Replace the AUTOHELPERS option with the HELPERS option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-03 10:53:20 -07:00
parent 7689b1e84b
commit 72307df6d2
21 changed files with 349 additions and 217 deletions


@ -2024,7 +2024,7 @@ determine_capabilities() {
FTP_HELPER= FTP_HELPER=
IRC_HELPER= IRC_HELPER=
NETBIOS_NS_HELPER= NETBIOS_NS_HELPER=
H323_HELPERS= H323_HELPER=
PPTP_HELPER= PPTP_HELPER=
SANE_HELPER= SANE_HELPER=
SIP_HELPER= SIP_HELPER=
@ -2191,19 +2191,7 @@ determine_capabilities() {
qt $g_tool -t raw -X $chain qt $g_tool -t raw -X $chain
qt $g_tool -t raw -N $chain qt $g_tool -t raw -N $chain
if qt $g_tool -t raw -A $chain -j CT --notrack; then qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes;
CT_TARGET=Yes
qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda && AMANDA_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 21 -j CT --helper ftp && FTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 1719 -j CT --helper RAS && H323_HELPERS=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6667 -j CT --helper irc && IRC_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 137 -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 1729 -j CT --helper pptp && PPTP_HELPER=Yes
qt $g_tool -t raw -A $chain -p tcp --dport 6566 -j CT --helper sane && SANE_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 5060 -j CT --helper sip && SIP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 161 -j CT --helper snmp && SNMP_HELPER=Yes
qt $g_tool -t raw -A $chain -p udp --dport 69 -j CT --helper tftp && TFTP_HELPER=Yes
fi
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
qt $g_tool -t raw -X $chain qt $g_tool -t raw -X $chain
@ -2257,7 +2245,18 @@ determine_capabilities() {
fi fi
qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $g_tool -A $chain -p udp --dport 10080 -m helper --helper amanda && HELPER_MATCH=Yes && AMANDA_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp && HELPER_MATCH=Yes && FTP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 1719 -m helper --helper RAS && HELPER_MATCH=Yes && H323_HELPER=Yes
$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 137 -m helper --helper netbios-ns && HELPER_MATCH=Yes && NETBIOS_NS_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 1729 -m helper --helper pptp && HELPER_MATCH=Yes && PPTP_HELPER=Yes
qt $g_tool -A $chain -p tcp --dport 6566 -m helper --helper sane && HELPER_MATCH=Yes && SANE_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 5060 -m helper --helper sip && HELPER_MATCH=Yes && SIP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 161 -m helper --helper snmp && HELPER_MATCH=Yes && SNMP_HELPER=Yes
qt $g_tool -A $chain -p udp --dport 69 -m helper --helper tftp && HELPER_MATCH=Yes && TFTP_HELPER=Yes
qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@ -2389,7 +2388,7 @@ report_capabilities() {
report_capability "FTP Helper" $FTP_HELPER report_capability "FTP Helper" $FTP_HELPER
report_capability "IRC Helper" $IRC_HELPER report_capability "IRC Helper" $IRC_HELPER
report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
report_capability "H323 Helpers" H323_HELPERS report_capability "H323 Helper" $H323_HELPER
report_capability "PPTP Helper" $PPTP_HELPER report_capability "PPTP Helper" $PPTP_HELPER
report_capability "SANE Helper" $SANE_HELPER report_capability "SANE Helper" $SANE_HELPER
report_capability "SIP Helper" $SIP_HELPER report_capability "SIP Helper" $SIP_HELPER
@ -2495,7 +2494,7 @@ report_capabilities1() {
report_capability1 FTP_HELPER report_capability1 FTP_HELPER
report_capability1 IRC_HELPER report_capability1 IRC_HELPER
report_capability1 NETBIOS_NS_HELPER report_capability1 NETBIOS_NS_HELPER
report_capability1 H323_HELPERS report_capability1 H323_HELPER
report_capability1 PPTP_HELPER report_capability1 PPTP_HELPER
report_capability1 SANE_HELPER report_capability1 SANE_HELPER
report_capability1 SNMP_HELPER report_capability1 SNMP_HELPER
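Review bot: The irc probe `$g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes` is the only line in the new helper block without the `qt` wrapper, so if `qt` discards the command's output as its use on every neighbouring line suggests, a missing irc helper module will print iptables' error text into the capability-detection output instead of being silenced; it should read `qt $g_tool -A $chain -p tcp --dport 6667 -m helper --helper irc && HELPER_MATCH=Yes && IRC_HELPER=Yes`. The rewritten CT_TARGET line ends with a stray `;` (`... -j CT --notrack && CT_TARGET=Yes;`), harmless but inconsistent with the surrounding lines. determine_capabilities() starts and ends outside these hunks.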


@ -79,7 +79,6 @@ our @EXPORT = qw(
add_interface_options add_interface_options
%chain_table %chain_table
%helpers
%targets %targets
$raw_table $raw_table
$rawpost_table $rawpost_table
@ -331,19 +330,6 @@ our $rawpost_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
our %helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
my $comment; my $comment;
my @comments; my @comments;
my $export; my $export;
@ -1885,7 +1871,7 @@ sub dnat_chain( $ )
# #
sub notrack_chain( $ ) sub notrack_chain( $ )
{ {
$_[0] . '_notrk'; $_[0] . '_ctrk';
} }
# #
@ -4339,12 +4325,20 @@ sub validate_helper( $;$ ) {
# #
# Recognized helper # Recognized helper
# #
my $capability = $helpers_map{$helper};
my $external_helper = lc $capability;
$external_helper =~ s/_helper//;
$external_helper =~ s/_/-/;
fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
if ( supplied $proto ) { if ( supplied $proto ) {
require_capability $helpers_map{$helper}, "Helper $helper", 's'; require_capability $helpers_map{$helper}, "Helper $helper", 's';
my $protonum = -1; my $protonum = -1;
fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) ); fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
unless ( $protonum == $helper_proto ) { unless ( $protonum == $helper_proto ) {
fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto ); fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
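Review bot: The derivation `my $external_helper = lc $capability; $external_helper =~ s/_helper//; $external_helper =~ s/_/-/;` silently encodes the rule that a capability name such as `NETBIOS_NS_HELPER` maps back to the `%helpers_enabled` key `netbios-ns` (and `H323_HELPER` to `h323`), and the `s/_/-/` without `/g` is only right while no helper name keeps two underscores after the suffix is stripped; a comment like `# Derive the %helpers_enabled key (e.g. netbios-ns, h323) from the capability name` would make that intent visible to the next reader. A direct capability-to-key lookup would remove the string surgery, but that is a larger change than this hunk. validate_helper( $;$ ) starts and ends outside the hunk.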


@ -144,13 +144,24 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
%config_files %config_files
%shorewallrc %shorewallrc
%helpers
%helpers_map %helpers_map
%helpers_enabled
@auditoptions @auditoptions
F_IPV4 F_IPV4
F_IPV6 F_IPV6
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
MIN_VERBOSITY MIN_VERBOSITY
MAX_VERBOSITY MAX_VERBOSITY
@ -162,7 +173,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION CONFIG_CONTINUATION
DO_INCLUDE DO_INCLUDE
NORMAL_READ NORMAL_READ
) ] ); ) ] ,
protocols => [ qw (
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
) ],
);
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
@ -318,10 +340,10 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match', NFACCT_MATCH => 'NFAcct Match',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
H323_HELPERS => 'H323 Helpers', H323_HELPER => 'H323 Helpers',
IRC_HELPER => 'IRC Helper', IRC_HELPER => 'IRC Helper',
NETBIOS_NS_HELPER => NETBIOS_NS_HELPER =>
'Amanda Helper', 'Netbios-ns Helper',
PPTP_HELPER => 'PPTP Helper', PPTP_HELPER => 'PPTP Helper',
SANE_HELPER => 'Amanda Helper', SANE_HELPER => 'Amanda Helper',
SIP_HELPER => 'SIP Helper', SIP_HELPER => 'SIP Helper',
@ -335,19 +357,47 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
use constant {
ICMP => 1,
TCP => 6,
UDP => 17,
DCCP => 33,
GRE => 47,
IPv6_ICMP => 58,
SCTP => 132,
UDPLITE => 136,
};
our %helpers = ( amanda => UDP,
ftp => TCP,
irc => TCP,
'netbios-ns' => UDP,
pptp => TCP,
'Q.931' => TCP,
RAS => UDP,
sane => TCP,
sip => UDP,
snmp => UDP,
tftp => UDP,
);
our %helpers_map = ( amanda => 'AMANDA_HELPER', our %helpers_map = ( amanda => 'AMANDA_HELPER',
ftp => 'FTP_HELPER', ftp => 'FTP_HELPER',
irc => 'IRC_HELPER', irc => 'IRC_HELPER',
'netbios-ns' => 'NETBIOS_NS_HELPER', 'netbios-ns' => 'NETBIOS_NS_HELPER',
pptp => 'PPTP_HELPER', pptp => 'PPTP_HELPER',
'Q.931' => 'H323_HELPERS', 'Q.931' => 'H323_HELPER',
RAS => 'H323_HELPERS', RAS => 'H323_HELPER',
sane => 'SANE_HELPER', sane => 'SANE_HELPER',
sip => 'SIP_HELPER', sip => 'SIP_HELPER',
snmp => 'SNMP_HELPER', snmp => 'SNMP_HELPER',
tftp => 'TFTP_HELPER', tftp => 'TFTP_HELPER',
); );
our %helpers_names;
our %helpers_enabled;
our %config_files = ( #accounting => 1, our %config_files = ( #accounting => 1,
actions => 1, actions => 1,
blacklist => 1, blacklist => 1,
@ -682,7 +732,7 @@ sub initialize( $;$ ) {
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef, LEGACY_FASTSTART => undef,
USE_PHYSICAL_NAMES => undef, USE_PHYSICAL_NAMES => undef,
AUTOHELPERS => undef, HELPERS => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -801,7 +851,7 @@ sub initialize( $;$ ) {
NFACCT_MATCH => undef, NFACCT_MATCH => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
H323_HELPERS => undef, H323_HELPER => undef,
IRC_HELPER => undef, IRC_HELPER => undef,
NETBIOS_NS_HELPER => undef, NETBIOS_NS_HELPER => undef,
PPTP_HELPER => undef, PPTP_HELPER => undef,
@ -849,6 +899,19 @@ sub initialize( $;$ ) {
CONFDIR => '/etc/', CONFDIR => '/etc/',
); );
%helpers_enabled = (
amanda => 1,
ftp => 1,
h323 => 1,
irc => 1,
'netbios-ns' => 1,
pptp => 1,
sane => 1,
sip => 1,
snmp => 1,
tftp => 1,
);
process_shorewallrc( $shorewallrc ) if $shorewallrc; process_shorewallrc( $shorewallrc ) if $shorewallrc;
$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/"; $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@ -3165,8 +3228,54 @@ sub Realm_Match() {
qt1( "$iptables -A $sillyname -m realm --realm 1" ); qt1( "$iptables -A $sillyname -m realm --realm 1" );
} }
sub Helper_Match() { sub Amanda_Helper() {
qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); $capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{amanda} && qt1( "$iptables -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
}
sub FTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{ftp} && qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
}
sub H323_Helpers() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{h323} && qt1( "$iptables -A $sillyname -p udp --dport 1719 -m helper --helper RAS" );
}
sub IRC_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{irc} && qt1( "$iptables -A $sillyname -p tcp --dport 6667 -m helper --helper irc" );
}
sub Netbios_ns_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{'netbios-ns'} && qt1( "$iptables -A $sillyname -p udp --dport 137 -m helper --helper netbios-ns" );
}
sub PPTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{pptp} && qt1( "$iptables -A $sillyname -p tcp --dport 1729 -m helper --helper pptp" );
}
sub SANE_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{sane} && qt1( "$iptables -A $sillyname -p tcp --dport 6566 -m helper --helper sane" );
}
sub SIP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{sip} && qt1( "$iptables -A $sillyname -p udp --dport 5060 -m helper --helper sip" );
}
sub SNMP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{snmp} && qt1( "$iptables -A $sillyname -p udp --dport 161 -m helper --helper snmp" );
}
sub TFTP_Helper() {
$capabilities{HELPER_MATCH} = 1 if
$helpers_enabled{tftp} && qt1( "$iptables -A $sillyname -p udp --dport 69 -m helper --helper tftp" );
} }
sub Connlimit_Match() { sub Connlimit_Match() {
@ -3248,46 +3357,6 @@ sub Ct_Target() {
$ct_target; $ct_target;
} }
sub Amanda_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 10080 -j CT --helper amanda" );
}
sub FTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 21 -j CT --helper ftp" );
}
sub H323_Helpers() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 1719 -j CT --helper RAS" );
}
sub IRC_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6667 -j CT --helper irc" );
}
sub Netbios_ns_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 137 -j CT --helper netbios-ns" );
}
sub PPTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 1729 -j CT --helper pptp" );
}
sub SANE_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p tcp --dport 6566 -j CT --helper sane" );
}
sub SIP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 5060 -j CT --helper sip" );
}
sub SNMP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 161 -j CT --helper snmp" );
}
sub TFTP_Helper() {
have_capability 'CT_TARGET' && qt1( "$iptables -t raw -A $sillyname -p udp --dport 69 -j CT --helper tftp" );
}
sub Statistic_Match() { sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" ); qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
} }
@ -3348,10 +3417,9 @@ our %detect_capability =
FWMARK_RT_MASK => \&Fwmark_Rt_Mask, FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GEOIP_MATCH => \&GeoIP_Match, GEOIP_MATCH => \&GeoIP_Match,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
H323_HELPERS => \&H323_Helpers, H323_HELPER => \&H323_Helpers,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match, HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
IMQ_TARGET => \&Imq_Target, IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target, IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,
@ -3502,7 +3570,6 @@ sub determine_capabilities() {
$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' ); $capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
$capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' ); $capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' );
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' ); $capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' ); $capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
@ -3512,7 +3579,6 @@ sub determine_capabilities() {
$capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' ); $capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' );
$capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' ); $capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' );
$capabilities{REALM_MATCH} = detect_capability( 'REALM_MATCH' ); $capabilities{REALM_MATCH} = detect_capability( 'REALM_MATCH' );
$capabilities{HELPER_MATCH} = detect_capability( 'HELPER_MATCH' );
$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' ); $capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
$capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' ); $capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
$capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' ); $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
@ -4366,7 +4432,29 @@ sub get_configuration( $$$ ) {
default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , ''; default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes'; default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
if ( supplied $config{HELPERS} ) {
my %helpers_temp = %helpers_enabled;
$helpers_temp{$_} = 0 for keys %helpers_temp;
for ( split_list $config{HELPERS} , 'helper' ) {
my $name = $_;
if ( exists $helpers_enabled{$name} ) {
s/-/_/;
require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
$helpers_temp{$name} = 1;
} else {
fatal_error "Unknown Helper ($_)";
}
}
%helpers_enabled = %helpers_temp;
while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
$capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled;
}
}
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
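Review bot: In get_configuration the line `$capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled;` builds the capability name without the `s/-/_/` normalisation applied a few lines earlier in the same hunk, so disabling `netbios-ns` via HELPERS clears the non-existent key `NETBIOS-NS_HELPER` and leaves `NETBIOS_NS_HELPER` set; `( my $cap = uc $helper ) =~ s/-/_/; $capabilities{"${cap}_HELPER"} = 0 unless $enabled;` keeps the two paths consistent. In the probe hunk, `Amanda_Helper` tests `-j CT --helper amanda` in the filter table while every sibling uses `-m helper --helper ...`; as far as I know the CT target is only accepted in the raw table (the removed probe passed `-t raw`), so this probe appears unable to succeed and should use `-p udp --dport 10080 -m helper --helper amanda` like the others. The `%capdesc` hunk corrects the NETBIOS_NS_HELPER text, but `SANE_HELPER => 'Amanda Helper'` is still wrong and `H323_HELPER => 'H323 Helpers'` is still plural after the rename. get_configuration( $$$ ) starts and ends outside the hunk.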


@ -26,7 +26,7 @@
# #
package Shorewall::IPAddrs; package Shorewall::IPAddrs;
require Exporter; require Exporter;
use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 ); use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
use Socket; use Socket;
use strict; use strict;
@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
ALLIP ALLIP
NILIP NILIP
ALL ALL
TCP
UDP
UDPLITE
ICMP
DCCP
IPv6_ICMP
SCTP
GRE
validate_address validate_address
validate_net validate_net
@ -115,14 +107,7 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
IPv6_LINK_ALLRTRS => 'ff01::2' , IPv6_LINK_ALLRTRS => 'ff01::2' ,
IPv6_SITE_ALLNODES => 'ff02::1' , IPv6_SITE_ALLNODES => 'ff02::1' ,
IPv6_SITE_ALLRTRS => 'ff02::2' , IPv6_SITE_ALLRTRS => 'ff02::2' ,
ICMP => 1, };
TCP => 6,
UDP => 17,
DCCP => 33,
GRE => 47,
IPv6_ICMP => 58,
SCTP => 132,
UDPLITE => 136 };
my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );


@ -20,7 +20,7 @@
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
# This module contains the code that handles the /etc/shorewall/notrack file. # This module contains the code that handles the /etc/shorewall/conntrack file.
# #
package Shorewall::Raw; package Shorewall::Raw;
require Exporter; require Exporter;
@ -55,7 +55,7 @@ sub process_notrack_rule( $$$$$$$ ) {
my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT; my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT; fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
require_capability 'RAW_TABLE', 'Notrack rules', ''; require_capability 'RAW_TABLE', 'conntrack rules', '';
my $target = $action; my $target = $action;
my $exception_rule = ''; my $exception_rule = '';
@ -66,10 +66,10 @@ sub process_notrack_rule( $$$$$$$ ) {
fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT'; fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
require_capability 'CT_TARGET', 'CT entries in the notrack file', ''; require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
if ( $option eq 'notrack' ) { if ( $option eq 'notrack' ) {
fatal_error "Invalid notrack ACTION ( $action )" if supplied $args; fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
$action = 'CT --notrack'; $action = 'CT --notrack';
} else { } else {
fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args; fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
@ -158,7 +158,7 @@ sub setup_notrack() {
my ( $source, $dest, $proto, $ports, $sports, $user ); my ( $source, $dest, $proto, $ports, $sports, $user );
if ( $format == 1 ) { if ( $format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 }; ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'FORMAT' ) { if ( $source eq 'FORMAT' ) {
$format = process_format( $dest ); $format = process_format( $dest );
@ -170,7 +170,7 @@ sub setup_notrack() {
next; next;
} }
} else { } else {
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 }; ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) { if ( $action eq 'FORMAT' ) {
$format = process_format( $source ); $format = process_format( $source );
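Review bot: The message on `fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';` still names the file notrack while the message two lines below and the split_line1 labels were renamed to conntrack in this change; make it `fatal_error "Invalid conntrack ACTION ( $action )" if $junk || $target ne 'CT';` so both diagnostics refer to the same file name. process_notrack_rule( $$$$$$$ ) starts and ends outside the hunk.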


@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -146,6 +144,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -127,8 +127,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -157,6 +155,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -125,8 +125,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -155,6 +153,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -128,8 +128,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -158,6 +156,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -7,40 +7,34 @@
FORMAT 2 FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET ?IF __CT_TARGET && __AMANDA_HELPER
COMMENT AUTOHELPERS
?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080 CT:helper:amanda all - udp 10080
?ENDIF ?ENDIF
?IF __FTP_HELPER ?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp all - tcp 21
?ENDIF ?ENDIF
?IF __H323_HELPERS ?IF __CT_TARGET && __H323_HELPER
COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719 CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720 CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
?ENDIF ?ENDIF
?IF __IRC_HELPER ?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667 CT:helper:irc all - tcp 6667
?ENDIF ?ENDIF
?IF __NETBIOS_NS_HELPER ?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137 CT:helper:netbios-ns all - udp 137
?ENDIF ?ENDIF
?IF __PPTP_HELPER ?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729 CT:helper:pptp all - tcp 1729
?ENDIF ?ENDIF
?IF __SANE_HELPER ?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566 CT:helper:sane all - tcp 6566
?ENDIF ?ENDIF
?IF __SIP_HELPER ?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060 CT:helper:sip all - udp 5060
?ENDIF ?ENDIF
?IF __SNMP_HELPER ?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161 CT:helper:snmp all - udp 161
?ENDIF ?ENDIF
?IF __TFTP_HELPER ?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69 CT:helper:tftp all - udp 69
?ENDIF ?ENDIF
COMMENT
?ENDIF


@ -116,8 +116,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -146,6 +144,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -46,6 +46,13 @@
<para>where <replaceable>format</replaceable> is either <emphasis <para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para> role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
word COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
@ -222,13 +229,9 @@
url="shorewall-exclusion.html">shorewall-exclusion</ulink> url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para> (5)).</para>
<para>Comments may be attached to Netfilter rules generated from <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
entries in this file through the use of COMMENT lines. These lines used as the <replaceable>zone</replaceable> name to mean
begin with the word COMMENT; the remainder of the line is treated as <firstterm>all zones</firstterm>.</para>
a comment which is attached to subsequent rules until another
COMMENT line is found or until the end of the file is reached. To
stop adding comments to rules, use a line with only the word
COMMENT.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -299,30 +299,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7.</para>
<para>In Linux 3.5, the Netfilter team announced that the automatic
association of helpers with connections based on protocol and port
would no longer be supported after a certain point. This means that
explicit rules must be added in shorewall-conntrack (5) in order for
applications like FTP that require a helper to continue to work
correctly. To work around this problem, the AUTOHELPERS option was
added with a default value of Yes.</para>
<para>If set to Yes and the CT Target capability is present in the
kernel and iptables, then Shorewall will automatically create the
same associations that were made by the modules themselves prior to
removal of the automatic association feature. The associations are
actually in shorewall-conntrack (5) so you can modify them to suit
your particular needs. </para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -708,6 +684,62 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
application helps that are to be enabled. If not specified, the
default is to enable all helpers.</para>
<para>Possible values for <replaceable>helper</replaceable>
are:</para>
<itemizedlist>
<listitem>
<para>amanda</para>
</listitem>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>h323</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>netbios-ns</para>
</listitem>
<listitem>
<para>pptp</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>snmp</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=Yes
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -7,40 +7,34 @@
FORMAT 2 FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?IF $AUTOHELPERS && __CT_TARGET ?IF __CT_TARGET && __AMANDA_HELPER
COMMENT AUTOHELPERS
?IF __AMANDA_HELPER
CT:helper:amanda all - udp 10080 CT:helper:amanda all - udp 10080
?ENDIF ?ENDIF
?IF __FTP_HELPER ?IF __CT_TARGET && __FTP_HELPER
CT:helper:ftp all - tcp 21 CT:helper:ftp all - tcp 21
?ENDIF ?ENDIF
?IF __H323_HELPERS ?IF __CT_TARGET && __H323_HELPER
COMMENT AUTOHELPERS - H323
CT:helper:RAS all - udp 1719 CT:helper:RAS all - udp 1719
CT:helper:Q.931 all - tcp 1720 CT:helper:Q.931 all - tcp 1720
COMMENT AUTOHELPERS
?ENDIF ?ENDIF
?IF __IRC_HELPER ?IF __CT_TARGET && __IRC_HELPER
CT:helper:irc all - tcp 6667 CT:helper:irc all - tcp 6667
?ENDIF ?ENDIF
?IF __NETBIOS_NS_HELPER ?IF __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns all - udp 137 CT:helper:netbios-ns all - udp 137
?ENDIF ?ENDIF
?IF __PPTP_HELPER ?IF __CT_TARGET && __PPTP_HELPER
CT:helper:pptp all - tcp 1729 CT:helper:pptp all - tcp 1729
?ENDIF ?ENDIF
?IF __SANE_HELPER ?IF __CT_TARGET && __SANE_HELPER
CT:helper:sane all - tcp 6566 CT:helper:sane all - tcp 6566
?ENDIF ?ENDIF
?IF __SIP_HELPER ?IF __CT_TARGET && __SIP_HELPER
CT:helper:sip all - udp 5060 CT:helper:sip all - udp 5060
?ENDIF ?ENDIF
?IF __SNMP_HELPER ?IF __CT_TARGET && __SNMP_HELPER
CT:helper:snmp all - udp 161 CT:helper:snmp all - udp 161
?ENDIF ?ENDIF
?IF __TFTP_HELPER ?IF __CT_TARGET && __TFTP_HELPER
CT:helper:tftp all - udp 69 CT:helper:tftp all - udp 69
?ENDIF ?ENDIF
COMMENT
?ENDIF


@ -111,8 +111,6 @@ ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
@ -137,6 +135,8 @@ FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes
HELPERS=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes


@ -45,6 +45,13 @@
<para>where <replaceable>format</replaceable> is either <emphasis <para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para> role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
word COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
@ -124,6 +131,10 @@
list of addresses (may contain exclusion - see <ulink list of addresses (may contain exclusion - see <ulink
url="shorewall-exclusion.html">shorewall6-exclusion</ulink> url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para> (5)).</para>
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -228,30 +228,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7.</para>
<para>In Linux 3.5, the Netfilter team announced that the automatic
association of helpers with connections based on protocol and port
would no longer be supported after a certain point. This means that
explicit rules must be added in shorewall-conntrack (5) in order for
applications like FTP that require a helper to continue to work
correctly. To work around this problem, the AUTOHELPERS option was
added with a default value of Yes.</para>
<para>If set to Yes and the CT Target capability is present in the
kernel and iptables, then Shorewall will automatically create the
same associations that were made by the modules themselves prior to
removal of the automatic association feature. The associations are
actually in shorewall-conntrack (5) so you can modify them to suit
your particular needs.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -617,6 +593,62 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
<listitem>
<para>Added in Shorewall 4.5.7. This option lists the Netfilter
application helps that are to be enabled. If not specified, the
default is to enable all helpers.</para>
<para>Possible values for <replaceable>helper</replaceable>
are:</para>
<itemizedlist>
<listitem>
<para>amanda</para>
</listitem>
<listitem>
<para>ftp</para>
</listitem>
<listitem>
<para>h323</para>
</listitem>
<listitem>
<para>irc</para>
</listitem>
<listitem>
<para>netbios-ns</para>
</listitem>
<listitem>
<para>pptp</para>
</listitem>
<listitem>
<para>sane</para>
</listitem>
<listitem>
<para>sip</para>
</listitem>
<listitem>
<para>snmp</para>
</listitem>
<listitem>
<para>tftp</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>