Shorewall 2.0.3 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-06-12 16:39:54 +00:00
parent 1fc8ddbc82
commit 68571cbbdc
9 changed files with 360 additions and 129 deletions


@ -258,6 +258,24 @@ MODULESDIR=
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################ ################################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
################################################################################ ################################################################################


@ -76,14 +76,17 @@
# listed address(es) # listed address(es)
# shorewall allow <address> ... Reenable address(es) previously # shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject" # disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and # shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will # "dropped" addresses so that it will
# be automatically reinstated the # be automatically reinstated the
# next time that Shorewall starts. # next time that Shorewall starts.
# Save the current state so that 'shorewall # Save the current state so that 'shorewall
# restore' can be used. # restore' can be used.
# #
# shorewall forget Discard the data saved by 'shorewall save' # shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
# #
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ] # shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
# #
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
fi fi
} }
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
# #
# Set the configuration variables from shorewall.conf # Set the configuration variables from shorewall.conf
# #
@ -160,11 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2 exit 2
fi fi
fi fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
} }
# #
@ -535,7 +557,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -543,7 +565,7 @@ usage() # $1 = exit status
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " forget" echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -554,8 +576,8 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart"
echo " restore" echo " restore [ <file name> ]"
echo " save" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
echo " stop" echo " stop"
@ -735,11 +757,14 @@ case "$1" in
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
if [ -f /var/lib/shorewall/restore ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH
date > $STATEDIR/restarted date > $STATEDIR/restarted
echo Shorewall restored echo Shorewall restored from $RESTOREPATH
else else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi fi
@ -963,28 +988,57 @@ case "$1" in
;; ;;
save) save)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " Dynamic Rules Saved" echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo EOF >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
chmod +x /var/lib/shorewall/restore
echo " Currently-running Configuration Saved"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
fi
else else
echo "Error Saving the Dynamic Rules" case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: save"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi fi
else else
echo "Shorewall isn't started" echo "Shorewall isn't started"
@ -992,9 +1046,28 @@ case "$1" in
mutex_off mutex_off
;; ;;
forget) forget)
rm -f /var/lib/shorewall/restore get_config
rm -f /var/lib/shorewall/save case $# in
echo " Previously saved information discarded" 1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH is not a restore script"
fi
;; ;;
ipcalc) ipcalc)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -1032,12 +1105,26 @@ case "$1" in
esac esac
;; ;;
restore) restore)
if [ -f /var/lib/shorewall/restore ]; then get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
echo Shorewall restored
else else
echo "File /var/lib/shorewall/restore: file not found" echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2 exit 2
fi fi
;; ;;
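Review bot: The reserved-name branch of the save command reports the wrong name: the pattern `save|restore-base)` matches either name, but the echo below it always prints `Reserved file name: save`; it should print the value that matched, `echo " ERROR: Reserved file name: $RESTOREFILE"`. validate_restorefile only rejects names containing a slash, so `.`, `..` and an empty argument (`shorewall save ''`) still pass and make RESTOREPATH resolve to the state directory itself or its parent, where the subsequent `mv -f`/`chmod +x` in save and `rm -f` in forget then operate; widening the case to `''|.|..|*/*)` would close that. RESTOREPATH is also expanded unquoted in the `[ -x $RESTOREPATH ]`, `rm -f`, `mv -f` and `chmod +x` lines of the save, forget, restore and `-f start` branches, so a name containing whitespace slips past the validator and breaks those tests; quoting it as `"$RESTOREPATH"` is the cheap fix. The new forget branch is silent when the file does not exist at all, which may be intended, but a short message such as the old `Previously saved information discarded` would make the no-op visible to the operator.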


@ -10,6 +10,6 @@ RejectAuth
dropBcast dropBcast
DropSMB DropSMB
DropUPnP DropUPnP
dropNonSyn dropNotSyn
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,6 +10,6 @@ RejectAuth
dropBcast dropBcast
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNonSyn dropNotSyn
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,6 +6,13 @@
# #
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
# #
#ACTION #ACTION
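Review bot: The builtin names added to this header comment do not match the names the firewall script registers in this same commit: the comment lists `rejNonSyn`, `logNonSyn`, `dLogNonSyn` and `rLogNonSyn`, while the ACTIONS list in the firewall reads `dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn`, and the firewall also emits a warning that `dropNonSyn` has been replaced by `dropNotSyn`. A user who copies a name from this header into the actions file would get an unknown action. The four new lines should read `rejNotSyn`, `logNotSyn`, `dLogNotSyn` and `rLogNotSyn`, and the unchanged `dropNonSyn` line above them should probably become `dropNotSyn` with a note that the old spelling is deprecated, matching the rename made in the two actions.std files.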


@ -51,11 +51,6 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; } [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
} }
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
# #
# Message to stderr # Message to stderr
# #
@ -108,6 +103,17 @@ save_command()
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> /var/lib/shorewall/restore-$$
} }
#
# Write a progress_message command to /var/lib/shorewall/restore-$$
#
save_progress_message()
{
echo >> /var/lib/shorewall/restore-$$
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
echo >> /var/lib/shorewall/restore-$$
}
# #
# Save the passed command in the restore script then run it -- returns the status of the command # Save the passed command in the restore script then run it -- returns the status of the command
# If the command involves file redirection then it must be enclosed in quotes as in: # If the command involves file redirection then it must be enclosed in quotes as in:
@ -133,12 +139,13 @@ ensure_and_save_command()
} }
# #
# Append a file to /var/lib/shorewall/restore-$$ # Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
# #
append_file() { append_file() # $1 = File Name
save_command "cat > $STATEDIR/$1 << EOF" {
save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command EOF save_command __EOF__
} }
# #
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
match_source_dev() match_source_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else else
echo -i $1 echo -i $1
fi fi
@ -585,12 +592,17 @@ match_source_dev()
match_dest_dev() match_dest_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else else
echo -o $1 echo -o $1
fi fi
} }
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
# #
# #
# Find hosts in a given zone # Find hosts in a given zone
@ -765,7 +777,7 @@ validate_interfaces_file() {
if [ -z "$found_obsolete_option" ]; then if [ -z "$found_obsolete_option" ]; then
found_obsolete_option=yes found_obsolete_option=yes
error_message \ error_message \
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
error_message \ error_message \
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..." " PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
sleep 5 sleep 5
@ -798,6 +810,13 @@ validate_interfaces_file() {
validate_hosts_file() { validate_hosts_file() {
local z hosts options r interface host option port ports local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
@ -820,17 +839,14 @@ validate_hosts_file() {
*:*) *:*)
known_interface ${host%:*} && \ known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*} check_bridge_port ${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
;; ;;
*.*.*.*) *.*.*.*)
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host" check_bridge_port $host
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
;; ;;
esac esac
@ -855,6 +871,8 @@ validate_hosts_file() {
fi fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
} }
# #
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
# #
setup_forwarding() { setup_forwarding() {
save_progress_message "Restoring IP Forwarding..."
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1219,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
if qt which ip6tables; then if qt which ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1226,10 +1248,15 @@ stop_firewall() {
;; ;;
*) *)
set +x set +x
if [ -f /var/lib/shorewall/restore ]; then
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH
echo Shorewall restored echo "Shorewall restored from $RESTOREPATH"
my_mutex_off my_mutex_off
kill $$ kill $$
exit 2 exit 2
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
save_progress_message "Restoring Proxy ARP..."
while read address interface external haveroute persistent; do while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent expandv address interface external haveroute persistent
setup_one_proxy_arp setup_one_proxy_arp
@ -1840,6 +1869,8 @@ setup_nat() {
# #
> ${STATEDIR}/nat > ${STATEDIR}/nat
save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
@ -1995,10 +2026,8 @@ process_tc_rule()
chain=tcout chain=tcout
;; ;;
*) *)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
esac esac
@ -2023,7 +2052,11 @@ process_tc_rule()
esac esac
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2095,6 +2128,8 @@ setup_tc1() {
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart run_user_exit tcstart
save_progress_message "Restoring Traffic Control..."
save_command . $(find_file tcstart) save_command . $(find_file tcstart)
} }
@ -2118,6 +2153,8 @@ delete_tc()
} }
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear run_user_exit tcclear
run_ip link list | \ run_ip link list | \
@ -2144,6 +2181,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
} }
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() { jump_to_chain() {
if ! havechain $jumpchain; then if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then if ! createchain2 $jumpchain No; then
@ -2157,6 +2202,7 @@ process_accounting_rule() {
case $source in case $source in
*:*) *:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})" rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2165,12 +2211,16 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
[ -n "$source" ] && rule="$(match_source_dev $source)" if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;; ;;
esac esac
[ -n "$dest" ] && case $dest in [ -n "$dest" ] && case $dest in
*:*) *:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2179,6 +2229,7 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)" rule="$rule $(match_dest_dev $dest)"
;; ;;
esac esac
@ -2233,8 +2284,8 @@ process_accounting_rule() {
ensurechain1 $chain ensurechain1 $chain
if iptables -A $chain $rule ; then if iptables -A $chain $(fix_bang $rule) ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else else
accounting_error accounting_error
@ -2409,6 +2460,16 @@ add_an_action()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2417,6 +2478,7 @@ add_an_action()
-) -)
;; ;;
*:*) *:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -2426,7 +2488,10 @@ add_an_action()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -2445,7 +2510,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)" if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;; ;;
esac esac
@ -2496,9 +2564,8 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
[ "$logtarget" = LOG ] || \ run_iptables2 -A $action $proto $multiport $cli $sports \
run_iptables2 -A $action $proto $multiport $cli $sports \ -d $srv $dports $ratelimit $userandgroup -j $target
-d $srv $dports $ratelimit $userandgroup -j $target
done done
done done
else else
@ -2507,9 +2574,8 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
[ "$logtarget" = LOG ] || \ run_iptables2 -A $action $proto $multiport $cli $sports \
run_iptables2 -A $action $proto $multiport $cli $sports \ $dports $ratelimit $userandgroup -j $target
$dports $ratelimit $userandgroup -j $target
fi fi
fi fi
} }
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
# #
process_actions1() { process_actions1() {
#
# Add the builtin actions
#
add_builtin_actions() {
if [ "$COMMAND" != check ]; then ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
createchain dropBcast no USEDACTIONS=
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
createchain dropNonSyn no
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
fi
ACTIONS="dropBcast dropNonSyn"
USEDACTIONS="dropBcast dropNonSyn"
}
add_builtin_actions
strip_file actions strip_file actions
@ -2821,6 +2863,10 @@ process_actions2() {
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
} }
log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
}
# #
# Generate the transitive closure of $USEDACTIONS # Generate the transitive closure of $USEDACTIONS
# #
@ -2844,7 +2890,38 @@ process_actions2() {
# #
for xaction in $USEDACTIONS; do for xaction in $USEDACTIONS; do
case $xaction in case $xaction in
dropNonSyn|dropBcast) dropBcast)
if [ "$COMMAND" != check ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
fi
;;
dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
;;
dropNotSyn)
[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
;;
rejNotSyn)
[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
;;
logNotSyn)
log_action logNotSyn LOG
;;
rLogNotSyn)
log_action rLogNotSyn REJECT
;;
dLogNotSyn)
log_action dLogNotSyn DROP
;; ;;
*) *)
f=action.$xaction f=action.$xaction
@ -3091,6 +3168,16 @@ add_a_rule()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -3099,6 +3186,7 @@ add_a_rule()
-) -)
;; ;;
*:*) *:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -3108,7 +3196,10 @@ add_a_rule()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -3128,7 +3219,8 @@ add_a_rule()
;; ;;
*) *)
if [ -n "$server" ]; then if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)" dest_interface="$(match_dest_dev $server)"
fi fi
;; ;;
@ -3708,6 +3800,11 @@ process_tos_rule() {
# #
# Assume that this is a device name # Assume that this is a device name
# #
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)" src="$(match_source_dev $src)"
;; ;;
esac esac
@ -4285,7 +4382,7 @@ setup_masq()
strip_file masq $1 strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports expandv fullinterface networks addresses proto ports
@ -4507,6 +4604,8 @@ add_ip_aliases()
set -- $aliases_to_add set -- $aliases_to_add
save_progress_message "Restoring IP Addresses..."
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
external=$1 external=$1
interface=$2 interface=$2
@ -4529,7 +4628,7 @@ add_ip_aliases()
# #
load_kernel_modules() load_kernel_modules()
{ {
local save_modules_dir=$MODULESDIR save_modules_dir=$MODULESDIR
[ -z "$MODULESDIR" ] && \ [ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@ -4537,7 +4636,7 @@ load_kernel_modules()
modules=$(find_file modules) modules=$(find_file modules)
if [ -f $modules -a -d $MODULESDIR ]; then if [ -f $modules -a -d $MODULESDIR ]; then
echo "Loading Modules..." progress_message "Loading Modules..."
. $modules . $modules
fi fi
@ -4547,12 +4646,10 @@ load_kernel_modules()
save_load_kernel_modules() save_load_kernel_modules()
{ {
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
modules=$(find_file modules) modules=$(find_file modules)
save_command "reload_kernel_modules <<EOF" save_progress_message "Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__"
while read command; do while read command; do
case "$command" in case "$command" in
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
esac esac
done < $modules done < $modules
save_command EOF save_command __EOF__
} }
@ -4721,7 +4818,7 @@ initialize_netfilter () {
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
done done
run_user_exit newnotsyn run_user_exit newnotsyn
@ -5028,6 +5125,8 @@ add_common_rules() {
# #
# ARP Filtering # ARP Filtering
# #
save_progress_message "Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5055,6 +5154,8 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." echo "Setting up Kernel Route Filtering..."
save_progress_message "Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
echo '#bin/sh' > /var/lib/shorewall/restore-$$ echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ save_command "#"
save_command "# Restore base file generated by Shorewall $version - $(date)"
save_command "#"
save_command ". /usr/share/shorewall/functions"
save_command "MODULESDIR=\"$MODULESDIR\"" save_command "MODULESDIR=\"$MODULESDIR\""
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted" save_command "date > $STATEDIR/restarted"
save_command 'iptables-restore << EOF' save_progress_message "Restoring Netfilter Configuration..."
# 'shorewall save' appends the iptables-save output and 'EOF' save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
@ -5948,10 +6054,10 @@ do_initialize() {
ensure_config_path ensure_config_path
# #
# Determine the capabilities of the installed iptables/netfilter # Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules so that capabilities can be # We load the kernel modules here to acurately determine
# accurately detected when kernel module autoloading is not # capabilities when module autoloading isn't enabled.
# enabled.
# #
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
load_kernel_modules load_kernel_modules
determine_capabilities determine_capabilities
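Review bot: The `rejNotSyn` arm added to the process_actions2 case appends its rule to a chain named `rejectNotSyn` (`run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`), while the action registered in ACTIONS and dispatched by the surrounding case is `rejNotSyn`; the sibling `dropNotSyn` and `dropNonSyn` arms use the action name as the chain name, so this one should read `run_iptables -A rejNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`, otherwise the rule is aimed at a chain that nothing on this page creates. In the new verify_interface, `[ -n $BRIDGING ]` is unquoted, and a one-argument test is true for any non-empty string, so it passes even when BRIDGING is empty and the function falls through to list_search instead of returning the known_interface result; it should be `[ -n "$BRIDGING" ]`. In initialize_netfilter the rewritten RETURN rule now matches `${host#*:}` while the three ACCEPT rules above it in the same loop still use `$network`; if those two values are meant to differ here, a one-line comment saying why would save the next reader from treating it as a typo. The enclosing functions of these hunks start outside the visible lines.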


@ -33,6 +33,14 @@ list_count() {
list_count1 $(separate_list $1) list_count1 $(separate_list $1)
} }
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
# #
# Suppress all output for a command # Suppress all output for a command
# #


@ -117,9 +117,9 @@ drop)
;; ;;
forget) forget)
echo "forget: forget echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
files are created by the 'shorewall save' command the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\"" See also \"help save\""
;; ;;
@ -194,18 +194,22 @@ restart)
;; ;;
restore) restore)
echo "restore: restore echo "restore: restore [ <file name> ]
Restore Shorewall to its last state saved using the 'save' command Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\"" See also \"help save\" and \"help forget\""
;; ;;
save) save)
echo "save: save echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting. Shorewall allow, drop, rejct and save implement dynamic blacklisting.
@ -240,8 +244,9 @@ start)
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the last saved configuraton if any will be restored" If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;; ;;
stop) stop)
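Review bot: The new restore help text embeds unescaped double quotes inside the echo string: `created using "shorewall save"; if no <file name> is given` closes the string at `using "` and reopens it at `save"`, so the quotes are silently dropped from the printed help and the words around them are re-joined by echo's argument separation. The neighbouring lines escape embedded quotes as `\"help save\"`, and this line should do the same: `/var/lib/shorewall created using \"shorewall save\"; if no <file name> is given`. The echo statement this line belongs to starts inside the hunk but the enclosing case arm continues past it.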


@ -1 +1 @@
2.0.2f 2.0.3-Beta1