIR
-
- mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
- mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
-
- run_user_exit started
-}
-
-#
-# Refresh the firewall
-#
-refresh_firewall()
-{
- echo "Refreshing Shorewall..."
-
- echo "Determining Zones and Interfaces..."
-
- determine_zones
-
- validate_interfaces_file
-
- [ -z "$zones" ] && startup_error "No Zones Defined"
-
- determine_interfaces
-
- run_user_exit refresh
-
- #
- # Blacklist
- #
- refresh_blacklist
-
- ecn=$(find_file ecn)
-
- [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
- #
- # Refresh Traffic Control
- #
- [ -n "$TC_ENABLED" ] && refresh_tc
-
- report "Shorewall Refreshed"
-
- rm -rf $TMP_DIR
-}
-
-#
-# Add a host or networks to a zone
-#
-add_to_zone() # $1...${n-1} = [:] $n = zone
-{
- local interface host zone z h z1 z2 chain
- local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
- local rulenum source_chain dest_hosts iface hosts hostlist=
-
- nat_chain_exists() # $1 = chain name
- {
- qt $IPTABLES -t nat -L $1 -n
- }
-
- do_iptables() # $@ = command
- {
- [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
- [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
-
- if ! $IPTABLES $@ ; then
- error_message "Can't add $newhost to zone $zone"
- fi
- }
-
- #
- # Load $zones
- #
- determine_zones
- #
- # Validate Interfaces File
- #
- validate_interfaces_file
- #
- # Validate Hosts File
- #
- validate_hosts_file
- #
- # Validate IPSec File
- #
- f=$(find_file ipsec)
-
- [ -f $f ] && setup_ipsec $f
- #
- # Normalize host list
- #
- while [ $# -gt 1 ]; do
- interface=${1%%:*}
- host=${1#*:}
- #
- # Be sure that the interface was dynamic at last [re]start
- #
- if ! chain_exists $(input_chain $interface) ; then
- startup_error "Unknown interface $interface"
- fi
-
- if ! chain_exists $(dynamic_in $interface) ; then
- startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
- fi
-
- if [ -z "$host" ]; then
- hostlist="$hostlist $interface:0.0.0.0/0"
- else
- for h in $(separate_list $host); do
- hostlist="$hostlist $interface:$h"
- done
- fi
-
- shift
- done
- #
- # Validate Zone
- #
- zone=$1
-
- validate_zone $zone || startup_error "Unknown zone: $zone"
-
- [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
-
- #
- # Be sure that Shorewall has been restarted using a DZ-aware version of the code
- #
- [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
- [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found"
- #
- # Check for duplicates and create a new zone state file
- #
- > ${STATEDIR}/zones_$$
-
- while read z hosts; do
- if [ "$z" = "$zone" ]; then
- for h in $hosts; do
- for host in $hostlist; do
- if [ "$h" = "$host" ]; then
- rm -f ${STATEDIR}/zones_$$
- startup_error "$host already in zone $zone"
- fi
- done
- done
-
- [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts $hostlist"
- fi
-
- eval ${z}_hosts=\"$hosts\"
-
- echo "$z $hosts" >> ${STATEDIR}/zones_$$
- done < ${STATEDIR}/zones
-
- mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones
-
- terminator=fatal_error
- #
- # Create a new Zone state file
- #
- for newhost in $hostlist; do
- #
- # Isolate interface and host parts
- #
- interface=${newhost%%:*}
- host=${newhost#*:}
- #
- # If the zone passed in the command has a dnat chain then insert a rule in
- # the nat table PREROUTING chain to jump to that chain when the source
- # matches the new host(s)#
- #
- chain=${zone}_dnat
-
- if nat_chain_exists $chain; then
- do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
- fi
- #
- # Insert new rules into the filter table for the passed interface
- #
- while read z1 z2 chain; do
- if [ "$z1" = "$zone" ]; then
- if [ "$z2" = "$FW" ]; then
- do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
- else
- source_chain=$(dynamic_fwd $interface)
- if is_ipsec_host $z1 $newhost ; then
- do_iptables -A $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
- else
- eval dest_hosts=\"\$${z2}_hosts\"
-
- for h in $dest_hosts; do
- iface=${h%%:*}
- hosts=${h#*:}
-
- if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
- fi
- done
- fi
- fi
- elif [ "$z2" = "$zone" ]; then
- if [ "$z1" = "$FW" ]; then
- #
- # Add a rule to the dynamic out chain for the interface
- #
- do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
- else
- eval source_hosts=\"\$${z1}_hosts\"
-
- for h in $source_hosts; do
- iface=${h%%:*}
- hosts=${h#*:}
-
- if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- if is_ipsec_host $z1 $h; then
- do_iptables -A ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
- else
- do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
- fi
- fi
- done
- fi
- fi
- done < ${STATEDIR}/chains
-
- progress_message "$newhost added to zone $zone"
-
- done
-
- rm -rf $TMP_DIR
-}
-
-#
-# Delete a host or networks from a zone
-#
-delete_from_zone() # $1 = [:] $2 = zone
-{
- local interface host zone z h z1 z2 chain delhost
- local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
- local rulenum source_chain dest_hosts iface hosts hostlist=
-
- #
- # Load $zones
- #
- determine_zones
- #
- # Validate Interfaces File
- #
- validate_interfaces_file
- #
- # Validate Hosts File
- #
- validate_hosts_file
- #
- # Validate IPSec File
- #
- f=$(find_file ipsec)
-
- [ -f $f ] && setup_ipsec $f
