Replace the AUTOHELPERS option with the HELPERS option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-03 10:53:20 -07:00
parent 7689b1e84b
commit 72307df6d2
21 changed files with 349 additions and 217 deletions


@ -2024,7 +2024,7 @@ determine_capabilities() {
FTP_HELPER=
IRC_HELPER=
NETBIOS_NS_HELPER=
H323_HELPERS=
H323_HELPER=
PPTP_HELPER=
SANE_HELPER=
SIP_HELPER=
@ -2191,19 +2191,7 @@ determine_capabilities() {
qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain
if qt $g_tool -t raw -A $chain -j CT --notrack; then
CT_TARGET=Yes
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
fi
qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain
@ -2257,7 +2245,18 @@ determine_capabilities() {
fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes
$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@ -2389,7 +2388,7 @@ report_capabilities() {
report_capability "FTP Helper" $FTP_HELPER
report_capability "IRC Helper" $IRC_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
report_capability "H323 Helpers" H323_HELPERS
report_capability "H323 Helper" $H323_HELPER
report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER
report_capability "SIP Helper" $SIP_HELPER
@ -2495,7 +2494,7 @@ report_capabilities1() {
report_capability1 FTP_HELPER
report_capability1 IRC_HELPER
report_capability1 NETBIOS_NS_HELPER
report_capability1 H323_HELPERS
report_capability1 H323_HELPER
report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER
report_capability1 SNMP_HELPER
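Review bot: The irc probe at L48 is the only one in the new block not wrapped in `qt`, so its iptables output leaks to the terminal during capability detection; it should read `qt $g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes`. More importantly, the replacement probes use `-m helper --helper NAME`, and as far as I know xt_helper only stores the name string for comparison against the conntrack entry and never checks that the named helper module is loaded, whereas the removed `-j CT --helper` probes in the raw table fail with "No such helper" when it is absent — if so, every *_HELPER capability will now be reported Yes wherever HELPER_MATCH is Yes, which is worth confirming on a host with one helper module blacklisted. Also note PPTP's control port is 1723 while L50 probes 1729; that predates this commit but the new line keeps it.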


@ -79,7 +79,6 @@ our @EXPORT = qw(
add_interface_options
%chain_table
%helpers
%targets
$raw_table
$rawpost_table
@ -331,19 +330,6 @@ our $rawpost_table;
our $nat_table;
our $mangle_table;
our $filter_table;
our %helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
my $comment;
my @comments;
my $export;
@ -1885,7 +1871,7 @@ sub dnat_chain( $ )
#
sub notrack_chain( $ )
{
$_[0] . '_notrk';
$_[0] . '_ctrk';
}
#
@ -4339,12 +4325,20 @@ sub validate_helper( $;$ ) {
#
# Recognized helper
#
my $capability = $helpers_map{$helper};
my $external_helper = lc $capability;
$external_helper =~ s/_helper//;
$external_helper =~ s/_/-/;
fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
if ( supplied $proto ) {
require_capability $helpers_map{$helper}, "Helper $helper", 's';
my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
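Review bot: If the `require_capability $helpers_map{$helper}, "Helper $helper", 's';` line at L123 is the one being removed in favour of the `$helpers_enabled` check at L121, a CT:helper rule for a helper the kernel or iptables lacks is no longer rejected at compile time unless HELPERS= was set in shorewall.conf, because `%helpers_enabled` defaults to all-1 and the *_HELPER capabilities are only zeroed inside the `if ( supplied $config{HELPERS} )` branch in Config.pm. Keeping `require_capability $capability, "Helper $helper", 's';` right after the enabled check restores that guard for both cases. Minor: `$external_helper =~ s/_/-/` replaces only the first underscore, which is fine for the current names but would silently mis-map a helper name containing two. validate_helper continues past the end of this hunk.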


@ -144,13 +144,24 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%config_files
%shorewallrc
%helpers
%helpers_map
%helpers_enabled
@auditoptions
F_IPV4
F_IPV6
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
MIN_VERBOSITY
MAX_VERBOSITY
@ -162,7 +173,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION
DO_INCLUDE
NORMAL_READ
) ] );
) ] ,
protocols => [ qw (
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
) ],
);
Exporter::export_ok_tags('internal');
@ -318,10 +340,10 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
H323_HELPERS => 'H323 Helpers',
H323_HELPER => 'H323 Helpers',
IRC_HELPER => 'IRC Helper',
NETBIOS_NS_HELPER =>
'Amanda Helper',
'Netbios-ns Helper',
PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper',
SIP_HELPER => 'SIP Helper',
@ -335,19 +357,47 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
KERNELVERSION => 'Kernel Version',
);
use constant {
ICMP => 1,
TCP => 6,
UDP => 17,
DCCP => 33,
GRE => 47,
IPv6_ICMP => 58,
SCTP => 132,
UDPLITE => 136,
};
our %helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
our %helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER',
irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPERS',
RAS => 'H323_HELPERS',
'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPER',
sane => 'SANE_HELPER',
sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER',
);
our %helpers_names;
our %helpers_enabled;
our %config_files = ( #accounting => 1,
actions => 1,
blacklist => 1,
@ -682,7 +732,7 @@ sub initialize( $;$ ) {
EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef,
AUTOHELPERS => undef,
HELPERS => undef,
#
# Packet Disposition
#
@ -801,7 +851,7 @@ sub initialize( $;$ ) {
NFACCT_MATCH => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
H323_HELPERS => undef,
H323_HELPER => undef,
IRC_HELPER => undef,
NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef,
@ -849,6 +899,19 @@ sub initialize( $;$ ) {
CONFDIR => '/etc/',
);
%helpers_enabled = (
amanda => 1,
ftp => 1,
h323 => 1,
irc => 1,
'netbios-ns' => 1,
pptp => 1,
sane => 1,
sip => 1,
snmp => 1,
tftp => 1,
);
process_shorewallrc( $shorewallrc ) if $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@ -3165,8 +3228,54 @@ sub Realm_Match() {
qt1( "$iptables -A $sillyname -m realm --realm 1" );
}
sub Helper_Match() {
qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
sub Amanda_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{amanda} && qt1( "$iptables -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
}
sub FTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{ftp} && qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
}
sub H323_Helpers() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{h323} && qt1( "$iptables -A $sillyname -p udp --dport 1719 -m helper --helper RAS" );
}
sub IRC_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{irc} && qt1( "$iptables -A $sillyname -p tcp --dport 6667 -m helper --helper irc" );
}
sub Netbios_ns_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{'netbios-ns'} && qt1( "$iptables -A $sillyname -p udp --dport 137 -m helper --helper netbios-ns" );
}
sub PPTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{pptp} && qt1( "$iptables -A $sillyname -p tcp --dport 1729 -m helper --helper pptp" );
}
sub SANE_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{sane} && qt1( "$iptables -A $sillyname -p tcp --dport 6566 -m helper --helper sane" );
}
sub SIP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{sip} && qt1( "$iptables -A $sillyname -p udp --dport 5060 -m helper --helper sip" );
}
sub SNMP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{snmp} && qt1( "$iptables -A $sillyname -p udp --dport 161 -m helper --helper snmp" );
}
sub TFTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{tftp} && qt1( "$iptables -A $sillyname -p udp --dport 69 -m helper --helper tftp" );
}
sub Connlimit_Match() {
@ -3248,46 +3357,6 @@ sub Ct_Target() {
$ct_target;
}
sub Amanda_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
}
sub FTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" );
}
sub H323_Helpers() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" );
}
sub IRC_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" );
}
sub Netbios_ns_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" );
}
sub PPTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" );
}
sub SANE_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" );
}
sub SIP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" );
}
sub SNMP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" );
}
sub TFTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" );
}
sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
}
@ -3348,10 +3417,9 @@ our %detect_capability =
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target,
H323_HELPERS => \&H323_Helpers,
H323_HELPER => \&H323_Helpers,
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match,
@ -3502,7 +3570,6 @@ sub determine_capabilities() {
$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
$capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' );
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
@ -3512,7 +3579,6 @@ sub determine_capabilities() {
$capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' );
$capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' );
$capabilities{REALM_MATCH} = detect_capability( 'REALM_MATCH' );
$capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' );
$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
@ -4366,7 +4432,29 @@ sub get_configuration( $$$ ) {
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
if ( supplied $config{HELPERS} ) {
my %helpers_temp = %helpers_enabled;
$helpers_temp{$_} = 0 for keys %helpers_temp;
for ( split_list $config{HELPERS} , 'helper' ) {
my $name = $_;
if ( exists $helpers_enabled{$name} ) {
s/-/_/;
require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
$helpers_temp{$name} = 1;
} else {
fatal_error "Unknown Helper ($_)";
}
}
%helpers_enabled = %helpers_temp;
while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
$capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled;
}
}
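Review bot: The loop at L389-L391 builds the capability key as `uc($helper) . '_HELPER'` without the `s/-/_/` that L381 applies on the enable path, so omitting `netbios-ns` from HELPERS= clears a non-existent `NETBIOS-NS_HELPER` key while `NETBIOS_NS_HELPER` stays set, and the shipped conntrack file's `?IF __CT_TARGET && __NETBIOS_NS_HELPER` block would still attach the helper the operator meant to disable. Suggested: `( my $cap = uc $helper ) =~ s/-/_/; $capabilities{"${cap}_HELPER"} = 0 unless $enabled;`. Separately, Amanda_Helper at L268 still probes with `-j CT --helper amanda` but without `-t raw`; CT is a raw-table target, so that probe presumably always fails and AMANDA_HELPER is never detected via this path, unlike the sibling subs that switched to `-m helper` — `-m helper --helper amanda` would make it consistent. `SANE_HELPER => 'Amanda Helper'` at L180 looks like a copy-paste leftover in the capability descriptions.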
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};


@ -26,7 +26,7 @@
#
package Shorewall::IPAddrs;
require Exporter;
use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
use Socket;
use strict;
@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
ALLIP
NILIP
ALL
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
validate_address
validate_net
@ -115,14 +107,7 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_LINK_ALLRTRS => 'ff01::2' ,
IPv6_SITE_ALLNODES => 'ff02::1' ,
IPv6_SITE_ALLRTRS => 'ff02::2' ,
ICMP => 1,
TCP => 6,
UDP => 17,
DCCP => 33,
GRE => 47,
IPv6_ICMP => 58,
SCTP => 132,
UDPLITE => 136 };
};
my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module contains the code that handles the /etc/shorewall/notrack file.
# This module contains the code that handles the /etc/shorewall/conntrack file.
#
package Shorewall::Raw;
require Exporter;
@ -55,7 +55,7 @@ sub process_notrack_rule( $$$$$$$ ) {
my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
require_capability 'RAW_TABLE', 'Notrack rules', '';
require_capability 'RAW_TABLE', 'conntrack rules', '';
my $target = $action;
my $exception_rule = '';
@ -66,10 +66,10 @@ sub process_notrack_rule( $$$$$$$ ) {
fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
if ( $option eq 'notrack' ) {
fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
$action = 'CT --notrack';
} else {
fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
@ -158,7 +158,7 @@ sub setup_notrack() {
my ( $source, $dest, $proto, $ports, $sports, $user );
if ( $format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'FORMAT' ) {
$format = process_format( $dest );
@ -170,7 +170,7 @@ sub setup_notrack() {
next;
}
} else {
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) {
$format = process_format( $source );
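Review bot: The message at L453, `fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';`, still names the old file while its sibling at L458 was changed to 'conntrack'; rename it as well so the diagnostic points users at the file they actually edit. process_notrack_rule and setup_notrack both begin outside the visible hunks.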


@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -146,6 +144,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -127,8 +127,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -157,6 +155,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -125,8 +125,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -155,6 +153,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -128,8 +128,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -158,6 +156,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -7,40 +7,34 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS
?IF __AMANDA_HELPER
?IF __CT_TARGET && __AMANDA_HELPER
CT:helper:amanda all - udp 10080
?ENDIF
?IF __FTP_HELPER
?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323
?IF __CT_TARGET && __H323_HELPER
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
?ENDIF
?IF __IRC_HELPER
?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667
?ENDIF
?IF __NETBIOS_NS_HELPER
?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
?ENDIF
?IF __PPTP_HELPER
?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729
?ENDIF
?IF __SANE_HELPER
?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566
?ENDIF
?IF __SIP_HELPER
?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
?IF __SNMP_HELPER
?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
?IF __TFTP_HELPER
?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
COMMENT
?ENDIF
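Review bot: The entry `CT:helper:pptp all - tcp 1729` binds the helper to a port PPTP does not use — the PPTP control connection is TCP 1723 — so unless 1729 is deliberate the GRE expectations the helper exists to create are never set up; this predates the commit but the new file keeps it. A caveat worth recording in this file: with the `$AUTOHELPERS` guard gone, every entry is now emitted whenever CT_TARGET and the helper capability are detected, and with SOURCE `all` that means internet-facing traffic to these ports gets application-layer helper parsing by default, which is the behaviour the kernel dropped largely on security grounds. A leading comment such as `# Helpers are attached to traffic from ALL zones; restrict SOURCE to trusted zones where possible` and per-zone entries would be a safer default.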


@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -146,6 +144,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -46,6 +46,13 @@
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
word COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
@ -222,13 +229,9 @@
url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of COMMENT lines. These lines
begin with the word COMMENT; the remainder of the line is treated as
a comment which is attached to subsequent rules until another
COMMENT line is found or until the end of the file is reached. To
stop adding comments to rules, use a line with only the word
COMMENT.</para>
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
</listitem>
</varlistentry>


@ -299,30 +299,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7.</para>
<para>In Linux 3.5, the Netfilter team announced that the automatic
association of helpers with connections based on protocol and port
would no longer be supported after a certain point. This means that
explicit rules must be added in shorewall-conntrack (5) in order for
applications like FTP that require a helper to continue to work
correctly. To work around this problem, the AUTOHELPERS option was
added with a default value of Yes.</para>
<para>If set to Yes and the CT Target capability is present in the
kernel and iptables, then Shorewall will automatically create the
same associations that were made by the modules themselves prior to
removal of the automatic association feature. The associations are
actually in shorewall-conntrack (5) so you can modify them to suit
your particular needs. </para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -708,6 +684,62 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
application helps that are to be enabled. If not specified, the
default is to enable all helpers.</para>
<para>Possible values for <replaceable>helper</replaceable>
are:</para>
<itemizedlist>
<listitem>
<para>amanda</para>
</listitem>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>h323</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>netbios-ns</para>
</listitem>
<listitem>
<para>pptp</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>snmp</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -7,40 +7,34 @@
FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET
COMMENT AUTOHELPERS
?IF __AMANDA_HELPER
?IF __CT_TARGET && __AMANDA_HELPER
CT:helper:amanda all - udp 10080
?ENDIF
?IF __FTP_HELPER
?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21
?ENDIF
?IF __H323_HELPERS
COMMENT AUTOHELPERS - H323
?IF __CT_TARGET && __H323_HELPER
CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
?ENDIF
?IF __IRC_HELPER
?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667
?ENDIF
?IF __NETBIOS_NS_HELPER
?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137
?ENDIF
?IF __PPTP_HELPER
?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729
?ENDIF
?IF __SANE_HELPER
?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566
?ENDIF
?IF __SIP_HELPER
?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060
?ENDIF
?IF __SNMP_HELPER
?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161
?ENDIF
?IF __TFTP_HELPER
?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69
?ENDIF
COMMENT
?ENDIF
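Review bot: Same port question as the IPv4 file: `CT:helper:pptp all - tcp 1729` should presumably be 1723. For IPv6 specifically, I believe several of these helpers (pptp and netbios-ns at least) are registered for IPv4 only in the kernel, so the `?IF __CT_TARGET && __X_HELPER` guards here depend entirely on how Shorewall6 detects the capability — a `-m helper` probe does not verify the helper exists for the family, and the entry would then be emitted and fail at load time. A comment here stating which helpers are expected to work under IPv6 would help, and the SOURCE `all` caveat from the IPv4 file applies equally.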


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes
HELPERS=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes


@ -45,6 +45,13 @@
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
word COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
@ -124,6 +131,10 @@
list of addresses (may contain exclusion - see <ulink
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
</listitem>
</varlistentry>


@ -228,30 +228,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7.</para>
<para>In Linux 3.5, the Netfilter team announced that the automatic
association of helpers with connections based on protocol and port
would no longer be supported after a certain point. This means that
explicit rules must be added in shorewall-conntrack (5) in order for
applications like FTP that require a helper to continue to work
correctly. To work around this problem, the AUTOHELPERS option was
added with a default value of Yes.</para>
<para>If set to Yes and the CT Target capability is present in the
kernel and iptables, then Shorewall will automatically create the
same associations that were made by the modules themselves prior to
removal of the automatic association feature. The associations are
actually in shorewall-conntrack (5) so you can modify them to suit
your particular needs.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -617,6 +593,62 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
application helps that are to be enabled. If not specified, the
default is to enable all helpers.</para>
<para>Possible values for <replaceable>helper</replaceable>
are:</para>
<itemizedlist>
<listitem>
<para>amanda</para>
</listitem>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>h323</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>netbios-ns</para>
</listitem>
<listitem>
<para>pptp</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>snmp</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>