Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@10 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-04-30 23:13:15 +00:00
parent af87d30b67
commit 7c78bb16a7
30 changed files with 6304 additions and 0 deletions

340
Shorewall/COPYING Normal file

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

43
Shorewall/INSTALL Normal file

@ -0,0 +1,43 @@
Shoreline Firewall (Shorewall) Version 1.2 - 12/21/2001
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:
o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
fit your environment.
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the
"documentation" directory.
Upgrade:
o run the install script as described above.
o shorewall restart
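Review bot: the last installation bullet carries two typos that should be fixed before this ships: "audomatically" for "automatically", and "see the HTML documentation contains in the "documentation" directory" should read "contained in". The GPL notice at the top of this file gives the FSF address as "675 Mass Ave, Cambridge, MA 02139", while the COPYING file committed alongside it uses "59 Temple Place, Suite 330, Boston, MA 02111-1307"; the two should agree. The header line "Version 1.2 - 12/21/2001" also lags the VERSION=1.2.13 set in install.sh and fallback.sh in this same commit.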

19
Shorewall/blacklist Executable file

@ -0,0 +1,19 @@
#
# Shorewall 1.2 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
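Review bot: the description has a typo, "arrives on in interface" should be "arrives on an interface", and the file is committed with the executable bit set (it is listed as "Executable file") even though it is a data file read by the firewall script; a configuration file under /etc/shorewall should not be executable. The header could also say that the "~" MAC syntax only applies on interfaces where the kernel can see the source MAC (the packet arrives directly on that interface), so that entries for hosts behind a router are not silently ineffective.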

17
Shorewall/changelog.txt Executable file

@ -0,0 +1,17 @@
Changes since 1.2.12
1. Added whitelist support
2. Added SYN Flood Protection
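Review bot: the entries "Added whitelist support" and "Added SYN Flood Protection" are too terse to guide an upgrade: name the file each feature reads (fallback.sh in this commit restores /etc/shorewall/whitelist, so presumably that one for the first entry) and the shorewall.conf variables that enable or tune each feature. Like blacklist, this text file is committed as "Executable file" and should have the executable bit cleared.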

34
Shorewall/common.def Normal file

@ -0,0 +1,34 @@
############################################################################
# Shorewall 1.1 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
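Review bot: the "--tcp-flags ACK ACK" and "--tcp-flags RST RST" rules accept every TCP packet with the ACK or RST bit set, on any port, before the DROP or REJECT policy is applied; the comment gives the intent (let the stack answer stray segments), but because the match is on the flag alone it also passes SYN+ACK and any other segment carrying ACK through to the kernel, so the trade-off should be spelled out in the comment, and administrators who want stricter behaviour should be reminded that the header's "copy this file to /etc/shorewall/common" is the supported way to change it. Two smaller points: the port-135 rule jumps to lowercase "reject" while the two lines above use "REJECT", so confirm that "reject" is the Shorewall-defined chain rather than a typo for the built-in target; and the header says "Shorewall 1.1" while every other file in this commit says 1.2.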

112
Shorewall/fallback.sh Executable file

@ -0,0 +1,112 @@
#!/bin/sh
#
# Script to back out the installation of Shoreline Firewall and to restore the previous version of
# the program
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to back out the installation of the version
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.2.13
usage() # $1 = exit status
{
echo "usage: `basename $0`"
exit $1
}
restore_file() # $1 = file to restore
{
if [ -f ${1}-${VERSION}.bkout ]; then
if (mv -f ${1}-${VERSION}.bkout $1); then
echo
echo "$1 restored"
else
echo "ERROR: Could not restore $1"
exit 1
fi
fi
}
if [ ! -f /etc/shorewall/version-${VERSION}.bkout ]; then
echo "Seattle Firewall Version $VERSION is not installed"
exit 1
fi
echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /etc/shorewall/firewall ]; then
FIREWALL=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
fi
restore_file /sbin/shorewall
[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
restore_file /etc/shorewall/shorewall.conf
restore_file /etc/shorewall/functions
restore_file /etc/shorewall/common.def
restore_file /etc/shorewall/icmp.def
restore_file /etc/shorewall/zones
restore_file /etc/shorewall/policy
restore_file /etc/shorewall/interfaces
restore_file /etc/shorewall/hosts
restore_file /etc/shorewall/rules
restore_file /etc/shorewall/nat
restore_file /etc/shorewall/params
restore_file /etc/shorewall/proxyarp
restore_file /etc/shorewall/masq
restore_file /etc/shorewall/modules
restore_file /etc/shorewall/tcrules
restore_file /etc/shorewall/tos
restore_file /etc/shorewall/tunnels
restore_file /etc/shorewall/blacklist
restore_file /etc/shorewall/whitelist
restore_file /etc/shorewall/version
oldversion="`cat /etc/shorewall/version`"
echo "Shorewall Restored to Version $oldversion"
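Review bot: resolving the /etc/shorewall/firewall symlink by parsing "ls -l" output with sed 's/^.*> //' is fragile (any "> " elsewhere in the listing, or a different ls output format, yields the wrong path, and restore_file is then run on it with an unquoted $1); prefer readlink where available, or at least check that the resulting path exists before restoring. The error message "Seattle Firewall Version $VERSION is not installed" names a different product; everywhere else the script says Shoreline Firewall or Shorewall. usage() is defined but never called, so an unexpected argument is silently ignored rather than rejected.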

3074
Shorewall/firewall Executable file

File diff suppressed because it is too large

167
Shorewall/functions Executable file

@ -0,0 +1,167 @@
#
# Shorewall 1.2 -- /etc/shorewall/functions
#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}
#
# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
echo /etc/shorewall/$1
fi
}
#
# Replace commas with spaces and echo the result
#
separate_list()
{
echo $1 | sed 's/,/ /g'
}
#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW|multi)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}
find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}
determine_zones()
{
local zonefile=`find_file zones`
multi_display=Multi-zone
if [ -f $zonefile ]; then
zones=`find_zones $zonefile`
zones=`echo $zones` # Remove extra trash
for zone in $zones; do
dsply=`find_display $zone $zonefile`
eval ${zone}_display=\$dsply
done
else
zones="net local dmz gw"
net_display=Net
local_display=Local
dmz_display=DMZ
gw_display=Gateway
fi
}
###############################################################################
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#------------------------------------------------------------------------------
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
###############################################################################
get_statedir()
{
local config=`find_file shorewall.conf`
if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}
###############################################################################
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
###############################################################################
mutex_on()
{
local try=0
local max=15
local int=2
local lockf=$STATEDIR/lock
[ -d $STATEDIR ] || mkdir -p $STATEDIR
if qt which lockfile; then
lockfile -030 -r1 ${lockf} || exit 2
else
while [ -f ${lockf} -a ${try} -lt ${max} ] ; do
sleep ${int}
try=$((${try} + 1))
done
if [ ${try} -lt ${max} ] ; then
# Create the lockfile
echo $$ > ${lockf}
else
echo "Giving up on lock file ${lockf}" >&2
exit 2
fi
fi
}
###############################################################################
# Call this function to release MUTEX
###############################################################################
mutex_off()
{
rm -f $STATEDIR/lock
}
###############################################################################
# Strip comments and blank lines from a file and place the result in the #
# temporary directory #
###############################################################################
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
[ $# = 1 ] && fname=`find_file $1` || fname=$2
if [ -f $fname ]; then
cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi
}
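Review bot: the fallback branch of mutex_on has a window between the "[ -f ${lockf} ]" test and "echo $$ > ${lockf}" in which two callers can both take the lock; the comment acknowledges the race, but an atomic primitive such as "mkdir" on a lock directory, or "set -C" (noclobber) before the redirection, closes it without depending on procmail's lockfile. The PID written to the lock is never read back, so a lock left behind by a crashed caller is indistinguishable from a live one until the 30-second retry loop gives up. Separately, get_statedir executes the configuration with ". $config", and find_file honours $SHOREWALL_DIR from the environment, so shorewall.conf is run as shell code by whichever caller loads these functions (root, for the firewall); document that the directory and file must be root-owned and not group- or world-writable, or check that before sourcing. Finally, $1 and $fname are unquoted throughout, which breaks on paths containing spaces.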

36
Shorewall/hosts Normal file

@ -0,0 +1,36 @@
#
# Shorewall 1.2 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
# wrong. Unless you are ABSOLUTELY SURE that you need entries
# in this file, don't touch it!
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# routestopped - route messages to and from this
# member when the firewall is in the
# stopped state
#
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

17
Shorewall/icmp.def Normal file

@ -0,0 +1,17 @@
##############################################################################
# Shorewall 1.2 /etc/shorewall/icmp.def
#
# This file defines the default rules for accepting ICMP packets.
#
# Do not modify this file -- if you want to change these rules, copy this
# file to /etc/shorewall/icmpdef and modify that file.
#
# In particular, if you want to accept 'ping' everywhere then add
#
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
#
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
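Review bot: each rule accepts its ICMP type unconditionally, with no reference to connection state and no rate limit, so unsolicited echo-reply, source-quench, destination-unreachable, time-exceeded and parameter-problem packets from any source reach the host. source-quench in particular is a throttling signal that a forged sender can use to slow the receiver's TCP, and nothing on the host needs it; consider dropping it. For the other types, the header should say whether they are meant as error messages for existing connections (in which case a state match would be more precise) or as unsolicited traffic that must be accepted. The header also says "copy this file to /etc/shorewall/icmpdef", which differs from common.def's convention of copying to a file without the .def suffix ("common"); confirm "icmpdef" is the intended name rather than "icmp".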

478
Shorewall/install.sh Executable file

@ -0,0 +1,478 @@
#!/bin/sh
#
# Script to install Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Seawall documentation is available at http://seawall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# If you are running a distribution that has a directory called /etc/rc.d/init.d or one
# called /etc/init.d or you are running Slackware then simply cd to the directory
# containing this script and run it.
#
# ./install.sh
#
# If you don't have either of those directories, you will need to determine where the
# SysVInit scripts are kept on your system and pass the name of that directory.
#
# ./install.sh /etc/rc.d/scripts
#
# The default is that the firewall will be started in run levels 2-5 starting at
# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian,
# Caldera and Corel.
#
# If you wish to change that, you can pass -r "<levels startpos stoppos>".
#
# Example 1: You wish to start your firewall in runlevels 2 and three, start at position
# 15 and stop at position 90
#
# ./install.sh -r "23 15 90"
#
# Example 2: You wish to start your firewall only in run level 3, start at position 5
# and stop at position 95.
#
# ./install.sh -r "3 5 95" /etc/rc.d/scripts
#
# For distributions that don't include chkconfig (Slackware, for example), the
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.2.13
usage() # $1 = exit status
{
ME=`basename $0`
echo "usage: $ME [ -r \"<chkconfig parameters>\" ] [ <init scripts directory> ]"
echo " $ME [ -v ]"
echo " $ME [ -h ]"
exit $1
}
run_install()
{
if ! install $*; then
echo -e "\nERROR: Failed to install $*"
exit 1
fi
}
cant_autostart()
{
echo -e "\nWARNING: Unable to configure Shorewall to start"
echo " automatically at boot"
}
backup_file() # $1 = file to backup
{
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if (cp $1 ${1}-${VERSION}.bkout); then
echo
echo "$1 saved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
modify_rclocal()
{
if [ -f /etc/rc.d/rc.local ]; then
if [ -z "`grep shorewall /etc/rc.d/rc.local`" ]; then
cp -f /etc/rc.d/rc.local /etc/rc.d/rc.local-shorewall.bkout
echo >> /etc/rc.d/rc.local
echo "/sbin/shorewall start" >> /etc/rc.d/rc.local
echo "/etc/rc.d/rc.local modified to start Shorewall"
fi
else
cant_autostart
fi
}
install_file_with_backup() # $1 = source $2 = target $3 = mode
{
backup_file $2
run_install -o $OWNER -g $GROUP -m $3 $1 ${2}
}
#
# Parse the run line
#
# DEST is the SysVInit script directory
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
DEST=""
RUNLEVELS=""
ARGS=""
if [ -z "$OWNER" ] ; then
OWNER=root
fi
if [ -z "$GROUP" ] ; then
GROUP=root
fi
while [ $# -gt 0 ] ; do
case "$1" in
-h|help|?)
if [ -n "$ARGS" ]; then
usage 1
fi
usage 0
;;
-r)
if [ -n "$RUNLEVELS" -o $# -eq 1 ]; then
usage 1
fi
RUNLEVELS="$2";
shift
;;
-v)
if [ -n "$ARGS" ]; then
usage 1
fi
echo "Seattle Firewall Installer Version $VERSION"
exit 0
;;
*)
if [ -n "$DEST" ]; then
usage 1
fi
DEST="$1"
;;
esac
shift
ARGS="yes"
done
#
# Determine where to install the firewall script
#
if [ -n "$PREFIX" ]; then
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin
install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST}
fi
FIREWALL="shorewall"
if [ -z "$DEST" ]; then
#
# We make this first test so that on RedHat systems that have Seawall installed,
# we can still use PREFIX (the code that reads the existing symbolic link
# fails dreadfully if the link is relative and PREFIX is non-null).
#
if [ -x /etc/rc.d/init.d/firewall ]; then
DEST=/etc/rc.d/init.d
elif [ -L /etc/shorewall/firewall ]; then
TEMP=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
DEST=`dirname $TEMP`
FIREWALL=`basename $TEMP`
elif [ -d /etc/rc.d/init.d ]; then
DEST=/etc/rc.d/init.d
elif [ -d /etc/init.d ]; then
DEST=/etc/init.d
elif [ -f /etc/rc.d/rc.local ]; then
DEST=/etc/rc.d
FIREWALL="rc.shorewall"
else
echo "ERROR: Can't determine where to install the firewall script"
echo " Rerun $0 passing the name of the SysVInit script directory"
echo " on your system"
exit 1
fi
fi
#
# Change to the directory containing this script
#
cd "`dirname $0`"
echo "Installing Shorewall Version $VERSION"
#
# Check for /etc/shorewall
#
if [ -d ${PREFIX}/etc/shorewall ]; then
first_install=""
else
first_install="Yes"
fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
echo -e "\nShorewall control program installed in ${PREFIX}/sbin/shorewall"
#
# Install the Firewall Script
#
if [ -n "$RUNLEVELS" ]; then
#
# User specified chkconfig parameters -- build an awk script to install them
# in the firewall script
#
echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp
echo "{ print }" >> awk.temp
awk -f awk.temp firewall > firewall.temp
if [ $? -ne 0 ]; then
echo -e "\nERROR: Error running awk."
echo " You must run `basename $0` without the "-r" option then edit"
echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')"
exit 1
fi
install_file_with_backup firewall.temp ${PREFIX}${DEST}/$FIREWALL 0544
rm -f firewall.temp awk.tmp
else
install_file_with_backup firewall ${PREFIX}${DEST}/$FIREWALL 0544
fi
echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
#
# Create /etc/shorewall if needed
#
if [ ! -d ${PREFIX}/etc/shorewall ]; then
mkdir ${PREFIX}/etc/shorewall
fi
#
# Install the config file
#
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf
else
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo -e "\nConfig file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi
#
# Install the zones file
#
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones
else
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy"
fi
#
# Install the functions file
#
install_file_with_backup functions ${PREFIX}/etc/shorewall/functions 0444
echo -e "\nCommon functions installed in ${PREFIX}/etc/shorewall/functions"
#
# Install the common.def file
#
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo -e "\nCommon rules installed in ${PREFIX}/etc/shorewall/common.def"
#
# Install the icmp.def file
#
install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
echo -e "\nCommon ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
#
# Install the policy file
#
if [ -f ${PREFIX}/etc/shorewall/policy ]; then
backup_file /etc/shorewall/policy
else
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo -e "\nPolicy file installed as ${PREFIX}/etc/shorewall/policy"
fi
#
# Install the interfaces file
#
if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
backup_file /etc/shorewall/interfaces
else
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo -e "\nInterfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi
#
# Install the hosts file
#
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
backup_file /etc/shorewall/hosts
else
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo -e "\nHosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi
#
# Install the rules file
#
if [ -f ${PREFIX}/etc/shorewall/rules ]; then
backup_file /etc/shorewall/rules
else
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo -e "\nRules file installed as ${PREFIX}/etc/shorewall/rules"
fi
#
# Install the NAT file
#
if [ -f ${PREFIX}/etc/shorewall/nat ]; then
backup_file /etc/shorewall/nat
else
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo -e "\nNAT file installed as ${PREFIX}/etc/shorewall/nat"
fi
#
# Install the Parameters file
#
if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params
else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
echo -e "\nParameter file installed as ${PREFIX}/etc/shorewall/params"
fi
#
# Install the proxy ARP file
#
if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
backup_file /etc/shorewall/proxyarp
else
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo -e "\nProxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi
#
# Install the Masq file
#
if [ -f ${PREFIX}/etc/shorewall/masq ]; then
backup_file /etc/shorewall/masq
else
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo -e "\nMasquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi
#
# Install the Modules file
#
if [ -f ${PREFIX}/etc/shorewall/modules ]; then
backup_file /etc/shorewall/modules
else
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo -e "\nModules file installed as ${PREFIX}/etc/shorewall/modules"
fi
#
# Install the TC Rules file
#
if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
backup_file /etc/shorewall/tcrules
else
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo -e "\nTC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi
#
# Install the TOS file
#
if [ -f ${PREFIX}/etc/shorewall/tos ]; then
backup_file /etc/shorewall/tos
else
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo -e "\nTOS file installed as ${PREFIX}/etc/shorewall/tos"
fi
#
# Install the Tunnels file
#
if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
backup_file /etc/shorewall/tunnels
else
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo -e "\nTunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi
#
# Install the blacklist file
#
if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
backup_file /etc/shorewall/blacklist
else
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Install the whitelist file
#
if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then
backup_file /etc/shorewall/whitelist
else
run_install -o $OWNER -g $GROUP -m 0600 whitelist ${PREFIX}/etc/shorewall/whitelist
echo -e "\nWhitelist file installed as ${PREFIX}/etc/shorewall/whitelist"
fi
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then
if [ -f /etc/shorewall/version ]; then
backup_file /etc/shorewall/version
elif [ -n "$oldversion" ]; then
echo $oldversion > /etc/shorewall/version-${VERSION}.bkout
else
echo "Unknown" > /etc/shorewall/version-${VERSION}.bkout
fi
fi
#
# Create the version file
#
echo "$VERSION" > ${PREFIX}/etc/shorewall/version
chmod 644 ${PREFIX}/etc/shorewall/version
#
# Remove and create the symbolic link to the firewall script
#
if [ -z "$PREFIX" ]; then
rm -f /etc/shorewall/firewall
ln -s ${DEST}/${FIREWALL} /etc/shorewall/firewall
else
pushd ${PREFIX}/etc/shorewall/ >> /dev/null && ln -s ../..${DEST}/${FIREWALL} firewall && popd >> /dev/null
fi
echo -e "\n${PREFIX}/etc/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL"
if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then
echo -e "\nFirewall will start automatically at boot"
else
cant_autostart
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add $FIREWALL ; then
echo -e "\nFirewall will automatically start in run levels as follows:"
chkconfig --list $FIREWALL
else
cant_autostart
fi
else
modify_rclocal
fi
fi
#
# Report Success
#
echo -e "\nShorewall Version $VERSION Installed"
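Review bot: the temp-file cleanup after the awk run removes the wrong name: the script writes `awk.temp` (`echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp`) but deletes `awk.tmp` (`rm -f firewall.temp awk.tmp`), so `awk.temp` is left behind in the source directory on every `-r` install. Other points in this hunk: the zones install message names the wrong file (`echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy"` should say `zones`); `pushd`/`popd` in the PREFIX branch of the symlink creation are bash builtins while the script runs under `#!/bin/sh`, so a PREFIX build fails wherever /bin/sh is ash or dash; `$oldversion` is never assigned, so that branch of the version backup is dead and the backup always contains "Unknown"; `insserv /etc/init.d/shorewall` hard-codes a path although the rest of the script computes `$DEST/$FIREWALL`; `shorewall.conf` and `zones` are installed mode 0744 while every other configuration file is 0600, and nothing here needs the execute bit or world readability, so one consistent restrictive mode is preferable; the version banner still prints "Seattle Firewall Installer" and the header points readers at the seawall.sourceforge.net documentation; and the unquoted `?` in `-h|help|?)` is a shell glob that matches any single-character argument, so a one-character directory name prints the usage text instead of being used.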

94
Shorewall/interfaces Normal file

@ -0,0 +1,94 @@
#
# Shorewall 1.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# place "-" in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27 and you want pings from the internet
# to be ignored. You interface a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 noping,dhcp
# local eth1 192.168.1.255 routestopped
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect noping,dhcp
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests.
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
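Review bot: Example 1 uses the zone name `local` (`local eth1 192.168.1.255 routestopped`) while Example 2 uses `loc` for the same interface and the shipped policy file refers to `loc`; since the ZONE column must match a zone in /etc/shorewall/zones, both examples should use the same name. Smaller documentation fixes in the same hunk: "this column is left black" should read "left blank"; the `norfc1918` text opens a parenthesis at `(i.e., private or "non-routable"` and never closes it; the `blacklist` option line carries stray `. .` before the option name; "gets it's IP address" should be "its"; and "You interface a DMZ with subnet" reads oddly (for example "You connect a DMZ with subnet").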

81
Shorewall/masq Executable file

@ -0,0 +1,81 @@
#
# Shorewall 1.2 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add the following entry to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176.
#
# eth0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET ADDRESS
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
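Review bot: two example addresses in this hunk are mistyped as 196.168.x.x rather than the 192.168.x.x range the surrounding text uses. The exclusion example is `eth1!192.168.1.4,192.168.32.0/27`, but the prose under it says "196.168.32.0/27", and Example 3 describes masquerading 192.168.1.0/24 while the entry reads `ipsec0:10.1.1.0/24 196.168.1.0/24`. 196.168.0.0/16 is public address space, so a user who copies the example line would masquerade the wrong prefix. Also, the INTERFACE column description is followed by a doubled blank comment line, and the ADD_SNAT_ALIASES WARNING would be more useful if it said what goes wrong when the address in the ADDRESS column is the interface's primary address.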

14
Shorewall/modules Normal file

@ -0,0 +1,14 @@
##############################################################################
# Shorewall 1.2 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
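Review bot: the FTP and IRC connection-tracking and NAT helpers (`loadmodule ip_conntrack_ftp`, `loadmodule ip_conntrack_irc`, `loadmodule ip_nat_ftp`, `loadmodule ip_nat_irc`) are loaded unconditionally. These helpers parse packet payloads and open expected connections based on what they find, so every installation carries that exposure, including the many with no IRC clients behind the firewall; consider loading only the FTP pair by default and shipping the IRC pair as commented-out lines the administrator can enable. The file also lacks a comment describing the `loadmodule` syntax and what happens when a listed module is built into the kernel rather than available as a module.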

30
Shorewall/nat Executable file

@ -0,0 +1,30 @@
##############################################################################
#
# Shorewall 1.2 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define static Network Address Translation (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that static NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column
# INTERFACE Interface that we want to EXTERNAL address to appear
# on
# INTERNAL Internal Address
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective
# only through the interface named in the INTERFACE
# column
# LOCAL If Yes or yes and the ALL INTERFACES column contains
# Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
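Review bot: the column descriptions need a few wording fixes: "Proxy ARP is a better solution that static NAT" should read "than"; "Interface that we want to EXTERNAL address to appear on" should read "Interface on which we want the EXTERNAL address to appear"; and the ALL INTERFACES entry states that an empty column means Yes, while the LOCAL entry gives no default for an empty column, so state it there as well. The rule that EXTERNAL must not be the interface's primary address is the most important line in this header; saying what breaks when it is would help readers recognise the failure.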

43
Shorewall/params Normal file

@ -0,0 +1,43 @@
#
# Shorewall 1.2 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=noping,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 noping,norfc1918
#
# Variables can be used in the following places in the other configuration
# files:
#
# /etc/shorewall/interfaces:
# /etc/shorewall/hosts
#
# All except the first column.
#
# /etc/shorewall/rules
#
# First column after ":".
# All remaining columns
#
# /etc/shorewall/tunnels
# /etc/shorewall/proxyarp
# /etc/shorewall/nat
#
# All columns
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
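Review bot: the examples (`NET_IF=eth0`, then `$NET_IF` in the interfaces record) imply this file is sourced as shell by the firewall script, but the header never says so. If that is the case, state it explicitly and note that anything placed here executes with the firewall's root privileges, which is why install.sh installs it as `run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params`; a user who loosens that mode or writes commands rather than assignments here should understand the consequence. Minor: `/etc/shorewall/interfaces:` in the list of places where variables may be used has a stray trailing colon.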

47
Shorewall/policy Normal file

@ -0,0 +1,47 @@
#
# Shorewall 1.2 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each client/server pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# CLIENT Location of client. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# SERVER Location of server. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the network are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#CLIENT SERVER POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
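Review bot: the POLICY column documentation does not match the shipped defaults. The header says the value "Must be "ACCEPT", "DENY", "REJECT" or "CONTINUE"", while the default entry is `net all DROP info`; either DROP is an accepted value the header omits or DENY is a leftover name, and the two should agree. The "As shipped" summary also lists items a), b) and d) with no c); item b) says "All connections from the network are ignored" where the rule concerns the net zone (the internet); and the LOG LEVEL placeholder is given as "_" while every other file in this commit uses "-" for an empty column, so confirm which character the parser expects.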

30
Shorewall/proxyarp Normal file

@ -0,0 +1,30 @@
##############################################################################
#
# Shorewall 1.2 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty.
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
# 155.186.235.6 eth1 eth0 No
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
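Review bot: in the HAVEROUTE description, "Otherwise, entry "no", "No" or leave the column empty" should read "enter". The closing marker also says "ADD YOUR ENTRIES BEFORE THIS ONE" while masq, nat and policy say "ABOVE THIS LINE"; one wording across the configuration files keeps them consistent for users and for anything that looks for that line.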

16
Shorewall/releasenotes.txt Executable file

@ -0,0 +1,16 @@
This is a minor release of Shorewall.
In this release:
1. Whitelist support has been added.
2. Optional SYN Flood protection is now available
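Review bot: neither item says how to enable the feature it announces. The whitelist is installed by install.sh as /etc/shorewall/whitelist, but the note names neither the file nor how it relates to the `blacklist` interface option, and "Optional SYN Flood protection" does not say where it is configured. Release notes are where users look for this, so a one-line pointer for each item is worth adding. The hunk header also announces 16 lines while only four are shown, so check that the file is complete.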

151
Shorewall/rules Executable file

@ -0,0 +1,151 @@
#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# If any of the following columns contain the word "none" then the rule
# is ignored:
#
# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or $FW to indicate the
# firewall itself.
#
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# SERVER Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER. The value "all" is
# intended to be used when your internet IP address is
# dynamic and you want to do port forwarding or you want
# to do proxy redirection. IT SHOULD NOT BE USED IN ANY
# OTHER SITUATION.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,http - all
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)except when the destination address is 192.168.2.2
#
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc $FW::8080 tcp www - !192.168.2.2
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Allow SSH from the local network
#
ACCEPT loc $FW tcp ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT net $FW tcp ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT $FW net udp ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
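Review bot: the shipped default `ACCEPT net $FW tcp ssh,auth` opens SSH on the firewall to the whole net zone on a fresh install with no source restriction. Since the header already documents the `net:155.186.235.0/24` form for restricting clients, ship this entry commented out (or with a `net:<admin-subnet>` placeholder) and let the administrator opt in; `auth` (ident) only needs ACCEPT when an identd runs on the firewall, and where none runs an explicit REJECT avoids the timeouts that DROP causes for remote servers that probe ident. Documentation typos in the same hunk: "preceed", "modifiy", "following ields", "(0ptional)" with a zero, "a colon (":") an an IP address", "system)except", "PORTS(S)" in the second example header, and the PORT(S) text refers to "PROTOCOL = all" while the column is named PROTO.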

561
Shorewall/shorewall Executable file

@ -0,0 +1,561 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V1.2 - 12/21/2001
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
#
# This file should be placed in /sbin/shorewall.
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# The firewall uses configuration files in /etc/shorewall/ - skeleton
# files is included with the firewall.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
# plus the last 20 "interesting"
# packets
# shorewall status Displays firewall status
# shorewall reset Resets iptables packet and
# byte counts
# shorewall clear Open the floodgates by
# removing all iptables rules
# and setting the three permanent
# chain policies to ACCEPT
# shorewall refresh Rebuild the common chain to
# compensate for a change of
# broadcast address on any "detect"
# interface.
# shorewall show <chain> Display the rules in a <chain>
# shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection
# tracking table
# shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info
# shorewall version Display the installed version id
# shorewall check Verify the more heavily-used
# configuration files.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the
# standard one. If a timeout is supplied
# the command reverts back to the
# standard configuration after that many
# seconds have elapsed after successfully
# starting the new configuration.
#
# Display a chain if it exists
#
showfirstchain() # $1 = name of chain
{
awk \
'BEGIN {prnt=0;}; \
/^$/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\
/Chain '$1'/ { prnt=1; }; \
{ if (prnt == 1) print; }' /tmp/chains-$$
}
showchain() # $1 = name of chain
{
if [ "$firstchain" = "Yes" ]; then
showfirstchain $1
firstchain=
else
awk \
'BEGIN {prnt=0;};\
/^$|^ pkts/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\
/Chain '$1'/ { prnt=1; };\
{ if (prnt == 1) print; }' /tmp/chains-$$
fi
}
#################################################################################
# Set the configuration variables from shorewall.conf #
#################################################################################
get_config() {
get_statedir
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ ! -f $LOGFILE ]; then
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
#
# See if we have a real version of "tail" -- use separate redirection so
# that ash (aka /bin/sh on LRP) doesn't crap
#
if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then
realtail="Yes"
else
realtail=""
fi
[ -n "$FW" ] || FW=fw
}
#################################################################################
# Display IPTABLES rules -- we used to store them in a variable but ash #
# dies when trying to display large sets of rules #
#################################################################################
display_chains()
{
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then
#
# Send the output to a temporary file since ash craps if we try to store
# the output in a variable.
#
iptables -L -n -v > /tmp/chains-$$
clear
echo -e "$banner `date`\\n"
echo -e "Standard Chains\\n"
firstchain="Yes"
showchain INPUT
showchain OUTPUT
showchain FORWARD
timed_read
for zone in $zones multi; do
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear
echo -e "$banner `date`\\n"
firstchain=Yes
eval display=\$${zone}_display
echo -e "$display Chains\\n"
for zone1 in $FW $zones; do
showchain ${zone}2$zone1
showchain @${zone}2$zone1
[ "$zone" != "$zone1" ] && \
showchain ${zone1}2${zone} && \
showchain @${zone1}2${zone}
done
timed_read
fi
done
clear
echo -e "$banner `date`\\n"
firstchain=Yes
echo -e "Policy Chains\\n"
showchain badpkt
showchain common
showchain icmpdef
showchain rfc1918
showchain blacklst
showchain reject
for zone in $zones all; do
showchain ${zone}2all
showchain @${zone}2all
[ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
done
timed_read
qt rm -f /tmp/chains-$$
else
iptables -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
}
#################################################################################
# Delay $timeout seconds -- if we're running on a recent bash2 then allow #
# <enter> to terminate the delay #
#################################################################################
timed_read ()
{
read -t $timeout foo 2> /dev/null
test $? -eq 2 && sleep $timeout
}
#################################################################################
# Display the last 20 packets logged #
#################################################################################
packet_log()
{
local options
[ -n "$realtail" ] && options="-n20"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \
tail $options
}
#################################################################################
# Show traffic control information #
#################################################################################
show_tc() {
show_one_tc() {
local device=${1%@*}
qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then
echo Device $device:
tc -s -d qdisc show dev $device
tc -s -d class show dev $device
echo
fi
}
ip link list | \
while read inx interface details; do
case $inx in
[0-9]*)
show_one_tc ${interface%:}
;;
*)
;;
esac
done
}
#################################################################################
# Monitor the Firewall #
#################################################################################
monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
get_config
host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then
let "timeout=- $1"
pause="Yes"
else
pause="No"
timeout=$1
fi
qt which awk && { haveawk=Yes; determine_zones; } || haveawk=
while true; do
display_chains
clear
echo -e "$banner `date`\\n"
echo -e "Dropped/Rejected Packet Log\\n"
rejects=`iptables -L -v -n | grep 'LOG'`
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
echo -e '\a'
packet_log
if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: '
read foo
else
timed_read
fi
else
if [ "$pause" != "Yes" ]; then
echo
packet_log
fi
timed_read
fi
clear
echo -e "$banner `date`\\n"
echo -e "NAT Status\\n"
iptables -t nat -L -n -v
echo -e "\\nTOS/MARK Status\\n"
iptables -t mangle -L -n -v
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "\\nTracked Connections\\n"
cat /proc/net/ip_conntrack
timed_read
clear
echo -e "$banner `date`\\n"
echo -e "\\nTraffic Shaping/Control\\n"
show_tc
timed_read
done
}
#################################################################################
# Give Usage Information #
#################################################################################
usage() # $1 = exit status
{
echo "Usage: `basename $0` [debug] [nolock] [-c <directory>] <command>"
echo "where <command> is one of:"
echo " show [<chain>|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
echo " reset"
echo " restart"
echo " status"
echo " clear"
echo " refresh"
echo " hits"
echo " monitor [<refresh interval>]"
echo " version"
echo " check"
echo " try <directory> [ <timeout> ]"
exit $1
}
#################################################################################
# Execution begins here #
#################################################################################
debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" ]; then
debugging=debug
shift
fi
nolock=
if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
nolock=nolock
shift
fi
SHOREWALL_DIR=
done=0
while [ $done -eq 0 ]; do
[ $# -eq 0 ] && usage 1
case $1 in
-c)
[ $# -eq 1 ] && usage 1
if [ ! -d $2 ]; then
if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2
else
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
shift
shift
;;
*)
done=1
;;
esac
done
if [ $# -eq 0 ] || [ $# -gt 3 ]; then
usage 1
fi
functions=/etc/shorewall/functions
if [ -n "$SHOREWALL_DIR" ]; then
export SHOREWALL_DIR
[ -f $SHOREWALL_DIR/functions ] && functions=$SHOREWALL_DIR/functions
fi
if [ -f $functions ]; then
. $functions
else
echo "/etc/shorewall/functions does not exist!" >&2
exit 2
fi
firewall=`find_file firewall`
if [ ! -f $firewall ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then
echo " $firewall is a symbolic link to a"
echo " non-existant file"
else
echo " The file /etc/shorewall/firewall does not exist"
fi
exit 2
fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
version_file=`find_file version`
if [ -f $version_file ]; then
version=`cat $version_file`
else
echo "ERROR: Shoreline Firewall is not properly installed"
echo " The file /etc/shorewall/version does not exist"
exit 1
fi
banner="Shorewall-$version Status at $HOSTNAME -"
case "$1" in
start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1
;;
show)
[ $# -gt 2 ] && usage 1
case "$2" in
connections)
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
cat /proc/net/ip_conntrack
;;
nat)
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
iptables -t nat -L -n -v
;;
tos|mangle)
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
iptables -t mangle -L -n -v
;;
log)
get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log
;;
tc)
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
show_tc
;;
*)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
iptables -L $2 -n -v
;;
esac
;;
monitor)
if [ $# -eq 2 ]; then
monitor_firewall $2
elif [ $# -eq 1 ]; then
monitor_firewall 30
else
usage 1
fi
;;
status)
[ $# -eq 1 ] || usage 1
get_config
clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v
echo
packet_log
echo
iptables -t nat -L -n -v
echo
iptables -t mangle -L -n -v
echo
cat /proc/net/ip_conntrack
;;
hits)
[ $# -eq 1 ] || usage 1
get_config
clear
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
echo " HITS IP DATE"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS IP"
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.* \)\(DST=.*\)/\2/' | sort | uniq -c | sort -rn
echo ""
echo " HITS DATE"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
echo ""
echo " HITS PORT SERVICE(S)"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do
# List all services defined for the given port
srv=`grep "\\b$port/" /etc/services | cut -f 1 | sort -u`
srv=`echo $srv | sed 's/ /,/g'`
if [ -n "$srv" ] ; then
printf '%7d %5d %s\n' $count $port $srv
else
printf '%7d %5d\n' $count $port
fi
done
fi
;;
version)
echo $version
;;
try)
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
$0 -c $2 restart
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
$0 start
elif [ $# -eq 3 ]; then
sleep $3
$0 restart
fi
;;
*)
usage 1
;;
esac
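Review bot: display_chains writes `iptables -L -n -v > /tmp/chains-$$` to a predictable name in world-writable /tmp while running as root, so a local user who pre-creates `/tmp/chains-<pid>` as a symlink gets the redirection to truncate or overwrite whatever the link points to, and the `rm -f /tmp/chains-$$` in the trap and after the loop has the same exposure. Since get_config already calls get_statedir, put the scratch file under that root-owned state directory, or use mktemp where it exists; also drop signal 9 from the trap list, since SIGKILL cannot be caught and some shells complain. Separately, `PATH=/sbin:/bin:...` is only assigned after `. $functions` and `find_file firewall` have already run with whatever PATH the caller supplied (and usage's `basename $0` before that); move the PATH assignment to the top of the "Execution begins here" block so every command the script and the functions file run resolves from the fixed list.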

189
Shorewall/shorewall.conf Executable file
@ -0,0 +1,189 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set -this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED="yes"
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=""
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=""
LOGBURST=""
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
LOGUNCLEAN=info
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE="/var/log/messages"
#
# Enable nat support.
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED="Yes"
#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED="Yes"
#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING="On"
#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES="Yes"
#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_SNAT_ALIASES="No"
#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED="No"
#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=
#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="No"
#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
ROUTE_FILTER="No"
#
# NAT before RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
NAT_BEFORE_RULES="Yes"
#LAST LINE -- DO NOT REMOVE
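Review bot: the CLAMPMSS comment is cut off mid-sentence ("Your kernel must" is followed by a blank line); finish it with the kernel requirement so an admin knows what to check before enabling it. Two logging defaults deserve a second look: LOGRATE and LOGBURST both ship empty, which the comment above them says disables rate-limiting, while LOGUNCLEAN=info logs every mangled/invalid packet once an interface has 'dropunclean' set, so the log-flooding DoS warning given for BLACKLIST_LOGLEVEL applies here as well; consider a non-empty default such as LOGRATE="10/minute", or at least repeat the warning next to LOGUNCLEAN. ROUTE_FILTER="No" also leaves the kernel anti-spoofing check off by default, which the comment should say explicitly. Minor typos: "set -this", "probally", "forwading", "youself" (twice), "beward", and the GPL URL should end in gpl.html.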

215
Shorewall/shorewall.spec Normal file
@ -0,0 +1,215 @@
%define name shorewall
%define version 1.2
%define release 13
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
Prefix: %{prefix}
License: GPL
Packager: Tom Eastep <teastep@shorewall.net>
Group: Networking/Utilities
Source: %{name}-%{version}.%{release}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: /%{_tmppath}/%{name}-%{version}-%{release}-root
Requires: iptables
Conflicts: kernel <= 2.2
Provides: shorewall
%description
Shoreline Firewall is an iptables-based firewall for Linux systems. The firewall
is designed to be used on:
a) Single systems attached to the internet via dial-in POP or ISDN.
b) Single systems attached full-time to the internet (ASDL, Cable, etc.)
c) Linux system used as a Masquerading gateway for one or more client and/or
server systems.
%prep
%setup -n %name-%version.%release
%build
%install
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh /etc/init.d
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ -x /sbin/insserv ]; then /sbin/insserv /etc/rc.d/shorewall; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add shorewall; fi
%preun
if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/shorewall ; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --del shorewall; fi ; fi
%files
/etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0600,root,root) /etc/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) /etc/shorewall/icmp.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
%attr(0600,root,root) %config(noreplace) /etc/shorewall/whitelist
%attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /etc/shorewall/functions
/etc/shorewall/firewall
%doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
- changed version to 13
- Added whitelist file.
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
- changed version to 12
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
- Merged Stefan's changes to create single RPM
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
- changed to SuSE Linux 7.3
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 11
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 10
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 9
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 8
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 7
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 6
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 5
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 4
- Merged Ajay's change to allow build by non-root
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 3
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
- changed Version to 2
- Updated URL
- Added blacklist file
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 0
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Rc1
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
- changed Version to Beta2
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
- changed Version to 1.2
- added tcrules file
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 17
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
- changed release to 16
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 15
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 14
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- changed release to 13
- added params file
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 12
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 11
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
- reorganized spec file
- s/Copyright/License/
- now will build fron rpm -tb
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 10
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 9
- Added tunnel file
- Readded tunnels file
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 8
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 7
- Changed iptables dependency.
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 6
- Added tunnels file
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 5
- Added modules and tos files
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 4
- Added changelog.txt and releasenotes.txt
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed release to 3
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Added files common.def and icmpdef.def
- Changed release to 2
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
- Changed the release to 1.
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the version to 1.1
- Added hosts file
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed the release to 4
- Added Zones and Functions files
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change ipchains dependency to an iptables dependency and
changed the release to 3
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Add additional files.
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.2
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 1.0.1
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changes for Shorewall
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.1.0
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.4
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Change version to 4.0.2
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
- Changed version to 4.0
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
- Added dmzclients file
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
- Added ftpserver file
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
- Added "nat" and "proxyarp" files for 4.0
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
- added updown file
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- Corrected the group - Networking/Utilities
- Added "noreplace" attributes to config files, so current confis is not
changed.
- Added the version file.
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
- Converted Simon's patch to version 3.1
* Sat May 20 2000 Simon Piette <spiette@generation.net>
- 3.0.2 Initial RPM
Patched the install script so it can take a PREFIX variable
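Review bot: %post registers the service with `insserv /etc/rc.d/shorewall`, but the package installs, and %preun deregisters, `/etc/init.d/shorewall`, so on an insserv-based system the post-install step points at a path the package does not ship; use /etc/init.d/shorewall in both scriptlets. In %files, `/etc/shorewall/firewall` and `/etc/init.d/shorewall` are the only entries without an explicit %attr, even though /sbin/shorewall runs the firewall script as root via `exec $firewall $debugging $nolock $1`; give them `%attr(0544,root,root)` like /sbin/shorewall so the installed mode does not depend on what install.sh produced under the build user's umask (the %install section deliberately builds as a non-root OWNER/GROUP).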

47
Shorewall/tcrules Executable file
@ -0,0 +1,47 @@
#
# Shorewall version 1.2 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control.
#
# Columns are:
#
#
# MARK The mark value which is an
# integer in the range 1-255
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# the firewall.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# or "all".
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
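Review bot: the PORT(S) description says the column is ignored "if PROTOCOL = all", but the column is called PROTO in the header and in its own description, and "must be entered if any of the following field is supplied" should read "if any of the following fields are supplied"; since the only following column is CLIENT PORT(S), say that directly. The SOURCE description should also warn that a "~" MAC-address match only works for hosts on a directly attached segment (routed traffic carries the upstream router's MAC) and that MAC addresses are trivially spoofed, so a mark derived from a MAC is fine for shaping but must not be relied on as a substitute for an address-based rule.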

52
Shorewall/tos Executable file
@ -0,0 +1,52 @@
#
# Shorewall 1.2 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE
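Review bot: the TOS column comment says the value "Must be one of the following" and lists names (Minimize-Delay, Maximize-Throughput, ...), yet all six shipped entries use the bare numbers 16 and 8; either state that the numeric value in parentheses is accepted too, or write the defaults with the names, so a reader does not conclude the default file is invalid. The defaults also match `all all`, which rewrites the TOS byte of forwarded traffic between every pair of zones and not only the firewall's own connections; a sentence noting that these rules alter transit packets (and will override any DiffServ marking applied upstream) would help an admin decide whether to keep them.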

159
Shorewall/tunnel Executable file
@ -0,0 +1,159 @@
#!/bin/sh
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.2
#
# Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
################################################################################
#
# Type of tunnel (gre or ipip)
#
tunnel_type=gre
# Name of the tunnel
#
tunnel="dfwbos"
#
# Address of your External Interface (only required for gre tunnels)
#
myrealip="x.x.x.x"
# Address of the local system -- this is the address of one of your
# local interfaces (or for a mobile host, the address that this system has
# when attached to the local network).
#
myip="192.168.1.254"
# Address of the Remote system -- this is the address of one of the
# remote system's local interfaces (or if the remote system is a mobile host,
# the address that it uses when attached to the local network).
hisip="192.168.9.1"
# Internet address of the Remote system
#
gateway="x.x.x.x"
# Remote sub-network -- if the remote system is a gateway for a
# private subnetwork that you wish to
# access, enter it here. If the remote
# system is a stand-alone/mobile host, leave this
# empty
subnet="192.168.9.0/24"
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
load_modules () {
case $tunnel_type in
ipip)
echo "Loading IP-ENCAP Module"
modprobe ipip
;;
gre)
echo "Loading GRE Module"
modprobe ip_gre
;;
esac
}
do_stop() {
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
echo "Stopping $tunnel"
ip link set dev $tunnel down
fi
if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then
echo "Deleting $tunnel"
ip tunnel del $tunnel
fi
}
do_start() {
#NOTE: Comment out the next line if you have built gre/ipip into your kernel
load_modules
if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
do_stop
fi
echo "Adding $tunnel"
case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway
;;
esac
echo "Starting $tunnel"
ip link set dev $tunnel up
case $tunnel_type in
gre)
ip addr add $myip dev $tunnel
;;
*)
ip addr add $myip peer $hisip dev $tunnel
;;
esac
#
# As with all interfaces, the 2.4 kernels will add the obvious host
# route for this point-to-point interface
#
if [ -n "$subnet" ]; then
echo "Adding Routes"
case $tunnel_type in
gre)
ip route add $subnet dev $tunnel
;;
ipip)
ip route add $subnet via $gateway dev $tunnel onlink
;;
esac
fi
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
sleep 1
do_start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
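Review bot: do_start brings up a plain GRE or IPIP tunnel (`ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255`) with no key, checksum, authentication or encryption, then routes `$subnet` over it; anything that can put packets on the wire with a source address of $gateway can inject traffic that arrives on interface $tunnel and is forwarded into the remote subnet as if it came from the peer. The header comment should say so, point the reader at an IPsec tunnel (the tunnels file supports one) whenever the path crosses an untrusted network, and note that the zone assigned to $tunnel in Shorewall should not be trusted more than the zone the encapsulated packets arrive from. Also, myrealip and gateway ship as the placeholder "x.x.x.x" and nothing stops `start` from running with them unedited; add a guard before load_modules, for example `case $gateway in x.x.x.x) echo "edit $0 first" >&2; exit 1;; esac`.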

51
Shorewall/tunnels Normal file
@ -0,0 +1,51 @@
#
# Shorewall 1.2 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE and IPIP tunnels.
#
# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
# IPSEC endpoints may be defined on the firewall/gateway or on an
# internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY ZONE-- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain the name of the zone that the host is in. This
# column only applies to IPSEC tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24
#
# ipsec net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# TYPE ZONE GATEWAY GATEWAY ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
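Review bot: the TYPE column is documented as "ipsec", "ip" or "gre", but the file's own heading says it defines IPIP tunnels and the companion tunnel script uses tunnel_type=ipip; state which token the parser actually accepts for IPIP so admins do not have to guess. The Road Warrior form (`ipsec net 0.0.0.0/0 gw`) necessarily admits IKE and ESP/AH from any source address, so add a sentence that with a wildcard gateway the only thing protecting the gw zone is the IPsec peer authentication itself, and that gw should therefore get its own policy rather than being treated like an internal zone. Typo: "getway".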

155
Shorewall/uninstall.sh Executable file
@ -0,0 +1,155 @@
#!/bin/sh
#
# Script to back uninstall Shoreline Firewall
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.2.13
usage() # $1 = exit status
{
ME=`basename $0`
echo "usage: $ME"
exit $1
}
restore_file() # $1 = file to restore
{
if [ -f ${1}-shorewall.bkout ]; then
if (mv -f ${1}-shorewall.bkout $1); then
echo
echo "$1 restored"
else
exit 1
fi
fi
}
remove_file() # $1 = file to restore
{
if [ -f $1 -o -L $1 ] ; then
rm -f $1
echo "$1 Removed"
fi
}
if [ -f /etc/shorewall/version ]; then
INSTALLED_VERSION="`cat /etc/shorewall/version`"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: Shoreline Firewall Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: Shoreline Firewall Version $VERSION is not installed"
VERSION=""
fi
echo "Uninstalling Shoreline Firewall $VERSION"
if [ -L /etc/shorewall/firewall ]; then
FIREWALL=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'`
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
insserv -r $FIREWALL
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
chkconfig --del `basename $FIREWALL`
fi
remove_file $FIREWALL
fi
remove_file /sbin/shorewall
if [ -n "$VERSION" ]; then
restore_file /etc/rc.d/rc.local
remove_file /etc/shorewall/shorewall.conf-${VERSION}.bkout
remove_file /etc/shorewall/zones-${VERSION}.bkout
remove_file /etc/shorewall/policy-${VERSION}.bkout
remove_file /etc/shorewall/interfaces-${VERSION}.bkout
remove_file /etc/shorewall/rules-${VERSION}.bkout
remove_file /etc/shorewall/nat-${VERSION}.bkout
remove_file /etc/shorewall/params-${VERSION}.bkout
remove_file /etc/shorewall/proxyarp-${VERSION}.bkout
remove_file /etc/shorewall/masq-${VERSION}.bkout
remove_file /etc/shorewall/version-${VERSION}.bkout
remove_file /etc/shorewall/functions-${VERSION}.bkout
remove_file /etc/shorewall/common.def-${VERSION}.bkout
remove_file /etc/shorewall/icmp.def-${VERSION}.bkout
remove_file /etc/shorewall/tunnels-${VERSION}.bkout
remove_file /etc/shorewall/tcrules-${VERSION}.bkout
remove_file /etc/shorewall/tos-${VERSION}.bkout
remove_file /etc/shorewall/modules-${VERSION}.bkout
remove_file /etc/shorewall/blacklist-${VERSION}.bkout
remove_file /etc/shorewall/whitelist-${VERSION}.bkout
fi
remove_file /etc/shorewall/firewall
remove_file /etc/shorewall/functions
remove_file /etc/shorewall/common.def
remove_file /etc/shorewall/icmp.def
remove_file /etc/shorewall/zones
remove_file /etc/shorewall/policy
remove_file /etc/shorewall/interfaces
remove_file /etc/shorewall/hosts
remove_file /etc/shorewall/rules
remove_file /etc/shorewall/nat
remove_file /etc/shorewall/params
remove_file /etc/shorewall/proxyarp
remove_file /etc/shorewall/masq
remove_file /etc/shorewall/modules
remove_file /etc/shorewall/tcrules
remove_file /etc/shorewall/tos
remove_file /etc/shorewall/tunnels
remove_file /etc/shorewall/blacklist
remove_file /etc/shorewall/whitelist
remove_file /etc/shorewall/shorewall.conf
remove_file /etc/shorewall/version
rmdir /etc/shorewall
echo "Shoreline Firewall Uninstalled"
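Review bot: the uninstall flow from `remove_file /sbin/shorewall` through `rmdir /etc/shorewall` deletes the administrator's live policy (`/etc/shorewall/rules`, `policy`, `zones`, `masq` and the rest) with `rm -f`, no prompt and no copy kept, and nothing in the visible script stops or clears the running firewall first, so when it finishes the host still has whatever iptables rules were loaded and no longer has the `shorewall` command to manage them. Consider stopping or clearing the firewall before `/sbin/shorewall` is removed, and either asking for confirmation or moving the configuration aside under a `.bkout` name instead of deleting it. Smaller points in the same hunk: the header says "Seattle Firewall" and "You may only use this script to uninstall the version shown below", but the script only warns and then carries on with `VERSION="$INSTALLED_VERSION"`; `remove_file` is commented `# $1 = file to restore`; `usage()` is defined but never called; the init script path is recovered with `ls -l /etc/shorewall/firewall | sed 's/^.*> //'`, which yields a path relative to `/etc/shorewall` for a relative symlink target (and then `remove_file $FIREWALL` operates relative to the current directory), so resolve it against the link's directory or use `readlink`; the `insserv`/`chkconfig` branches test for `/sbin` and `/usr/sbin` copies but then invoke the bare name from `$PATH`; `/etc/shorewall/hosts` is removed but no `hosts-${VERSION}.bkout` is cleaned up; `restore_file` exits 1 on a failed `mv` without saying why; and `rmdir /etc/shorewall` fails whenever any file is left there, yet "Shoreline Firewall Uninstalled" is printed regardless.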

Shorewall/whitelist Normal file

@ -0,0 +1,18 @@
#
# Shorewall 1.2 -- Whitelist File
#
# /etc/shorewall/whitelist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# If a connection request fails to match any of the rules defined in
# /etc/shorewall/rules then the connection source is compared against this
# list; if a match is found, the connection request is accepted.
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
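Review bot: the header comment ("If a connection request fails to match any of the rules ... then the connection source is compared against this list; if a match is found, the connection request is accepted") describes a pure source-address override: a listed source is accepted for every destination zone and port the rules did not already decide, so a single broad subnet entry here silently widens the exposure of every zone, and the file never says how it orders against the blacklist file the uninstaller also removes, or whether a source listed in both is still blocked. State that precedence explicitly, warn that both IP and MAC entries can be spoofed from an adjacent segment and that a MAC entry can only match hosts on a directly attached network (behind a router the firewall sees the router's MAC), and extend the column header `#ADDRESS/SUBNET` to mention the `~xx-xx-xx-xx-xx-xx` MAC form the prose documents so a reader who skips the comment block still sees it is permitted.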

Shorewall/zones Normal file

@ -0,0 +1,14 @@
#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
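Review bot: the column comment `ZONE Short name of the zone` leaves out what a reader needs before adding a zone safely: the permitted characters and maximum length of the short name, whether it is case sensitive, whether the three sample entries (`net`, `loc`, `dmz`) are required or may be renamed or deleted, whether the firewall itself has a reserved zone name that must not be reused here, and whether the order of lines matters. Add those to the header. Also, the sentinel here reads `#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE` while the whitelist file in this commit uses `-- ... BEFORE THIS ONE`; pick one wording and dash style for all the configuration files.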