-
- #
- # Normalize host list
- #
- while [ $# -gt 1 ]; do
- interface=${1%%:*}
- host=${1#*:}
- #
- # Be sure that the interface was dynamic at last [re]start
- #
- if ! chain_exists $(input_chain $interface) ; then
- startup_error "Unknown interface $interface"
- fi
-
- if ! chain_exists $(dynamic_in $interface) ; then
- startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
- fi
-
- if [ -z "$host" ]; then
- hostlist="$hostlist $interface:0.0.0.0/0"
- else
- for h in $(separate_list $host); do
- hostlist="$hostlist $interface:$h"
- done
- fi
-
- shift
- done
- #
- # Validate Zone
- #
- zone=$1
-
- validate_zone $zone || startup_error "Unknown zone: $zone"
-
- [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
-
- #
- # Be sure that Shorewall has been restarted using a DZ-aware version of the code
- #
- [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found"
- [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found"
- #
- # Delete the passed hosts from the zone state file
- #
- > ${STATEDIR}/zones_$$
-
- while read z hosts; do
- if [ "$z" = "$zone" ]; then
- temp=$hosts
- hosts=
-
- for host in $hostlist; do
- found=
- for h in $temp; do
- if [ "$h" = "$host" ]; then
- found=Yes
- break
- fi
- done
-
- [ -n "$found" ] || error_message "Warning: $1 does not appear to be in zone $2"
- done
-
- for h in $temp; do
- found=
- for host in $hostlist; do
- if [ "$h" = "$host" ]; then
- found=Yes
- break
- fi
- done
-
- [ -n "$found" ] || hosts="$hosts $h"
- done
- fi
-
- eval ${z}_hosts=\"$hosts\"
-
- echo "$z $hosts" >> ${STATEDIR}/zones_$$
- done < ${STATEDIR}/zones
-
- mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones
-
- terminator=fatal_error
-
- for delhost in $hostlist; do
- interface=${delhost%%:*}
- host=${delhost#*:}
- #
- # Delete any nat table entries for the host(s)
- #
- qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
- #
- # Delete rules rules the input chains for the passed interface
- #
- while read z1 z2 chain; do
- if [ "$z1" = "$zone" ]; then
- if [ "$z2" = "$FW" ]; then
- qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
- else
- source_chain=$(dynamic_fwd $interface)
- if is_ipsec_host $z1 $delhost ; then
- qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
- else
- eval dest_hosts=\"\$${z2}_hosts\"
-
- [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
-
- for h in $dest_hosts; do
- iface=${h%%:*}
- hosts=${h#*:}
-
- if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
- fi
- done
- fi
- fi
- elif [ "$z2" = "$zone" ]; then
- if [ "$z1" = "$FW" ]; then
- qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
- else
- eval source_hosts=\"\$${z1}_hosts\"
-
- for h in $source_hosts; do
- iface=${h%%:*}
- hosts=${h#*:}
-
- if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- if is_ipsec_host $z1 $h; then
- qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
- else
- qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
- fi
- fi
- done
- fi
- fi
- done < ${STATEDIR}/chains
-
- progress_message "$delhost removed from zone $zone"
-
- done
-
- rm -rf $TMP_DIR
-}
-
-#
-# Determine the value for a parameter that defaults to Yes
-#
-added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
-{
- local val="$2"
-
- if [ -z "$val" ]; then
- echo "Yes"
- else case $val in
- [Yy][Ee][Ss])
- echo "Yes"
- ;;
- [Nn][Oo])
- echo ""
- ;;
- *)
- startup_error "Invalid value ($val) for $1"
- ;;
- esac
- fi
-}
-
-#
-# Determine the value for a parameter that defaults to No
-#
-added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
-{
- local val="$2"
-
- if [ -z "$val" ]; then
- echo ""
- else case $val in
- [Yy][Ee][Ss])
- echo "Yes"
- ;;
- [Nn][Oo])
- echo ""
- ;;
- *)
- startup_error "Invalid value ($val) for $1"
- ;;
- esac
- fi
-}
-
-#
-# Initialize this program
-#
-do_initialize() {
-
- # Run all utility programs using the C locale
- #
- # Thanks to Vincent Planchenault for this tip #
-
- export LC_ALL=C
-
- # Make sure umask is sane
- umask 177
-
- PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
- #
- # Establish termination function
- #
- terminator=startup_error
- #
- # Clear all configuration variables
- #
- version=
- IPTABLES=
- FW=
- SUBSYSLOCK=
- STATEDIR=
- ALLOWRELATED=Yes
- LOGRATE=
- LOGBURST=
- LOGPARMS=
- LOGLIMIT=
- ADD_IP_ALIASES=
- ADD_SNAT_ALIASES=
- TC_ENABLED=
- BLACKLIST_DISPOSITION=
- BLACKLIST_LOGLEVEL=
- CLAMPMSS=
- ROUTE_FILTER=
- LOG_MARTIANS=
- DETECT_DNAT_IPADDRS=
- MUTEX_TIMEOUT=
- NEWNOTSYN=
- LOGNEWNOTSYN=
- FORWARDPING=
- MACLIST_DISPOSITION=
- MACLIST_LOG_LEVEL=
- TCP_FLAGS_DISPOSITION=
- TCP_FLAGS_LOG_LEVEL=
- RFC1918_LOG_LEVEL=
- BOGON_LOG_LEVEL=
- MARK_IN_FORWARD_CHAIN=
- SHARED_DIR=/usr/share/shorewall
- FUNCTIONS=
- VERSION_FILE=
- LOGFORMAT=
- LOGRULENUMBERS=
- ADMINISABSENTMINDED=
- BLACKLISTNEWONLY=
- MODULE_SUFFIX=
- ACTIONS=
- USEDACTIONS=
- SMURF_LOG_LEVEL=
- DISABLE_IPV6=
- BRIDGING=
- DYNAMIC_ZONES=
- PKTTYPE=
- RETAIN_ALIASES=
- DELAYBLACKLISTLOAD=
- LOGTAGONLY=
- LOGALLNEW=
- DROPINVALID=
- RFC1918_STRICT=
- MACLIST_TTL=
-
- RESTOREBASE=
- TMP_DIR=
- ALL_INTERFACES=
-
- stopping=
- have_mutex=
- masq_seq=1
- nonat_seq=1
- aliases_to_add=
-
- FUNCTIONS=$SHARED_DIR/functions
-
- if [ -f $FUNCTIONS ]; then
- [ -n "$QUIET" ] || echo "Loading $FUNCTIONS..."
