forked from extern/shorewall_code
Getting started on a 3.2.x-compatible release
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4027 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5588635046
commit
888f9351b5
@ -1,6 +1 @@
|
|||||||
Sat Apr 24 23:10:10 EST 2004:
|
None known at present.
|
||||||
|
|
||||||
- The "minimal" in "Only the minimal information necessary for operation is
|
|
||||||
stored on each firewall" is a bit of an overstatement. This could
|
|
||||||
probably use some work.
|
|
||||||
|
|
||||||
|
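Review bot: The known-issues entry about the README's "Only the minimal information necessary for operation is stored on each firewall" wording is dropped and replaced with "None known at present.", but nothing in this commit changes that README sentence; either reword the README in the same change or keep the entry until it is actually addressed.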
14
contrib/shoregen/ChangeLog
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
0.1.1 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||||
|
- Initial release.
|
||||||
|
|
||||||
|
0.1.2 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||||
|
- Removed filtering of zones that are on the same interface.
|
||||||
|
This caused problems when a zone was accessible via more than
|
||||||
|
one interface.
|
||||||
|
|
||||||
|
0.1.3 Paul Gear <paul@gear.dyndns.org> No idea when
|
||||||
|
- Optimisation to detect whether system is a router and remove
|
||||||
|
redundant zones from rules and policies if so.
|
||||||
|
|
||||||
|
3.2.0-beta1 Paul Gear <paul@gear.dyndns.org>
|
||||||
|
- First attempt at compatibility with Shorewall 3.2.x.
|
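Review bot: The new 3.2.0-beta1 entry has no date, while the three earlier entries at least carry the "No idea when" placeholder; since this is a freshly added ChangeLog and the commit itself is dated, the beta entry should record its date so the file has one reliable anchor. A short line saying which Shorewall versions 0.1.x targeted would also explain the jump from 0.1.3 to 3.2.0-beta1.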
@ -1,6 +1,5 @@
|
|||||||
shoregen 0.1
|
|
||||||
Shoreline Firewall configuration generator
|
Shoreline Firewall configuration generator
|
||||||
(c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
|
(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
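Review bot: Removing the "shoregen 0.1" line leaves the README header with no version string at all; since the ChangeLog now identifies the release as 3.2.0-beta1, either update the line instead of deleting it or point readers at the ChangeLog. The copyright bump to 2004-2006 is fine.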
@ -21,7 +20,7 @@ SHOREWALL
|
|||||||
|
|
||||||
The quick plug:
|
The quick plug:
|
||||||
|
|
||||||
- I love shorewall. Shorewall is the only firewall i trust.
|
- Shorewall is the only firewall i trust.
|
||||||
|
|
||||||
The IT Manager plug:
|
The IT Manager plug:
|
||||||
|
|
||||||
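Review bot: Style only: the surviving sentence still reads "the only firewall i trust" with a lowercase "i"; capitalise it while this line is being edited anyway.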
@ -69,10 +68,10 @@ you're probably not reading this document. :-)
|
|||||||
DESIGN
|
DESIGN
|
||||||
|
|
||||||
Shoregen distinguishes between two different types of shorewall
|
Shoregen distinguishes between two different types of shorewall
|
||||||
configurations. Most shorewall configuration files are simply concatenated
|
configuration files. Most shorewall configuration files are simply
|
||||||
together from parts constructed from common and host-specific parts. These
|
concatenated together from parts constructed from common and host-specific
|
||||||
are called simple configs, and shoregen doesn't substantially alter them,
|
parts. These are called simple configs; shoregen doesn't substantially
|
||||||
and uses little information from them.
|
alter them, and uses little information from them.
|
||||||
|
|
||||||
Configs with which shoregen is more concerned are treated separately, and
|
Configs with which shoregen is more concerned are treated separately, and
|
||||||
additional features beyond the scope of shorewall itself are implemented.
|
additional features beyond the scope of shorewall itself are implemented.
|
||||||
|
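Review bot: The rewrap is fine, but "concatenated together from parts constructed from common and host-specific parts" is still circular; "concatenated from common and host-specific parts" says the same thing more clearly.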
@ -1,14 +1,14 @@
|
|||||||
As at Wed Apr 21 22:30:12 EST 2004:
|
|
||||||
|
|
||||||
- Need to make it possible for a host to have the same $FW name as the zone
|
- Make it possible for a host to have the same $FW name as the zone in
|
||||||
in which it belongs, and have shoregen automatically create appropriate
|
which it belongs, and have shoregen automatically create appropriate
|
||||||
rules.
|
rules.
|
||||||
|
|
||||||
- At the moment, if a fully-expanded policy file (such as is shown
|
- At the moment, if a fully-expanded policy file (such as is shown
|
||||||
|
|
||||||
- Better documentation & samples. I'm sure there is room for improvement.
|
- Better rule & policy sanitisation.
|
||||||
|
|
||||||
- Better rule & policy sanitisation. Again, there is room for improvement.
|
- Hosts and interfaces could be reduced based on what's used in the policy
|
||||||
|
and rules files.
|
||||||
|
|
||||||
- The Makefile could be improved to detect changes in the lower level
|
- The Makefile could be improved to detect changes in the lower level
|
||||||
config files and call shoregen automatically when they are out-of-date.
|
config files and call shoregen automatically when they are out-of-date.
|
||||||
|
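Review bot: The item "At the moment, if a fully-expanded policy file (such as is shown" is an unfinished sentence in both the old and the new text; since the surrounding lines are being rewritten, either complete it or drop it. Removing the "As at Wed Apr 21 22:30:12 EST 2004:" timestamp is fine, but the "Better documentation & samples" item disappears without the commit message saying that work was done, so please confirm it was resolved rather than just deleted.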
@ -6,5 +6,5 @@ default: $(HOSTS)
|
|||||||
$(HOSTS):
|
$(HOSTS):
|
||||||
shoregen $@
|
shoregen $@
|
||||||
|
|
||||||
install:
|
install: $(HOSTS)
|
||||||
install_shoregen -c -r $(HOSTS)
|
install_shoregen -c -r $(HOSTS)
|
||||||
|
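Review bot: Making `install` depend on `$(HOSTS)` is the right fix, since installation can no longer run with stale output, but the `$(HOSTS)` rule still has no prerequisites, so make only runs `shoregen $@` while no file or directory named after the host exists; once one does, config changes are never picked up. This is exactly the Makefile item in the TODO file touched by this same commit; listing the per-host and common config files as prerequisites of `$(HOSTS)` would close it.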
@ -48,23 +48,28 @@ my $dir = "$spool/$host";
|
|||||||
# usual perl 'die' or 'warn' functions.
|
# usual perl 'die' or 'warn' functions.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
sub info
|
||||||
|
{
|
||||||
|
print "$0: @_\n";
|
||||||
|
}
|
||||||
|
|
||||||
sub mesg
|
sub mesg
|
||||||
{
|
{
|
||||||
my $type = shift;
|
my $type = shift;
|
||||||
print STDERR "$0: $type - @_\n";
|
print STDERR "$0: $type - @_\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub warning
|
||||||
|
{
|
||||||
|
mesg "WARNING", @_;
|
||||||
|
}
|
||||||
|
|
||||||
sub error
|
sub error
|
||||||
{
|
{
|
||||||
mesg "ERROR", @_;
|
mesg "ERROR", @_;
|
||||||
++$ret;
|
++$ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub warning
|
|
||||||
{
|
|
||||||
mesg "WARNING", @_;
|
|
||||||
}
|
|
||||||
|
|
||||||
sub fatal
|
sub fatal
|
||||||
{
|
{
|
||||||
mesg "FATAL", @_;
|
mesg "FATAL", @_;
|
||||||
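Review bot: The new `info` prints to STDOUT while `mesg` (and therefore `warning`, `error` and `fatal`) print to STDERR; that split is sensible for verbose progress output versus diagnostics, but it deserves a comment above `info`, because the block comment above this hunk only describes the `die`/`warn` style functions. Moving `sub warning` above `sub error` is a pure reorder with no behaviour change.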
@ -72,11 +77,6 @@ sub fatal
|
|||||||
exit $ret;
|
exit $ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub message
|
|
||||||
{
|
|
||||||
print "$0: @_\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# These bits make the files that actually get copied to the target host
|
# These bits make the files that actually get copied to the target host
|
||||||
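Review bot: `sub message` is removed here; with it gone, any remaining `message "..."` call that this diff does not rename will no longer parse, because Perl will not accept an undeclared bareword followed by a string. The hunks below rename three call sites; please grep the script for any others before merging.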
@ -105,7 +105,7 @@ sub constructfile
|
|||||||
my $dst = shift;
|
my $dst = shift;
|
||||||
my $foundone = 0;
|
my $foundone = 0;
|
||||||
|
|
||||||
message "Constructing $confname" if $VERBOSE > 1;
|
info "Constructing $confname" if $VERBOSE > 1;
|
||||||
|
|
||||||
open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
|
open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
|
||||||
printf $DST $HEADER, $confname;
|
printf $DST $HEADER, $confname;
|
||||||
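Review bot: The rename to `info` is consistent with the earlier hunk, but the context line `open( my $DST, ">$dst" )` uses the two-argument form with an interpolated path; if `$dst` ever began with `>`, `|` or whitespace the open mode would change. Prefer `open( my $DST, '>', $dst )`. Not introduced by this commit, but a cheap fix while the function is being touched.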
@ -275,8 +275,8 @@ undef %tmpzones;
|
|||||||
|
|
||||||
|
|
||||||
my @tmp = sort keys %hostzones;
|
my @tmp = sort keys %hostzones;
|
||||||
message "FW zone for $host: $fw" if $VERBOSE > 0;
|
info "FW zone for $host: $fw" if $VERBOSE > 0;
|
||||||
message "Other zones for $host: @tmp" if $VERBOSE > 0;
|
info "Other zones for $host: @tmp" if $VERBOSE > 0;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add 'all' as a valid source or destination. Added here so it doesn't get
|
# Add 'all' as a valid source or destination. Added here so it doesn't get
|
||||||
|