holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

1) Cosmetic change to compiler.pl

Browse Source 
2) Make 'purge_jump' handle '-g <target>' correctly
3) Minor effeciency changes to Chains.pm
This commit is contained in:
Tom Eastep 2009-06-26 09:46:15 -07:00
parent 40bb8283d2
commit 900cfa0def
5 changed files with 8 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Samples/one-interface/policy
View File

@ -16,7 +16,6 @@
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT $FW net ACCEPT
net $FW DROP info
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info

58
Samples/three-interfaces/policy
View File

@ -16,65 +16,7 @@
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems. The policies below are logically
# equivalent to:
#
# loc net ACCEPT
# net all DROP info
# all all REJECT info
#
# The Shorewall-perl compiler will generate the individual policies
# below from the above general policies if you set
# EXPAND_POLICIES=Yes in shorewall.conf.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info net all DROP info
# THE FOLLOWING POLICY MUST BE LAST # THE FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info

41
Samples/two-interfaces/policy
View File

@ -16,49 +16,8 @@
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems. The policies below are logically
# equivalent to:
#
# loc net ACCEPT
# net all DROP info
# all all REJECT info
#
# The Shorewall-perl compiler will generate the individual policies
# below from the above general policies if you set
# EXPAND_POLICIES=Yes in shorewall.conf.
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info net all DROP info
# THE FOLLOWING POLICY MUST BE LAST # THE FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info

13
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -421,11 +421,11 @@ sub add_command($$)
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
} }
sub add_commands { sub add_commands ( $$;@ ) {
my $chainref = shift @_; my $chainref = shift @_;
for my $command ( @_ ) { for ( @_ ) {
push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $command ); push @{$chainref->{rules}}, join ('', ' ' x $chainref->{cmdlevel} , $_ );
} }
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -546,7 +546,7 @@ sub handle_dport_list( $$$$$ ) {
# #
# Add a rule to a chain. Arguments are: # Add a rule to a chain. Arguments are:
# #
# Chain reference , Rule [, Expand-long-dest-port-lists ] # Chain reference , Rule [, Expand-long-port-lists ]
# #
sub add_rule($$;$) sub add_rule($$;$)
{ {
@ -627,7 +627,7 @@ sub purge_jump ( $$ ) {
my $to = $toref->{name}; my $to = $toref->{name};
for ( @{$fromref->{rules}} ) { for ( @{$fromref->{rules}} ) {
$_ = undef if / -j ${to}\b/; $_ = undef if / -[gj] ${to}\b/;
} }
$toref->{referenced} = 0 unless @{$toref->{rules}}; $toref->{referenced} = 0 unless @{$toref->{rules}};
@ -770,7 +770,7 @@ sub use_input_chain($) {
# #
# We must use the interfaces's chain if the interface is associated with multiple zone nets or # We must use the interfaces's chain if the interface is associated with multiple zone nets or
# if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain # if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
# run-time code which currently cannot be transferred to a zone-oriented chain by move_rules(). # run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
# #
return 1 if $nets > 1 || $interfaceref->{options}{upnpclient}; return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
# #
@ -1167,6 +1167,7 @@ sub initialize_chain_table()
} }
} }
} }
# #
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain # Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
# #

2
Shorewall/Perl/compiler.pl
View File

@ -82,7 +82,7 @@ my $family = 4; # F_IPV4
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
my $result = GetOptions('h' => \$help, my $result = GetOptions('h' => \$help,
'help' => \$help, 'help' => \$help,
'export' => \$export, 'export' => \$export,
'e' => \$export, 'e' => \$export,
'directory=s' => \$shorewall_dir, 'directory=s' => \$shorewall_dir,