- . $FUNCTIONS
- else
- startup_error "$FUNCTIONS does not exist!"
- fi
-
- TMP_DIR=$(mktempdir)
-
- [ -n "$TMP_DIR" ] && chmod 700 $TMP_DIR || \
- startup_error "Can't create a temporary directory"
-
- trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
-
- ensure_config_path
-
- VERSION_FILE=$SHARED_DIR/version
-
- [ -f $VERSION_FILE ] && version=$(cat $VERSION_FILE)
-
- run_user_exit params
-
- config=$(find_file shorewall.conf)
-
- if [ -f $config ]; then
- if [ -r $config ]; then
- [ -n "$QUIET" ] || echo "Processing $config..."
- . $config
- else
- echo " ERROR: Cannot read $config (Hint: Are you root?)"
- exit 2
- fi
- else
- echo "$config does not exist!" >&2
- exit 2
- fi
- #
- # Restore CONFIG_PATH if the shorewall.conf file cleared it
- #
- ensure_config_path
- #
- # Determine the capabilities of the installed iptables/netfilter
- # We load the kernel modules here to accurately determine
- # capabilities when module autoloading isn't enabled.
-
- #
-
- [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
- load_kernel_modules
-
- if [ -z "$IPTABLES" ]; then
- IPTABLES=$(which iptables 2> /dev/null)
-
- [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
- else
- [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
- fi
-
- determine_capabilities
-
- [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
-
- [ -d $STATEDIR ] || mkdir -p $STATEDIR
-
- [ -z "$FW" ] && FW=fw
-
- ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
- [ -n "$ALLOWRELATED" ] || \
- startup_error "ALLOWRELATED=No is not supported"
- ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
- TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)"
-
- if [ -n "${LOGRATE}${LOGBURST}" ]; then
- LOGLIMIT="--match limit"
- [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
- [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
- fi
-
- if [ -n "$IP_FORWARDING" ]; then
- case "$IP_FORWARDING" in
- [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
- ;;
- *)
- startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
- ;;
- esac
- else
- IP_FORWARDING=On
- fi
-
- if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then
- startup_error "Traffic Control requires Mangle"
- fi
-
- [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP
-
- case "$CLAMPMSS" in
- [0-9]*)
- ;;
- *)
- CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
- ;;
- esac
-
- ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
- ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
- LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
- DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
- FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
- [ -n "$FORWARDPING" ] && \
- startup_error "FORWARDPING=Yes is no longer supported"
-
- NEWNOTSYN=$(added_param_value_yes NEWNOTSYN $NEWNOTSYN)
-
- maclist_target=reject
-
- if [ -n "$MACLIST_DISPOSITION" ] ; then
- case $MACLIST_DISPOSITION in
- REJECT)
- ;;
- ACCEPT|DROP)
- maclist_target=$MACLIST_DISPOSITION
- ;;
- *)
- startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
- ;;
- esac
- else
- MACLIST_DISPOSITION=REJECT
- fi
-
- if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
- case $TCP_FLAGS_DISPOSITION in
- REJECT|ACCEPT|DROP)
- ;;
- *)
- startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
- ;;
- esac
- else
- TCP_FLAGS_DISPOSITION=DROP
- fi
-
- [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
- [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info
-
- MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
- [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
- if [ -n "$TC_ENABLED" ]; then
- CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
- else
- CLEAR_TC=
- fi
-
- if [ -n "$LOGFORMAT" ]; then
- if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
- LOGRULENUMBERS=Yes
- temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
- if [ $? -ne 0 ]; then
- startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
- fi
- else
- temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
- if [ $? -ne 0 ]; then
- startup_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
- fi
- fi
-
- [ ${#temp} -le 29 ] || startup_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
- else
- LOGFORMAT="Shorewall:%s:%s:"
- fi
- ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
- BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
- DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
- BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
- DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
- PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
- STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
- RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
- DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
- LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
- DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
- RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
-
- [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
-
- if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
- startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
- fi
- #
- # Strip the files that we use often
- #
- strip_file interfaces
- strip_file hosts
- #
- # Check out the user's shell
- #
- [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
-
- temp=$(decodeaddr 192.168.1.1)
- if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
- startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
- fi
-
- rm -f $TMP_DIR/physdev
- rm -f $TMP_DIR/iprange
-}
-
-#
-# Give Usage Information
-#
-usage() {
- echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear|{add|delete} [:hosts] zone}}"
- exit 1
-}
-
-#
-# E X E C U T I O N B E G I N S H E R E
-#
-#
-# Start trace if first arg is "debug"
-#
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
-
-nolock=
-
-[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; }
-
-trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9
-
-COMMAND="$1"
-
-case "$COMMAND" in
- stop)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- #
- # Don't want to do a 'stop' when startup is disabled
- #
- check_disabled_startup
- echo -n "Stopping Shorewall..."
- stop_firewall
- [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
- echo "done."
- my_mutex_off
- ;;
-
- start)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- if qt $IPTABLES -L shorewall -n ; then
- [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
- echo "Shorewall Already Started"
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 0;
- fi
- define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
- my_mutex_off
- ;;
-
- restart)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- if qt $IPTABLES -L shorewall -n ; then
- define_firewall "Restart"
- else
- echo "Shorewall Not Currently Running"
- define_firewall "Start"
- fi
-
- [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
- my_mutex_off
- ;;
-
- status)
- [ $# -ne 1 ] && usage
- echo "Shorewall-$version Status at $HOSTNAME - $(date)"
- echo
- $IPTABLES -L -n -v
- ;;
-
- reset)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- if ! qt $IPTABLES -L shorewall -n ; then
- echo "Shorewall Not Started"
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 2;
- fi
- $IPTABLES -Z
- $IPTABLES -t nat -Z
- $IPTABLES -t mangle -Z
- report "Shorewall Counters Reset"
- date > $STATEDIR/restarted
- my_mutex_off
- ;;
-
- refresh)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- if ! qt $IPTABLES -L shorewall -n ; then
- echo "Shorewall Not Started"
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 2;
- fi
- refresh_firewall;
- my_mutex_off
- ;;
-
- clear)
- [ $# -ne 1 ] && usage
- do_initialize
- my_mutex_on
- echo -n "Clearing Shorewall..."
- clear_firewall
- [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
- echo "done."
- my_mutex_off
- ;;
-
- check)
- [ $# -ne 1 ] && usage
- do_initialize
- check_config
- ;;
-
- add)
- [ $# -lt 3 ] && usage
- do_initialize
- my_mutex_on
- if ! qt $IPTABLES -L shorewall -n ; then
- echo "Shorewall Not Started"
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 2;
- fi
- shift
- add_to_zone $@
- my_mutex_off
- ;;
-
- delete)
- [ $# -lt 3 ] && usage
- do_initialize
- my_mutex_on
- if ! qt $IPTABLES -L shorewall -n ; then
- echo "Shorewall Not Started"
- [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
- my_mutex_off
- exit 2;
- fi
- shift
- delete_from_zone $@
- my_mutex_off
- ;;
-
- call)
- #
- # Undocumented way to call functions in /usr/share/shorewall/firewall directly
- #
- shift;
- do_initialize
- EMPTY=
- $@
- ;;
- *)
- usage
- ;;
-
-esac
diff --git a/LrpN/usr/share/shorewall/functions b/LrpN/usr/share/shorewall/functions
deleted file mode 100644
index 80c5ef2d5..000000000
--- a/LrpN/usr/share/shorewall/functions
+++ /dev/null
@@ -1,808 +0,0 @@ -#!/bin/sh -# -# Shorewall 2.2 -- /usr/share/shorewall/functions - -# Function to truncate a string -- It uses 'cut -b -' -# rather than ${v:first:last} because light-weight shells like ash and -# dash do not support that form of expansion. -# - -truncate() # $1 = length -{ - cut -b -${1} -} - -# -# Split a colon-separated list into a space-separated list -# -split() { - local ifs=$IFS - IFS=: - set -- $1 - echo $* - IFS=$ifs -} - -# -# Search a list looking for a match -- returns zero if a match found -# 1 otherwise -# -list_search() # $1 = element to search for , $2-$n = list -{ - local e=$1 - - while [ $# -gt 1 ]; do - shift - [ "x$e" = "x$1" ] && return 0 - done - - return 1 -} - -# -# Functions to count list elements -# - - - - - - - - - - - - - - - - -# Whitespace-separated list -# -list_count1() { - echo $# -} -# -# Comma-separated list -# -list_count() { - list_count1 $(separate_list $1) -} - -# -# Conditionally produce message -# -progress_message() # $* = Message -{ - [ -n "$QUIET" ] || echo "$@" -} - -# -# Suppress all output for a command -# -qt() -{ - "$@" >/dev/null 2>&1 -} - -# -# Perform variable substitution on the passed argument and echo the result -# -expand() # $@ = contents of variable which may be the name of another variable -{ - eval echo \"$@\" -} - -# -# Perform variable substitition on the values of the passed list of variables -# -expandv() # $* = list of variable names -{ - local varval - - while [ $# -gt 0 ]; do - eval varval=\$${1} - eval $1=\"$varval\" - shift - done -} - -# -# Replace all leading "!" with "! " in the passed argument list -# - -fix_bang() { - local i; - - for i in $@; do - case $i in - !*) - echo "! ${i#!}" - ;; - *) - echo $i - ;; - esac - done -} - -# -# Set default config path -# -ensure_config_path() { - local F=/usr/share/shorewall/configpath - if [ -z "$CONFIG_PATH" ]; then - [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; } - . 
$F - fi -} - -# -# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall -# -find_file() -{ - local saveifs= directory - - case $1 in - /*) - echo $1 - ;; - *) - if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then - echo $SHOREWALL_DIR/$1 - else - saveifs=$IFS - IFS=: - for directory in $CONFIG_PATH; do - if [ -f $directory/$1 ]; then - echo $directory/$1 - IFS=$saveifs - return - fi - done - - IFS=$saveifs - - echo /etc/shorewall/$1 - fi - ;; - esac -} - -# -# Replace commas with spaces and echo the result -# -separate_list() { - local list - local part - local newlist - # - # There's been whining about us not catching embedded white space in - # comma-separated lists. This is an attempt to snag some of the cases. - # - # The 'terminator' function will be set by the 'firewall' script to - # either 'startup_error' or 'fatal_error' depending on the command and - # command phase - # - case "$@" in - *,|,*|*,,*|*[[:space:]]*) - [ -n "$terminator" ] && \ - $terminator "Invalid comma-separated list \"$@\"" - echo "Warning -- invalid comma-separated list \"$@\"" >&2 - ;; - esac - - list="$@" - part="${list%%,*}" - newlist="$part" - - while [ "x$part" != "x$list" ]; do - list="${list#*,}"; - part="${list%%,*}"; - newlist="$newlist $part"; - done - - echo "$newlist" -} - -# -# Load a Kernel Module -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename=$1 - local modulefile - local suffix - moduleloader=modprobe - - if ! 
qt which modprobe; then - moduleloader=insmod - fi - - if [ -z "$(lsmod | grep $modulename)" ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - modulefile=$MODULESDIR/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename $* - ;; - esac - - return - fi - done - fi -} - -# -# Reload the Modules -# -reload_kernel_modules() { - - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - while read command; do - eval $command - done - -} - -# -# Find the zones -# -find_zones() # $1 = name of the zone file -{ - while read zone display comments; do - [ -n "$zone" ] && case "$zone" in - \#*) - ;; - $FW) - echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2 - ;; - *) - echo $zone - ;; - esac - done < $1 -} - -find_display() # $1 = zone, $2 = name of the zone file -{ - grep ^$1 $2 | while read z display comments; do - [ "x$1" = "x$z" ] && echo $display - done -} -# -# This function assumes that the TMP_DIR variable is set and that -# its value named an existing directory. -# -determine_zones() -{ - local zonefile=$(find_file zones) - - multi_display=Multi-zone - strip_file zones $zonefile - zones=$(find_zones $TMP_DIR/zones) - newzones= - - for zone in $zones; do - dsply=$(find_display $zone $TMP_DIR/zones) - [ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2 - eval ${zone}_display=\$dsply - newzones="$newzones $zone" - done - - zones=${newzones# } -} - -# -# The following functions may be used by apps that wish to ensure that -# the state of Shorewall isn't changing -# -# This function loads the STATEDIR variable (directory where Shorewall is to -# store state files). If your application supports alternate Shorewall -# configurations then the name of the alternate configuration directory should -# be in $SHOREWALL_DIR at the time of the call. 
-# -# If the shorewall.conf file does not exist, this function does not return -# -get_statedir() -{ - MUTEX_TIMEOUT= - - local config=$(find_file shorewall.conf) - - if [ -f $config ]; then - . $config - else - echo "/etc/shorewall/shorewall.conf does not exist!" >&2 - exit 2 - fi - - [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -} - -# -# Call this function to assert MUTEX with Shorewall. If you invoke the -# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" -# -# This function uses the lockfile utility from procmail if it exists. -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the -# behavior of lockfile. -# -mutex_on() -{ - local try=0 - local lockf=$STATEDIR/lock - - MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60} - - if [ $MUTEX_TIMEOUT -gt 0 ]; then - - [ -d $STATEDIR ] || mkdir -p $STATEDIR - - if qt which lockfile; then - lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} - else - while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do - sleep 1 - try=$((${try} + 1)) - done - - if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then - # Create the lockfile - echo $$ > ${lockf} - else - echo "Giving up on lock file ${lockf}" >&2 - fi - fi - fi -} - -# -# Call this function to release MUTEX -# -mutex_off() -{ - rm -f $STATEDIR/lock -} - -# -# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: -# -# None - No mktemp -# BSD - BSD mktemp (Mandrake) -# STD - mktemp.org mktemp -# -find_mktemp() { - local mktemp=`which mktemp 2> /dev/null` - - if [ -n "$mktemp" ]; then - if qt mktemp -V ; then - MKTEMP=STD - else - MKTEMP=BSD - fi - else - MKTEMP=None - fi -} - -# -# create a temporary file. If a directory name is passed, the file will be created in -# that directory. Otherwise, it will be created in a temporary directory. 
-# -mktempfile() { - - [ -z "$MKTEMP" ] && find_mktemp - - if [ $# -gt 0 ]; then - case "$MKTEMP" in - BSD) - mktemp $1/shorewall.XXXXXX - ;; - STD) - mktemp -p $1 shorewall.XXXXXX - ;; - None) - > $1/shorewall-$$ && echo $1/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" >&2 - ;; - esac - else - case "$MKTEMP" in - BSD) - mktemp /tmp/shorewall.XXXXXX - ;; - STD) - mktemp -t shorewall.XXXXXX - ;; - None) - rm -f /tmp/shorewall-$$ - > /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempfile" >&2 - ;; - esac - fi -} - -# -# create a temporary directory -# -mktempdir() { - - [ -z "$MKTEMP" ] && find_mktemp - - case "$MKTEMP" in - STD) - mktemp -td shorewall.XXXXXX - ;; - None|BSD) - # - # Not all versions of the BSD mktemp support the -d option under Linux - # - mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$ - ;; - *) - echo " ERROR:Internal error in mktempdir" >&2 - ;; - esac -} - -# -# Read a file and handle "INCLUDE" directives -# - -read_file() # $1 = file name, $2 = nest count -{ - local first rest - - if [ -f $1 ]; then - while read first rest; do - if [ "x$first" = "xINCLUDE" ]; then - if [ $2 -lt 4 ]; then - read_file $(find_file $(expand ${rest%#*})) $(($2 + 1)) - else - echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2 - fi - else - echo "$first $rest" - fi - done < $1 - else - [ -n "$terminator" ] && $terminator "No such file: $1" - echo "Warning -- No such file: $1" - fi -} - -# -# Function for including one file into another -# -INCLUDE() { - . 
$(find_file $(expand $@)) -} - -# -# Strip comments and blank lines from a file and place the result in the -# temporary directory -# -strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional) -{ - local fname - - [ $# = 1 ] && fname=$(find_file $1) || fname=$2 - - if [ -f $fname ]; then - read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1 - else - > $TMP_DIR/$1 - fi -} - -# -# Note: The following set of IP address manipulation functions have anomalous -# behavior when the shell only supports 32-bit signed arithmatic and -# the IP address is 128.0.0.0 or 128.0.0.1. -# -# -# So that emacs doesn't get lost, we use $LEFTSHIFT rather than << -# -LEFTSHIFT='<<' - -# -# Convert an IP address in dot quad format to an integer -# -decodeaddr() { - local x - local temp=0 - local ifs=$IFS - - IFS=. - - for x in $1; do - temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x )) - done - - echo $temp - - IFS=$ifs -} - -# -# convert an integer to dot quad format -# -encodeaddr() { - addr=$1 - local x - local y=$(($addr & 255)) - - for x in 1 2 3 ; do - addr=$(($addr >> 8)) - y=$(($addr & 255)).$y - done - - echo $y -} - -# -# Enumerate the members of an IP range -- When using a shell supporting only -# 32-bit signed arithmetic, the range cannot span 128.0.0.0. -# -# Comes in two flavors: -# -# ip_range() - produces a mimimal list of network/host addresses that spans -# the range. -# -# ip_range_explicit() - explicitly enumerates the range. 
-# -ip_range() { - local first last l x y z vlsm - - case $1 in - !*) - # - # Let iptables complain if it's a range - # - echo $1 - return - ;; - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - l=$(( $last + 1 )) - - while [ $first -le $last ]; do - vlsm= - x=31 - y=2 - z=1 - - while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do - vlsm=/$x - x=$(( $x - 1 )) - z=$y - y=$(( $y * 2 )) - done - - echo $(encodeaddr $first)$vlsm - first=$(($first + $z)) - done -} - -ip_range_explicit() { - local first last - - case $1 in - [0-9]*.*.*.*-*.*.*.*) - ;; - *) - echo $1 - return - ;; - esac - - first=$(decodeaddr ${1%-*}) - last=$(decodeaddr ${1#*-}) - - if [ $first -gt $last ]; then - fatal_error "Invalid IP address range: $1" - fi - - while [ $first -le $last ]; do - echo $(encodeaddr $first) - first=$(($first + 1)) - done -} - -# -# Netmask from CIDR -# -ip_netmask() { - local vlsm=${1#*/} - - [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) )) -} - -# -# Network address from CIDR -# -ip_network() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - - echo $(encodeaddr $(($decodedaddr & $netmask))) -} - -# -# The following hack is supplied to compensate for the fact that many of -# the popular light-weight Bourne shell derivatives don't support XOR ("^"). 
-# - -ip_broadcast() { - local x=$(( 32 - ${1#*/} )) - - [ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 )) -} - -# -# Calculate broadcast address from CIDR -# -broadcastaddress() { - local decodedaddr=$(decodeaddr ${1%/*}) - local netmask=$(ip_netmask $1) - local broadcast=$(ip_broadcast $1) - - echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))) -} - -# -# Test for network membership -# -in_network() # $1 = IP address, $2 = CIDR network -{ - local netmask=$(ip_netmask $2) - - test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask )) -} - -# -# Netmask to VLSM -# -ip_vlsm() { - local mask=$(decodeaddr $1) - local vlsm=0 - local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000 - - while [ $(( $x & $mask )) -ne 0 ]; do - [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly. - vlsm=$(($vlsm + 1)) - done - - if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff - echo "Invalid net mask: $1" >&2 - else - echo $vlsm - fi -} - - -# -# Chain name base for an interface -- replace all periods with underscores in the passed name. -# The result is echoed (less trailing "+"). 
-# -chain_base() #$1 = interface -{ - local c=${1%%+} - - while true; do - case $c in - *.*) - c="${c%.*}_${c##*.}" - ;; - *-*) - c="${c%-*}_${c##*-}" - ;; - *%*) - c="${c%\%*}_${c##*%}" - ;; - *) - echo ${c:=common} - return - ;; - esac - done -} - -# -# Loosly Match the name of an interface -# - -if_match() # $1 = Name in interfaces file - may end in "+" - # $2 = Full interface name - may also end in "+" -{ - local pattern=${1%+} - - case $1 in - *+) - test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" - ;; - *) - test "x$1" = "x$2" - ;; - esac -} - -# -# Find the value 'dev' in the passed arguments then echo the next value -# - -find_device() { - while [ $# -gt 1 ]; do - [ "x$1" = xdev ] && echo $2 && return - shift - done -} - -# -# Find the interfaces that have a route to the passed address - the default -# route is not used. -# - -find_rt_interface() { - ip route ls | while read addr rest; do - case $addr in - */*) - in_network ${1%/*} $addr && echo $(find_device $rest) - ;; - default) - ;; - *) - if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then - echo $(find_device $rest) - fi - ;; - esac - done -} - -# -# Find the default route's interface -# -find_default_interface() { - ip route ls | while read first rest; do - [ "$first" = default ] && echo $(find_device $rest) && return - done -} - -# -# Echo the name of the interface(s) that will be used to send to the -# passed address -# - -find_interface_by_address() { - local dev="$(find_rt_interface $1)" - local first rest - - [ -z "$dev" ] && dev=$(find_default_interface) - - [ -n "$dev" ] && echo $dev -} - -# -# Find interface addresses--returns the set of addresses assigned to the passed -# device -# -find_interface_addresses() # $1 = interface -{ - ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' -} diff --git a/LrpN/usr/share/shorewall/help b/LrpN/usr/share/shorewall/help deleted file mode 100755 index 56d8de5e3..000000000 --- a/LrpN/usr/share/shorewall/help +++ /dev/null 
@@ -1,329 +0,0 @@ -#!/bin/sh -# -# Shorewall help subsystem - V2.2 -# -# -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net) -# Steve Herber (herber@thing.com) -# -# This file should be placed in /usr/share/shorewall/help -# -# Shorewall documentation is available at http://shorewall.sourceforge.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA -################################################################################## - -case $1 in - -add) - echo "add: add [:] ... - Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. - - shorewall add interface:host-list ... zone - Adds the specified interface - (and host-list if included) to the specified zone. - - A host-list is a comma-separated list whose elements are: - - A host or network address - The name of a bridge port - The name of a bridge port followed by a colon (":") and a host or - network address. - - Example: - - shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 - from interface ipsec0 to the zone vpn1. - - See also \"help host\"" - ;; - -address|host) - echo "<$1>: - May be either a host IP address such as 192.168.1.4 or a network address in - CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange - match support then IP address ranges of the form - - are also permitted." 
- ;; - -allow) - echo "allow: allow
... - Re-enables receipt of packets from hosts previously blacklisted - by a drop or reject command. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -check) - echo "check: check [ ] - Performs a cursory validation of the zones, interfaces, hosts, - rules and policy files. Use this if you are unsure of any edits - you have made to the shorewall configuration. See the try command - examples for a recommended way to make changes." - ;; - -clear) - echo "clear: clear - Clear will remove all rules and chains installed by Shoreline. - The firewall is then wide open and unprotected. Existing - connections are untouched. Clear is often used to see if the - firewall is causing connection problems." - ;; - -debug) - echo "debug: debug - If you include the keyword debug as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall debug start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'trace' is a synonym for 'debug'." - ;; - -delete) - echo "delete: delete [:] ... - Deletes a list of hosts or networks from a dynamic zone usually used with VPN's. - - shorewall delete interface[:host-list] ... zone - Deletes the specified - interfaces (and host list if included) from the specified zone. - - A host-list is a comma-separated list whose elements are: - - A host or network address - The name of a bridge port - The name of a bridge port followed by a colon (":") and a host or - network address. - - Example: - - shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address - 192.0.2.24 from interface ipsec0 from zone vpn1 - - See also \"help host\"" - ;; - -drop) - echo "$1: $1
... - Causes packets from the specified
to be ignored - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -forget) - echo "forget: forget [ ] - Deletes /var/lib/shorewall/. If no is given then - the file specified by RESTOREFILE in shorewall.conf is removed. - - See also \"help save\"" - ;; - -help) - echo "help: help [ | host | address ] - Display helpful information about the shorewall commands." - ;; - -hits) - echo "hits: hits - Produces several reports about the Shorewall packet log messages - in the current /var/log/messages file." - ;; - -ipcalc) - echo "ipcalc: ipcalc [ address mask | address/vlsm ] - Ipcalc displays the network address, broadcast address, - network in CIDR notation and netmask corresponding to the input[s]." - ;; - -iprange) - echo "iprange: iprange address1-address2 - Iprange decomposes the specified range of IP addresses into the - equivalent list of network/host addresses." - ;; - -logwatch) - echo "logwatch: logwatch [] - Monitors the LOGFILE, $LOGFILE, - and produces an audible alarm when new Shorewall messages are logged." - ;; - -monitor) - echo "monitor: monitor [] - - shorewall [-x] monitor [] - - Continuously display the firewall status, last 20 log entries and nat. - When the log entry display changes, an audible alarm is sounded. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -refresh) - echo "refresh: [ -q ] refresh - The rules involving the broadcast addresses of firewall interfaces, - the black list, traffic control rules and ECN control rules are recreated - to reflect any changes made. Existing connections are untouched - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -reject) - echo "$1: $1
... - Causes packets from the specified
to be rejected - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help address\"" - ;; - -reset) - echo "reset: reset - All the packet and byte counters in the firewall are reset." - ;; - -restart) - echo "restart: [ -q ] restart [ ] - Restart is the same as a shorewall stop && shorewall start. - Existing connections are maintained. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" - ;; - -restore) - echo "restore: restore [ ] - Restore Shorewall to a state saved using the 'save' command - Existing connections are maintained. The names a restore file in - /var/lib/shorewall created using "shorewall save"; if no is given - then Shorewall will be restored from the file specified by the RESTOREFILE - option in shorewall.conf. - - See also \"help save\" and \"help forget\"" - ;; - -save) - echo "save: save [ ] - The dynamic data is stored in /var/lib/shorewall/save. The state of the - firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' - and 'shorewall -f start' commands. If is not given then the state is saved - in the file specified by the RESTOREFILE option in shorewall.conf. - - Shorewall allow, drop, rejct and save implement dynamic blacklisting. - - See also \"help restore\" and \"help forget\"" - ;; - -show) - echo "show: show [ [ ...] |classifiers|connections|log|nat|tc|tos|zones] - - shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). - (iptables -L chain -n -v) - - shorewall [-x] show nat - produce a verbose report about the nat table. - (iptables -t nat -L -n -v) - - shorewall [-x] show tos - produce a verbose report about the mangle table. - (iptables -t mangle -L -n -v) - - shorewall show log - display the last 20 packet log entries. - - shorewall show connections - displays the IP connections currently - being tracked by the firewall. 
- - shorewall show tc - displays information about the traffic - control/shaping configuration. - - shorewall show zones - displays the contents of all zones. - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -start) - echo "start: [ -q ] [ -f ] start [ ] - Start shorewall. Existing connections through shorewall managed - interfaces are untouched. New connections will be allowed only - if they are allowed by the firewall rules or policies. - If \"-q\" is specified, less detail is displayed making it easier to spot warnings - If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option - in shorewall.conf will be restored if that saved configuration exists. In that - case, a may not be specified". - ;; - -stop) - echo "stop: stop - Stops the firewall. All existing connections, except those - listed in /etc/shorewall/routestopped, are taken down. - The only new traffic permitted through the firewall - is from systems listed in /etc/shorewall/routestopped." - ;; - -status) - echo "status: status - - shorewall [-x] status - - Produce a verbose report about the firewall. - - (iptables -L -n -) - - When -x is given, that option is also passed to iptables to display actual packet and byte counts." - ;; - -trace) - echo "trace: trace - If you include the keyword trace as the first argument to any - of these commands: - - start|stop|restart|reset|clear|refresh|check|add|delete - - then a shell trace of the command is produced. For example: - - shorewall trace start 2> /tmp/trace - - The above command would trace the 'start' command and - place the trace information in the file /tmp/trace. - - The word 'debug' is a synonym for 'trace'." - ;; - -try) - echo "try: try [ ] - Restart shorewall using the specified configuration. If an error - occurs during the restart, then another shorewall restart is performed - using the default configuration. 
If a timeout is specified then - the restart is always performed after the timeout occurs and uses - the default configuration." - ;; - -version) - echo "version: version - Show the current shorewall version which is: $version" - ;; - -*) - echo "$1: $1 is not recognized by the help command" - ;; - -esac - -exit 0 # always ok - diff --git a/LrpN/usr/share/shorewall/rfc1918 b/LrpN/usr/share/shorewall/rfc1918 deleted file mode 100644 index 038525465..000000000 --- a/LrpN/usr/share/shorewall/rfc1918 +++ /dev/null @@ -1,29 +0,0 @@ -# -# Shorewall 2.2 -- RFC1918 File -# -# /etc/shorewall/rfc1918 -# -# Lists the subnetworks that are blocked by the 'norfc1918' interface option. -# -# The default list includes those IP addresses listed in RFC 1918. -# -# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE -# TO /etc/shorewall AND MODIFY THE COPY. -# -# Columns are: -# -# SUBNETS A comma-separated list of subnet addresses -# (host addresses also allowed as are IP -# address ranges provided that your kernel and iptables -# have iprange match support). -# TARGET Where to send packets to/from this subnet -# RETURN - let the packet be processed normally -# DROP - silently drop the packet -# logdrop - log then drop -# -############################################################################### -#SUBNETS TARGET -172.16.0.0/12 logdrop # RFC 1918 -192.168.0.0/16 logdrop # RFC 1918 -10.0.0.0/8 logdrop # RFC 1918 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version deleted file mode 100644 index 530cdd91a..000000000 --- a/LrpN/usr/share/shorewall/version +++ /dev/null @@ -1 +0,0 @@ -2.2.4 diff --git a/LrpN/var/lib/lrpkg/shorwall.conf b/LrpN/var/lib/lrpkg/shorwall.conf deleted file mode 100644 index 8b94e5dd3..000000000 --- a/LrpN/var/lib/lrpkg/shorwall.conf +++ /dev/null 
@@ -1,28 +0,0 @@
-/etc/shorewall/params Params Assign parameter values
-/etc/shorewall/zones Zones Partition the network into Zones
-/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
-/etc/shorewall/ipsec Ipsec Define Zone IPSEC Properties
-/etc/shorewall/hosts Hosts Define specific zones
-/etc/shorewall/policy Policy Firewall high-level policy
-/etc/shorewall/rules Rules Exceptions to policy
-/etc/shorewall/maclist Maclist MAC Verification
-/etc/shorewall/masq Masq Internal MASQ Server Configuration
-/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
-/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'
-/etc/shorewall/nat Nat Static NAT Configuration
-/etc/shorewall/tunnels Tunnels Tunnel Definition (ipsec)
-/etc/shorewall/tcrules TCRules FWMark Rules
-/etc/shorewall/shorewall.conf Config Shorewall Global Parameters
-/etc/shorewall/modules Modules Netfilter modules to load
-/etc/shorewall/tos TOS Type of Service policy
-/etc/shorewall/blacklist Blacklist Blacklisted hosts
-/etc/shorewall/ecn ECN Disable ECN to hosts and networks
-/etc/shorewall/init Init Commands executed before [re]start
-/etc/shorewall/start Start Commands executed after [re]start
-/etc/shorewall/stop Stop Commands executed before stop
-/etc/shorewall/stopped Stopped Commands executed after stop
-/etc/shorewall/accounting Account Traffic Accounting Rules
-/etc/shorewall/netmap Netmap Network address mapping
-/etc/shorewall/actions Actions Define user actions
-/etc/shorewall/continue Continue Commands executed early in [re]start
-
diff --git a/LrpN/var/lib/lrpkg/shorwall.exclude.list b/LrpN/var/lib/lrpkg/shorwall.exclude.list
deleted file mode 100644
index cca3782fb..000000000
--- a/LrpN/var/lib/lrpkg/shorwall.exclude.list
+++ /dev/null
@@ -1 +0,0 @@
-var/lib/shorewall/*
diff --git a/LrpN/var/lib/lrpkg/shorwall.help b/LrpN/var/lib/lrpkg/shorwall.help
deleted file mode 100644
index 61523f806..000000000
--- a/LrpN/var/lib/lrpkg/shorwall.help
+++ /dev/null
@@ -1,3 +0,0 @@
-Shoreline Firewall (Shorewall)
-Homepage: http://www.shorewall.net
-Requires: iptables.lrp
diff --git a/LrpN/var/lib/lrpkg/shorwall.list b/LrpN/var/lib/lrpkg/shorwall.list
deleted file mode 100644
index 04bd7a15b..000000000
--- a/LrpN/var/lib/lrpkg/shorwall.list
+++ /dev/null
@@ -1,6 +0,0 @@
-etc/init.d/shorewall
-etc/shorewall
-sbin/shorewall
-usr/share/shorewall
-var/lib/shorewall
-var/lib/lrpkg/shorwall.*
diff --git a/LrpN/var/lib/lrpkg/shorwall.version b/LrpN/var/lib/lrpkg/shorwall.version
deleted file mode 100644
index 530cdd91a..000000000
--- a/LrpN/var/lib/lrpkg/shorwall.version
+++ /dev/null
@@ -1 +0,0 @@
-2.2.4