Move 2.2.0+ to STABLE2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1939 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d356631782
commit
a32c5eb849
@ -1,4 +1,4 @@
|
|||||||
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
|
Shoreline Firewall (Shorewall) Version 2.2
|
||||||
----- ----
|
----- ----
|
||||||
|
|
||||||
-----------------------------------------------------------------------------
|
-----------------------------------------------------------------------------
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.0 - Accounting File
|
# Shorewall version 2.2 - Accounting File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/accounting
|
# /etc/shorewall/accounting
|
||||||
#
|
#
|
||||||
@ -47,9 +47,12 @@
|
|||||||
# Format the same as the SOURCE column.
|
# Format the same as the SOURCE column.
|
||||||
#
|
#
|
||||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||||
# number.
|
# number, or "ipp2p"
|
||||||
#
|
#
|
||||||
# DEST PORT Destination Port number
|
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
|
||||||
|
# this column must contain an ipp2p option ("iptables -m
|
||||||
|
# ipp2p --help") without the leading "--". If no option
|
||||||
|
# is given in this column, "ipp2p" is assumed.
|
||||||
#
|
#
|
||||||
# Service name from /etc/services or port number. May
|
# Service name from /etc/services or port number. May
|
||||||
# only be specified if the protocol is TCP or UDP (6
|
# only be specified if the protocol is TCP or UDP (6
|
||||||
@ -61,13 +64,33 @@
|
|||||||
# only be specified if the protocol is TCP or UDP (6
|
# only be specified if the protocol is TCP or UDP (6
|
||||||
# or 17).
|
# or 17).
|
||||||
#
|
#
|
||||||
|
# USER/GROUP This column may only be non-empty if the CHAIN is
|
||||||
|
# OUTPUT.
|
||||||
|
#
|
||||||
|
# The column may contain:
|
||||||
|
#
|
||||||
|
# [!][<user name or number>][:<group name or number>]
|
||||||
|
#
|
||||||
|
# When this column is non-empty, the rule applies only
|
||||||
|
# if the program generating the output is running under
|
||||||
|
# the effective <user> and/or <group> specified (or is
|
||||||
|
# NOT running under that id if "!" is given).
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# joe #program must be run by joe
|
||||||
|
# :kids #program must be run by a member of
|
||||||
|
# #the 'kids' group
|
||||||
|
# !:kids #program must not be run by a member
|
||||||
|
# #of the 'kids' group
|
||||||
|
#
|
||||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||||
# "any" and "all" may be used as wildcards
|
# "any" and "all" may be used as wildcards
|
||||||
#
|
#
|
||||||
# Please see http://shorewall.net/Accounting.html for examples and
|
# Please see http://shorewall.net/Accounting.html for examples and
|
||||||
# additional information about how to use this file.
|
# additional information about how to use this file.
|
||||||
#
|
#
|
||||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||||
# PORT PORT
|
# PORT PORT GROUP
|
||||||
#
|
#
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
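Review bot: The new DEST PORT text contradicts itself: `# this column must contain an ipp2p option ("iptables -m` makes the option mandatory, while two lines later `# is given in this column, "ipp2p" is assumed.` describes a default for when it is absent. Suggest `# this column may contain an ipp2p option ("iptables -m` so the two sentences agree. The rest of the section (USER/GROUP column, header row) is consistent with the wording used in the other files of this commit.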
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
|
||||||
#
|
#
|
||||||
# This action accepts Auth (identd) traffic.
|
# This action accepts Auth (identd) traffic.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
|
||||||
#
|
#
|
||||||
# This action accepts DNS traffic.
|
# This action accepts DNS traffic.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
|
||||||
#
|
#
|
||||||
# This action accepts FTP traffic. See
|
# This action accepts FTP traffic. See
|
||||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||||
|
11
STABLE2/action.AllowICMPs
Normal file
11
STABLE2/action.AllowICMPs
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#
|
||||||
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||||
|
#
|
||||||
|
# ACCEPT needed ICMP types
|
||||||
|
#
|
||||||
|
######################################################################################
|
||||||
|
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
|
# PORT PORT(S) LIMIT GROUP
|
||||||
|
#
|
||||||
|
ACCEPT - - icmp fragmentation-needed
|
||||||
|
ACCEPT - - icmp time-exceeded
|
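Review bot: The new file ends at `ACCEPT - - icmp time-exceeded` without the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer that every other action file in this commit carries (action.AllowNTP, action.AllowWeb, action.Drop), so it is the only action file without the extension marker. Both rules accept with empty SOURCE, DEST and RATE LIMIT columns, presumably because they are meant to be invoked from action.Drop and action.Reject; a one-line comment such as `# Unconditional: these two types are needed for path-MTU discovery and TTL-expiry reporting to work` would record why they are left unrestricted and let a reader decide whether a rate limit is wanted at a given site.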
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
|
||||||
#
|
#
|
||||||
# This action accepts IMAP traffic (secure and insecure):
|
# This action accepts IMAP traffic (secure and insecure):
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
|
||||||
#
|
#
|
||||||
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
|
||||||
#
|
#
|
||||||
# This action accepts NTP traffic (ntpd).
|
# This action accepts NTP traffic (ntpd).
|
||||||
#
|
#
|
||||||
@ -7,4 +7,5 @@
|
|||||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
# PORT PORT(S) DEST LIMIT
|
||||||
ACCEPT - - udp 123
|
ACCEPT - - udp 123
|
||||||
|
ACCEPT - - udp 1024: 123
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
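Review bot: The added rule `ACCEPT - - udp 1024: 123` matches only on the sender-chosen source port 123 with an open destination range above 1023, so it admits any UDP datagram carrying that source port, not just NTP replies, and nothing in the file says why that is wanted. If the purpose is the one the changelog gives ('Allow outgoing NTP responses in action.AllowNTP', i.e. a local ntpd answering clients when the action is used outbound), a comment above the rule should say so, e.g. `# Replies from a local ntpd (source port 123) to client ports`; it is also worth confirming whether connection-tracking reply handling already covers that case, in which case the rule could be narrowed or dropped.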
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
|
||||||
#
|
#
|
||||||
# This action accepts PCAnywere (tm)
|
# This action accepts PCAnywere (tm)
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
|
||||||
#
|
#
|
||||||
# This action accepts POP3 traffic (secure and insecure):
|
# This action accepts POP3 traffic (secure and insecure):
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowPing
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
|
||||||
#
|
#
|
||||||
# This action accepts 'ping' requests.
|
# This action accepts 'ping' requests.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
|
||||||
#
|
#
|
||||||
# This action accepts remote time retrieval (rdate).
|
# This action accepts remote time retrieval (rdate).
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
|
||||||
#
|
#
|
||||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||||
# both directions.
|
# both directions.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
|
||||||
#
|
#
|
||||||
# This action accepts SMTP (email) traffic.
|
# This action accepts SMTP (email) traffic.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
|
||||||
#
|
#
|
||||||
# This action accepts SNMP traffic (including traps):
|
# This action accepts SNMP traffic (including traps):
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
|
||||||
#
|
#
|
||||||
# This action accepts secure shell (SSH) traffic.
|
# This action accepts secure shell (SSH) traffic.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
|
||||||
#
|
#
|
||||||
# This action accepts Telnet traffic. For traffic over the
|
# This action accepts Telnet traffic. For traffic over the
|
||||||
# internet, telnet is inappropriate; use SSH instead
|
# internet, telnet is inappropriate; use SSH instead
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
|
||||||
#
|
#
|
||||||
# This action accepts Traceroute (for up to 30 hops):
|
# This action accepts Traceroute (for up to 30 hops):
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
|
||||||
#
|
#
|
||||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
|
||||||
#
|
#
|
||||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
|
||||||
#
|
#
|
||||||
# This action accepts WWW traffic (secure and insecure):
|
# This action accepts WWW traffic (secure and insecure):
|
||||||
#
|
#
|
||||||
@ -7,5 +7,5 @@
|
|||||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT PORT(S) LIMIT GROUP
|
# PORT PORT(S) LIMIT GROUP
|
||||||
ACCEPT - - tcp 80
|
ACCEPT - - tcp 80
|
||||||
ACCEPT - - TCP 443
|
ACCEPT - - tcp 443
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -1,16 +1,49 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.Drop
|
# Shorewall 2.2 /usr/share/shorewall/action.Drop
|
||||||
#
|
#
|
||||||
# The default DROP common rules
|
# The default DROP common rules
|
||||||
#
|
#
|
||||||
|
# This action is invoked before a DROP policy is enforced. The purpose of the action
|
||||||
|
# is:
|
||||||
|
#
|
||||||
|
# a) Avoid logging lots of useless cruft.
|
||||||
|
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
|
||||||
|
# Otherwise, you may experience problems establishing connections with
|
||||||
|
# servers that use auth.
|
||||||
|
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||||
|
# internet operation are always ACCEPTed.
|
||||||
|
#
|
||||||
|
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||||
######################################################################################
|
######################################################################################
|
||||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#TARGET SOURCE DEST PROTO
|
||||||
# PORT PORT(S) LIMIT GROUP
|
#
|
||||||
|
# Reject 'auth'
|
||||||
|
#
|
||||||
RejectAuth
|
RejectAuth
|
||||||
|
#
|
||||||
|
# Don't log broadcasts
|
||||||
|
#
|
||||||
dropBcast
|
dropBcast
|
||||||
|
#
|
||||||
|
# ACCEPT critical ICMP types
|
||||||
|
#
|
||||||
|
AllowICMPs - - icmp
|
||||||
|
#
|
||||||
|
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||||
|
# confuse people when they appear in the log.
|
||||||
|
#
|
||||||
dropInvalid
|
dropInvalid
|
||||||
|
#
|
||||||
|
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||||
|
#
|
||||||
DropSMB
|
DropSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNotSyn
|
#
|
||||||
|
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||||
|
#
|
||||||
|
dropNotSyn - - tcp
|
||||||
|
#
|
||||||
|
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||||
|
#
|
||||||
DropDNSrep
|
DropDNSrep
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
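Review bot: The new comment `# Drop packets that in the INVALID state -- these are usually ICMP packets and just` is missing a word and should read `# Drop packets that are in the INVALID state -- these are usually ICMP packets and just`; the same line recurs in action.Reject, where `# Drop Microsoft noise so that it doesn't clutter up the lot.` should also say 'log'. The shortened header `#TARGET SOURCE DEST PROTO` drops the DEST PORT, SOURCE PORT(S), RATE LIMIT and USER/GROUP columns that the old header listed and that action.AllowICMPs still shows; the entries here only use the first four columns so nothing breaks, but anyone adding a rule before `#LAST LINE` in this file loses the column reference. action.Reject makes the same header change.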
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
|
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
|
||||||
#
|
#
|
||||||
# This action silently drops DNS UDP replies
|
# This action silently drops DNS UDP replies
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.DropPing
|
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
|
||||||
#
|
#
|
||||||
# This action silently drops 'ping' requests.
|
# This action silently drops 'ping' requests.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.DropSMB
|
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
|
||||||
#
|
#
|
||||||
# This action silently drops Microsoft SMB traffic
|
# This action silently drops Microsoft SMB traffic
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
|
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
|
||||||
#
|
#
|
||||||
# This action silently drops UPnP probes on UDP port 1900
|
# This action silently drops UPnP probes on UDP port 1900
|
||||||
#
|
#
|
||||||
|
@ -1,16 +1,46 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.Reject
|
# Shorewall 2.2 /usr/share/shorewall/action.Reject
|
||||||
#
|
#
|
||||||
# The default REJECT action common rules
|
# The default REJECT action common rules
|
||||||
#
|
#
|
||||||
|
# This action is invoked before a REJECT policy is enforced. The purpose of the action
|
||||||
|
# is:
|
||||||
|
#
|
||||||
|
# a) Avoid logging lots of useless cruft.
|
||||||
|
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||||
|
# internet operation are always ACCEPTed.
|
||||||
|
#
|
||||||
|
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||||
######################################################################################
|
######################################################################################
|
||||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#TARGET SOURCE DEST PROTO
|
||||||
# PORT PORT(S) LIMIT GROUP
|
#
|
||||||
|
# Don't log 'auth' REJECT
|
||||||
|
#
|
||||||
RejectAuth
|
RejectAuth
|
||||||
|
#
|
||||||
|
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
|
||||||
|
#
|
||||||
dropBcast
|
dropBcast
|
||||||
|
#
|
||||||
|
# ACCEPT critical ICMP types
|
||||||
|
#
|
||||||
|
AllowICMPs - - icmp
|
||||||
|
#
|
||||||
|
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||||
|
# confuse people when they appear in the log (these ICMPs cannot be rejected).
|
||||||
|
#
|
||||||
dropInvalid
|
dropInvalid
|
||||||
|
#
|
||||||
|
# Drop Microsoft noise so that it doesn't clutter up the lot.
|
||||||
|
#
|
||||||
RejectSMB
|
RejectSMB
|
||||||
DropUPnP
|
DropUPnP
|
||||||
dropNotSyn
|
#
|
||||||
|
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||||
|
#
|
||||||
|
dropNotSyn - - tcp
|
||||||
|
#
|
||||||
|
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||||
|
#
|
||||||
DropDNSrep
|
DropDNSrep
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
|
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
|
||||||
#
|
#
|
||||||
# This action silently rejects Auth (tcp 113) traffic
|
# This action silently rejects Auth (tcp 113) traffic
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
|
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
|
||||||
#
|
#
|
||||||
# This action silently rejects Microsoft SMB traffic
|
# This action silently rejects Microsoft SMB traffic
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/action.template
|
# Shorewall 2.2 /etc/shorewall/action.template
|
||||||
#
|
#
|
||||||
# This file is a template for files with names of the form
|
# This file is a template for files with names of the form
|
||||||
# /etc/shorewall/action.<action-name> where <action> is an
|
# /etc/shorewall/action.<action-name> where <action> is an
|
||||||
@ -37,6 +37,10 @@
|
|||||||
# ACCEPT:debugging). This causes the packet to be
|
# ACCEPT:debugging). This causes the packet to be
|
||||||
# logged at the specified level.
|
# logged at the specified level.
|
||||||
#
|
#
|
||||||
|
# The special log level 'none' does not result in logging
|
||||||
|
# but rather exempts the rule from being overridden by a
|
||||||
|
# non-forcing log level when the action is invoked.
|
||||||
|
#
|
||||||
# You may also specify ULOG (must be in upper case) as a
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
# log level.This will log to the ULOG target for routing
|
# log level.This will log to the ULOG target for routing
|
||||||
# to a separate log through use of ulogd
|
# to a separate log through use of ulogd
|
||||||
@ -61,6 +65,10 @@
|
|||||||
#
|
#
|
||||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
||||||
#
|
#
|
||||||
|
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
||||||
|
# kernel and iptables must have
|
||||||
|
# iprange match support.
|
||||||
|
#
|
||||||
# 192.168.1.1,192.168.1.2
|
# 192.168.1.1,192.168.1.2
|
||||||
# Hosts 192.168.1.1 and
|
# Hosts 192.168.1.1 and
|
||||||
# 192.168.1.2.
|
# 192.168.1.2.
|
||||||
@ -77,10 +85,6 @@
|
|||||||
# DEST Location of Server. Same as above with the exception that
|
# DEST Location of Server. Same as above with the exception that
|
||||||
# MAC addresses are not allowed.
|
# MAC addresses are not allowed.
|
||||||
#
|
#
|
||||||
# Unlike in the SOURCE column, you may specify a range of
|
|
||||||
# up to 256 IP addresses using the syntax
|
|
||||||
# <first ip>-<last ip>.
|
|
||||||
#
|
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||||
# "all".
|
# "all".
|
||||||
#
|
#
|
||||||
@ -155,6 +159,6 @@
|
|||||||
# #of the 'kids' group
|
# #of the 'kids' group
|
||||||
#
|
#
|
||||||
######################################################################################
|
######################################################################################
|
||||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT PORT(S) LIMIT
|
# PORT PORT(S) LIMIT GROUP
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/actions
|
# Shorewall 2.2 /etc/shorewall/actions
|
||||||
#
|
#
|
||||||
# This file allows you to define new ACTIONS for use in rules
|
# This file allows you to define new ACTIONS for use in rules
|
||||||
# (/etc/shorewall/rules). You define the iptables rules to
|
# (/etc/shorewall/rules). You define the iptables rules to
|
||||||
|
@ -1,19 +1,17 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
|
# allowBcast #Silently Allow Broadcast/multicast
|
||||||
# dropBcast #Silently Drop Broadcast/multicast
|
# dropBcast #Silently Drop Broadcast/multicast
|
||||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
|
||||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
|
||||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
|
||||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
# allowInvalid #Accept packets that are in the INVALID conntrack
|
# allowInvalid #Accept packets that are in the INVALID
|
||||||
# #state
|
# #conntrack state.
|
||||||
#
|
#
|
||||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||||
@ -36,6 +34,7 @@ AllowSMB #Allow MS Networking
|
|||||||
AllowAuth #Allow Auth (identd)
|
AllowAuth #Allow Auth (identd)
|
||||||
AllowSMTP #Allow SMTP (Email)
|
AllowSMTP #Allow SMTP (Email)
|
||||||
AllowPOP3 #Allow reading mail via POP3
|
AllowPOP3 #Allow reading mail via POP3
|
||||||
|
AllowICMPs #Allows critical ICMP types
|
||||||
AllowIMAP #Allow reading mail via IMAP
|
AllowIMAP #Allow reading mail via IMAP
|
||||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||||
#Internet)
|
#Internet)
|
||||||
|
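Review bot: The new entry `AllowICMPs #Allows critical ICMP types` uses 'Allows' where every neighbouring description is imperative (`AllowAuth #Allow Auth (identd)`, `AllowSMTP #Allow SMTP (Email)`); suggest `AllowICMPs #Allow critical ICMP types`. In the first hunk the builtin list drops logNonSyn, dLogNonSyn and rLogNonSyn, yet the kept context `# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in` still describes those removed builtins and should be reworded or removed alongside them.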
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Blacklist File
|
# Shorewall 2.2 -- Blacklist File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/blacklist
|
# /etc/shorewall/blacklist
|
||||||
#
|
#
|
||||||
@ -7,7 +7,9 @@
|
|||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
|
||||||
|
# range (if your kernel and iptables contain iprange
|
||||||
|
# match support).
|
||||||
#
|
#
|
||||||
# MAC addresses must be prefixed with "~" and use "-"
|
# MAC addresses must be prefixed with "~" and use "-"
|
||||||
# as a separator.
|
# as a separator.
|
||||||
@ -21,10 +23,10 @@
|
|||||||
# is TCP (6) or UDP (17). A comma-separated list
|
# is TCP (6) or UDP (17). A comma-separated list
|
||||||
# of port numbers or service names from /etc/services.
|
# of port numbers or service names from /etc/services.
|
||||||
#
|
#
|
||||||
# When a packet arrives on in interface that has the 'blacklist' option
|
# When a packet arrives on an interface that has the 'blacklist' option
|
||||||
# specified, its source IP address is checked against this file and disposed of
|
# specified in /etc/shorewall/interfaces, its source IP address is checked
|
||||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
|
||||||
# /etc/shorewall/shorewall.conf
|
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
|
||||||
#
|
#
|
||||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0-- Bogons File
|
# Shorewall 2.2-- Bogons File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/bogons
|
# /etc/shorewall/bogons
|
||||||
#
|
#
|
||||||
@ -14,7 +14,9 @@
|
|||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# SUBNET The subnet (host addresses also allowed)
|
# SUBNET The subnet (host addresses also allowed as are IP
|
||||||
|
# address ranges provided that your kernel and iptables
|
||||||
|
# include iprange match support).
|
||||||
# TARGET Where to send packets to/from this subnet
|
# TARGET Where to send packets to/from this subnet
|
||||||
# RETURN - let the packet be processed normally
|
# RETURN - let the packet be processed normally
|
||||||
# DROP - silently drop the packet
|
# DROP - silently drop the packet
|
||||||
|
@ -1,121 +1,222 @@
|
|||||||
Changes in 2.0.4
|
Changes in 2.2.1
|
||||||
|
|
||||||
1) Fix DNAT logging with 'fw' as the source zone.
|
1) Add examples to the zones and policy files.
|
||||||
|
|
||||||
Change in 2.0.5
|
2) Simon Matter's patch for umask.
|
||||||
|
|
||||||
1) Eradicate more RESTOREBASE messages.
|
Changes since 2.0.3
|
||||||
|
|
||||||
2) Remove 'mangle' reference from shorewall.conf.
|
1) Fix security vulnerability involving temporary files/directories.
|
||||||
|
|
||||||
Change in 2.0.6
|
2) Hack security fix so that it works under Slackware.
|
||||||
|
|
||||||
1) Add PKTTYPE option.
|
3) Correct mktempfile() for case where mktemp isn't installed.
|
||||||
|
|
||||||
shorewall.conf
|
4) Implement 'dropInvalid' builtin action.
|
||||||
firewall
|
|
||||||
|
|
||||||
2) Sanitized some correct but confusing code in determine_hosts().
|
5) Fix logging nat rules.
|
||||||
|
|
||||||
There was a loop:
|
6) Fix COMMAND typos.
|
||||||
|
|
||||||
for networks in $networks
|
7) Add PKTTYPE option.
|
||||||
...
|
|
||||||
|
|
||||||
It now reads:
|
8) Enhancements to /etc/shorewall/masq
|
||||||
|
|
||||||
for network in $networks
|
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||||
...
|
|
||||||
|
|
||||||
|
9) Fix syntax error in setup_nat()
|
||||||
|
|
||||||
3) Don't give shorewall.conf and zones execute permission.
|
10) Port "shorewall status" changes from 2.0.7.
|
||||||
|
|
||||||
4) Backport 'dropInvalid' from 2.1
|
11) All config files are now empty.
|
||||||
|
|
||||||
Changes in 2.0.7
|
12) Port blacklisting fix from 2.0.7
|
||||||
|
|
||||||
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
|
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||||
status".
|
Prep work for action logging.
|
||||||
|
|
||||||
2) Consult PKTTYPE when generating 'REJECT' rules.
|
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||||
|
|
||||||
3) Enhance IP/Routing output in "shorewall status".
|
15) Implement STARTUP_ENABLED.
|
||||||
|
|
||||||
4) Correct handling of multiple 'blacklist' interfaces.
|
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||||
|
|
||||||
5) Add "0.0.0.0 RETURN" to nobogons.
|
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||||
|
|
||||||
Changes in 2.0.8
|
18) Removed DNAT ONLY column.
|
||||||
|
|
||||||
1) Removed dead code from process_actions2()
|
19) Added IPSEC column to /etc/shorewall/masq.
|
||||||
|
|
||||||
2) Corrected read command in process_actions2() (userspec)
|
20) No longer enforce source port 500 for ISAKMP.
|
||||||
|
|
||||||
Changes in 2.0.9
|
21) Apply policy to interface/host options.
|
||||||
|
|
||||||
1) Corrected setup_tc1() handling of the PROTO column.
|
22) Fix policy and maclist.
|
||||||
|
|
||||||
2) Added warning about ADD_SNAT_ALIASES in the masq file.
|
23) Implement additional IPSEC options for zones and masq entries.
|
||||||
|
|
||||||
3) Added "brctl show" to the status command.
|
24) Deprecate the -c option in /sbin/shorewall.
|
||||||
|
|
||||||
Changes in 2.0.10
|
25) Allow distinct input and output IPSEC parameters.
|
||||||
|
|
||||||
1) Corrected GATEWAY handling for 'pptpserver's
|
26) Allow source port remapping in /etc/shorewall/masq.
|
||||||
|
|
||||||
2) Correct log rule number generation.
|
27) Include params file on 'restore'
|
||||||
|
|
||||||
3) Add clarification to /etc/shorewall/tcrules.
|
28) Apply Richard Musil's patch.
|
||||||
|
|
||||||
4) Apply part of Ian Allen's fix for down interface in the SUBNET
|
29) Correct parsing of PROTO column in setup_tc1().
|
||||||
column of /etc/shorewall/masq.
|
|
||||||
|
|
||||||
5) Add key /proc settings to "shorewall status" output.
|
30) Verify Physdev match if BRIDGING=Yes
|
||||||
|
|
||||||
Changes in 2.0.11
|
31) Don't NAT tunnel traffic.
|
||||||
|
|
||||||
1) Add note for Slackware users to INSTALL.
|
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
|
||||||
|
|
||||||
2) Correct bogons file.
|
33) Add iprange support.
|
||||||
|
|
||||||
3) Replace service names by port numbers in /etc/shorewall/tos.
|
34) Add CLASSIFY support.
|
||||||
|
|
||||||
4) Added NNTPS to action.AllowNNTP.
|
35) Fix iprange support so that ranges in both source and destination
|
||||||
|
work.
|
||||||
|
|
||||||
5) Fix install.sh
|
36) Remove logunclean and dropunclean
|
||||||
|
|
||||||
Changes in 2.0.12
|
37) Fixed proxy arp flag setting for complex configurations.
|
||||||
|
|
||||||
1) Correct typo in shorewall.conf.
|
38) Added RETAIN_ALIASES option.
|
||||||
|
|
||||||
2) Fix "shorewall add" and "shorewall delete" with bridging.
|
39) Relax OpenVPN source port restrictions.
|
||||||
|
|
||||||
3) Implement variable expansion in INCLUDE directives
|
40) Implement DELAYBLACKLISTLOAD.
|
||||||
|
|
||||||
4) Split restore-base into two files.
|
41) Avoid double-setting proxy arp flags.
|
||||||
|
|
||||||
5) Correct dynamic zone OUTPUT handling.
|
42) Fix DELAYBLACKLISTLOAD=No.
|
||||||
|
|
||||||
Changes in 2.0.13
|
43) Merge 'brctl show' change from 2.0.9.
|
||||||
|
|
||||||
1) Correct typo in "shorewall add" code.
|
44) Implememt LOGTAGONLY.
|
||||||
|
|
||||||
Changes in 2.0.14
|
45) Merge 'tcrules' clarification from 2.0.10.
|
||||||
|
|
||||||
1) Log drops due to policy rate limiting.
|
46) Implement 'sourceroute' interface option.
|
||||||
|
|
||||||
2) Fix typo in interfaces file.
|
47) Add 'AllowICMPs' action.
|
||||||
|
|
||||||
3) Eliminate "bad variable" errors during stop/clear.
|
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
||||||
|
handled before traffic from non-IPSEC zones.
|
||||||
|
|
||||||
4) Fix typo in tunnels file.
|
49) Correct logmartians handling.
|
||||||
|
|
||||||
Changes in 2.0.15
|
50) Add a clarification and fix a typo in the blacklist file.
|
||||||
|
|
||||||
1) Increased port range for Traceroute.
|
51) Allow setting a specify MSS value.
|
||||||
|
|
||||||
2) Corrected port of rate-limit logging change.
|
52) Detect duplicate zone names.
|
||||||
|
|
||||||
Changes in 2.0.16
|
53) Add mss=<number> option to the ipsec file.
|
||||||
|
|
||||||
1) Backport DROPINVALID from 2.2.0.
|
54) Added CONNMARK/ipp2p support.
|
||||||
|
|
||||||
|
55) Added LOGALLNEW support.
|
||||||
|
|
||||||
|
56) Fix typo in check_config()
|
||||||
|
|
||||||
|
57) Allow outgoing NTP responses in action.AllowNTP.
|
||||||
|
|
||||||
|
58) Clarification of the 'ipsec' hosts file option.
|
||||||
|
|
||||||
|
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||||
|
|
||||||
|
60) Restore missing '#' in the rfc1918 file.
|
||||||
|
|
||||||
|
61) Add note for Slackware users to INSTALL.
|
||||||
|
|
||||||
|
62) Allow interface in DEST tcrules column.
|
||||||
|
|
||||||
|
63) Remove 'ipt_unclean' from search expression in "log" commands.
|
||||||
|
|
||||||
|
64) Remove nonsense from IPSEC description in masq file.
|
||||||
|
|
||||||
|
65) Correct typo in rules file.
|
||||||
|
|
||||||
|
66) Update bogons file.
|
||||||
|
|
||||||
|
67) Add a rule for NNTPS to action.AllowNNTP
|
||||||
|
|
||||||
|
68) Fix "shorewall add"
|
||||||
|
|
||||||
|
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||||
|
|
||||||
|
70) Correct typo in shorewall.conf.
|
||||||
|
|
||||||
|
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||||
|
|
||||||
|
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||||
|
|
||||||
|
73) Fixed some bugs in Tuomas's patch.
|
||||||
|
|
||||||
|
74) Correct bug in "shorewall add"
|
||||||
|
|
||||||
|
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
||||||
|
|
||||||
|
76) Add "shorewall show zones"
|
||||||
|
|
||||||
|
77) Remove dependency of "show zones" on dynamic zones.
|
||||||
|
|
||||||
|
78) Implement variable expansion in INCLUDE directives
|
||||||
|
|
||||||
|
79) More fixes for "shorewall delete" with bridging.
|
||||||
|
|
||||||
|
80) Split restore-base into two files.
|
||||||
|
|
||||||
|
81) Correct OUTPUT handling of dynamic zones.
|
||||||
|
|
||||||
|
83) Add adapter statistics to the output of "shorewall status".
|
||||||
|
|
||||||
|
84) Log drops due to policy rate limiting.
|
||||||
|
|
||||||
|
85) Continue determining capabilities when fooX1234 already exists.
|
||||||
|
|
||||||
|
86) Corrected typo in interfaces file.
|
||||||
|
|
||||||
|
87) Add DROPINVALID option.
|
||||||
|
|
||||||
|
88) Allow list of hosts in add and delete commands. Fix ipsec problem
|
||||||
|
with "add" and "delete"
|
||||||
|
|
||||||
|
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
|
||||||
|
|
||||||
|
90) Implement OpenVPN TCP support.
|
||||||
|
|
||||||
|
91) Simplify the absurdly over-engineered code that restores the
|
||||||
|
dynamic chain.
|
||||||
|
|
||||||
|
92) Add OPENVPNPORT option.
|
||||||
|
|
||||||
|
93) Remove OPENVPNPORT option and change default port to 1194.
|
||||||
|
|
||||||
|
94) Avoid shell error during "shorewall stop/clear"
|
||||||
|
|
||||||
|
95) Change encryption to blowfish in 'ipsecvpn' script.
|
||||||
|
|
||||||
|
96) Correct rate limiting rule example.
|
||||||
|
|
||||||
|
97) Fix <if>:: handling in setup_masq().
|
||||||
|
|
||||||
|
98) Fix mis-leading typo in tunnels.
|
||||||
|
|
||||||
|
99) Fix brain-dead ipsec option handling in setup_masq().
|
||||||
|
|
||||||
|
100) Reconcile ipsec masq file implementation with the documentation.
|
||||||
|
|
||||||
|
101) Add netfilter module display to status output.
|
||||||
|
|
||||||
|
102) Add 'allowInvalid' builtin action.
|
||||||
|
|
||||||
|
103) Expand range of Traceroute ports.
|
||||||
|
|
||||||
|
102) Correct uninitialized variable in setup_ecn()
|
||||||
|
|
||||||
|
103) Allow DHCP to be IPSEC-encrypted.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.0 - Default Config Path
|
# Shorewall version 2.2 - Default Config Path
|
||||||
#
|
#
|
||||||
# /usr/share/shorewall/configpath
|
# /usr/share/shorewall/configpath
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
# Shorewall 2.2 - /etc/shorewall/ecn
|
||||||
#
|
#
|
||||||
# Use this file to list the destinations for which you want to
|
# Use this file to list the destinations for which you want to
|
||||||
# disable ECN.
|
# disable ECN.
|
||||||
@ -12,7 +12,9 @@
|
|||||||
# the firewall
|
# the firewall
|
||||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
# If left empty or supplied as "-",
|
# If left empty or supplied as "-",
|
||||||
# 0.0.0.0/0 is assumed.
|
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
||||||
|
# include iprange match support then IP address ranges
|
||||||
|
# are also permitted.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE HOST(S)
|
#INTERFACE HOST(S)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||||
#
|
#
|
||||||
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=2.0.16
|
VERSION=2.2.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
|
|||||||
|
|
||||||
restore_file /etc/shorewall/interfaces
|
restore_file /etc/shorewall/interfaces
|
||||||
|
|
||||||
|
restore_file /etc/shorewall/ipsec
|
||||||
|
|
||||||
restore_file /etc/shorewall/hosts
|
restore_file /etc/shorewall/hosts
|
||||||
|
|
||||||
restore_file /etc/shorewall/rules
|
restore_file /etc/shorewall/rules
|
||||||
|
2431
STABLE2/firewall
2431
STABLE2/firewall
@ -1,6 +1,27 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall 2.0 -- /usr/share/shorewall/functions
|
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||||
|
|
||||||
|
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||||
|
# rather than ${v:first:last} because light-weight shells like ash and
|
||||||
|
# dash do not support that form of expansion.
|
||||||
|
#
|
||||||
|
|
||||||
|
truncate() # $1 = length
|
||||||
|
{
|
||||||
|
cut -b -${1}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Split a colon-separated list into a space-separated list
|
||||||
|
#
|
||||||
|
split() {
|
||||||
|
local ifs=$IFS
|
||||||
|
IFS=:
|
||||||
|
set -- $1
|
||||||
|
echo $*
|
||||||
|
IFS=$ifs
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Search a list looking for a match -- returns zero if a match found
|
# Search a list looking for a match -- returns zero if a match found
|
||||||
@ -229,7 +250,7 @@ find_zones() # $1 = name of the zone file
|
|||||||
\#*)
|
\#*)
|
||||||
;;
|
;;
|
||||||
$FW)
|
$FW)
|
||||||
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
|
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo $zone
|
echo $zone
|
||||||
@ -255,12 +276,16 @@ determine_zones()
|
|||||||
multi_display=Multi-zone
|
multi_display=Multi-zone
|
||||||
strip_file zones $zonefile
|
strip_file zones $zonefile
|
||||||
zones=$(find_zones $TMP_DIR/zones)
|
zones=$(find_zones $TMP_DIR/zones)
|
||||||
zones=$(echo $zones) # Remove extra trash
|
newzones=
|
||||||
|
|
||||||
for zone in $zones; do
|
for zone in $zones; do
|
||||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||||
|
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
|
||||||
eval ${zone}_display=\$dsply
|
eval ${zone}_display=\$dsply
|
||||||
|
newzones="$newzones $zone"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
zones=${newzones# }
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -377,7 +402,7 @@ mktempfile() {
|
|||||||
> $1/shorewall-$$ && echo $1/shorewall-$$
|
> $1/shorewall-$$ && echo $1/shorewall-$$
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo " ERROR:Internal error in mktempfile"
|
echo " ERROR:Internal error in mktempfile" >&2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
else
|
else
|
||||||
@ -393,7 +418,7 @@ mktempfile() {
|
|||||||
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo " ERROR:Internal error in mktempfile"
|
echo " ERROR:Internal error in mktempfile" >&2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@ -417,7 +442,7 @@ mktempdir() {
|
|||||||
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo " ERROR:Internal error in mktempdir"
|
echo " ERROR:Internal error in mktempdir" >&2
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
@ -532,6 +557,13 @@ ip_range() {
|
|||||||
local first last l x y z vlsm
|
local first last l x y z vlsm
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
|
!*)
|
||||||
|
#
|
||||||
|
# Let iptables complain if it's a range
|
||||||
|
#
|
||||||
|
echo $1
|
||||||
|
return
|
||||||
|
;;
|
||||||
[0-9]*.*.*.*-*.*.*.*)
|
[0-9]*.*.*.*-*.*.*.*)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -680,6 +712,9 @@ chain_base() #$1 = interface
|
|||||||
*-*)
|
*-*)
|
||||||
c="${c%-*}_${c##*-}"
|
c="${c%-*}_${c##*-}"
|
||||||
;;
|
;;
|
||||||
|
*%*)
|
||||||
|
c="${c%\%*}_${c##*%}"
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
echo ${c:=common}
|
echo ${c:=common}
|
||||||
return
|
return
|
||||||
@ -699,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
|
|||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
*+)
|
*+)
|
||||||
#
|
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
|
||||||
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
|
|
||||||
# variable expansion :-(
|
|
||||||
#
|
|
||||||
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
|
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
test "x$1" = "x$2"
|
test "x$1" = "x$2"
|
||||||
@ -767,3 +798,11 @@ find_interface_by_address() {
|
|||||||
[ -n "$dev" ] && echo $dev
|
[ -n "$dev" ] && echo $dev
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||||
|
# device
|
||||||
|
#
|
||||||
|
find_interface_addresses() # $1 = interface
|
||||||
|
{
|
||||||
|
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||||
|
}
|
||||||
|
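Review bot: `split()` in the first hunk runs `set -- $1` and `echo $*` with pathname expansion still enabled, so a list element containing `*`, `?` or `[` is replaced by whatever file names match it in the current directory before the list is echoed. If callers only ever pass interface or zone names this is harmless, but the helper is generic, so either document the restriction with `# Elements undergo pathname expansion; do not pass globbing characters` or turn globbing off for the duration of the split as below. `truncate()` in the same hunk passes `$1` straight to `cut -b -${1}`, which exits with a usage error when the length is empty; `if_match` always supplies `${#pattern}`, so the only fix needed is a header comment stating that the length argument is required. The `determine_zones` and `if_match` bodies touched by the later hunks start outside their hunks, so where `newzones` and `pattern` are declared cannot be confirmed here.
```shell
split() {
    local ifs=$IFS flags=$-
    IFS=:
    set -f                     # no pathname expansion of the list elements
    set -- $1
    echo $*
    IFS=$ifs
    case $flags in *f*) ;; *) set +f ;; esac
}
```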
51
STABLE2/help
51
STABLE2/help
@ -1,11 +1,11 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
# Shorewall help subsystem - V2.2
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
# Steve Herber (herber@thing.com)
|
# Steve Herber (herber@thing.com)
|
||||||
#
|
#
|
||||||
# This file should be placed in /usr/share/shorewall/help
|
# This file should be placed in /usr/share/shorewall/help
|
||||||
@ -29,11 +29,18 @@
|
|||||||
case $1 in
|
case $1 in
|
||||||
|
|
||||||
add)
|
add)
|
||||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
echo "add: add <interface>[:<host-list>] ... <zone>
|
||||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
|
||||||
|
|
||||||
shorewall add interface[:port][:host] zone - Adds the specified interface
|
shorewall add interface:host-list ... zone - Adds the specified interface
|
||||||
(and bridge port/host if included) to the specified zone.
|
(and host-list if included) to the specified zone.
|
||||||
|
|
||||||
|
A host-list is a comma-separated list whose elements are:
|
||||||
|
|
||||||
|
A host or network address
|
||||||
|
The name of a bridge port
|
||||||
|
The name of a bridge port followed by a colon (":") and a host or
|
||||||
|
network address.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
@ -46,7 +53,9 @@ add)
|
|||||||
address|host)
|
address|host)
|
||||||
echo "<$1>:
|
echo "<$1>:
|
||||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||||
CIDR format like 192.168.1.0/24"
|
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
|
||||||
|
match support then IP address ranges of the form <low address>-<high address>
|
||||||
|
are also permitted."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
allow)
|
allow)
|
||||||
@ -60,7 +69,7 @@ allow)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
check)
|
check)
|
||||||
echo "check: check [ -c <configuration-directory> ]
|
echo "check: check [ <configuration-directory> ]
|
||||||
Performs a cursory validation of the zones, interfaces, hosts,
|
Performs a cursory validation of the zones, interfaces, hosts,
|
||||||
rules and policy files. Use this if you are unsure of any edits
|
rules and policy files. Use this if you are unsure of any edits
|
||||||
you have made to the shorewall configuration. See the try command
|
you have made to the shorewall configuration. See the try command
|
||||||
@ -93,11 +102,18 @@ debug)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
delete)
|
delete)
|
||||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
echo "delete: delete <interface>[:<host-list>] ... <zone>
|
||||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
|
||||||
|
|
||||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
shorewall delete interface[:host-list] ... zone - Deletes the specified
|
||||||
interface (and bridge port/host if included) from the specified zone.
|
interfaces (and host list if included) from the specified zone.
|
||||||
|
|
||||||
|
A host-list is a comma-separated list whose elements are:
|
||||||
|
|
||||||
|
A host or network address
|
||||||
|
The name of a bridge port
|
||||||
|
The name of a bridge port followed by a colon (":") and a host or
|
||||||
|
network address.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
@ -187,7 +203,7 @@ reset)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
restart)
|
restart)
|
||||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
||||||
Restart is the same as a shorewall stop && shorewall start.
|
Restart is the same as a shorewall stop && shorewall start.
|
||||||
Existing connections are maintained.
|
Existing connections are maintained.
|
||||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||||
@ -217,7 +233,7 @@ save)
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
show)
|
show)
|
||||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
|
||||||
|
|
||||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||||
(iptables -L chain -n -v)
|
(iptables -L chain -n -v)
|
||||||
@ -236,17 +252,20 @@ show)
|
|||||||
shorewall show tc - displays information about the traffic
|
shorewall show tc - displays information about the traffic
|
||||||
control/shaping configuration.
|
control/shaping configuration.
|
||||||
|
|
||||||
|
shorewall show zones - displays the contents of all zones.
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
start)
|
start)
|
||||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
||||||
Start shorewall. Existing connections through shorewall managed
|
Start shorewall. Existing connections through shorewall managed
|
||||||
interfaces are untouched. New connections will be allowed only
|
interfaces are untouched. New connections will be allowed only
|
||||||
if they are allowed by the firewall rules or policies.
|
if they are allowed by the firewall rules or policies.
|
||||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||||
in shorewall.conf will be restored if that saved configuration exists"
|
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||||
|
case, a <configuration-directory> may not be specified".
|
||||||
;;
|
;;
|
||||||
|
|
||||||
stop)
|
stop)
|
||||||
|
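Review bot: In the `start` help text the closing quote is placed before the sentence's final period (`may not be specified".`), so the period is an unquoted fragment glued onto the last word of the string; it still prints, but the line should read `case, a <configuration-directory> may not be specified."` like the other messages in this file. In the `add` text the synopsis line `shorewall add interface:host-list ... zone` drops the brackets that the preceding `add: add <interface>[:<host-list>] ... <zone>` line and the parallel `delete` text both use; `shorewall add interface[:host-list] ... zone` keeps the two commands' notation consistent. The `check` and `restart` hunks only move `<configuration-directory>` out of the `-c` option, which matches the new `start` synopsis.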
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
# Shorewall 2.2 - /etc/shorewall/hosts
|
||||||
#
|
#
|
||||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||||
@ -28,12 +28,15 @@
|
|||||||
# a) The IP address of a host
|
# a) The IP address of a host
|
||||||
# b) A subnetwork in the form
|
# b) A subnetwork in the form
|
||||||
# <subnet-address>/<mask width>
|
# <subnet-address>/<mask width>
|
||||||
# c) A physical port name; only allowed when the
|
# c) An IP address range of the form <low address>-<high
|
||||||
|
# address>. Your kernel and iptables must have iprange
|
||||||
|
# match support.
|
||||||
|
# d) A physical port name; only allowed when the
|
||||||
# interface names a bridge created by the
|
# interface names a bridge created by the
|
||||||
# brctl addbr command. This port must not
|
# brctl addbr command. This port must not
|
||||||
# be defined in /etc/shorewall/interfaces and may
|
# be defined in /etc/shorewall/interfaces and may
|
||||||
# optionally followed by a colon (":") and a
|
# optionally followed by a colon (":") and a
|
||||||
# host or network IP.
|
# host or network IP or a range.
|
||||||
# See http://www.shorewall.net/Bridge.html for details.
|
# See http://www.shorewall.net/Bridge.html for details.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
@ -43,6 +46,7 @@
|
|||||||
# eth3:192.168.2.0/24,192.168.3.1
|
# eth3:192.168.2.0/24,192.168.3.1
|
||||||
# br0:eth4
|
# br0:eth4
|
||||||
# br0:eth0:192.168.1.16/28
|
# br0:eth0:192.168.1.16/28
|
||||||
|
# eth4:192.168.1.44-192.168.1.49
|
||||||
#
|
#
|
||||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||||
# options are:
|
# options are:
|
||||||
@ -124,5 +128,12 @@
|
|||||||
# This option has no effect if
|
# This option has no effect if
|
||||||
# NEWNOTSYN=Yes.
|
# NEWNOTSYN=Yes.
|
||||||
#
|
#
|
||||||
|
# ipsec - The zone is accessed via a
|
||||||
|
# kernel 2.6 ipsec SA. Note that if the
|
||||||
|
# zone named in the ZONE column is
|
||||||
|
# specified as an IPSEC zone in the
|
||||||
|
# /etc/shorewall/ipsec file then you do NOT
|
||||||
|
# need to specify the 'ipsec' option here.
|
||||||
|
#
|
||||||
#ZONE HOST(S) OPTIONS
|
#ZONE HOST(S) OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 2.0 -- /etc/shorewall/init
|
# Shorewall 2.2 -- /etc/shorewall/init
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the beginning of
|
# Add commands below that you want to be executed at the beginning of
|
||||||
# a "shorewall start" or "shorewall restart" command.
|
# a "shorewall start" or "shorewall restart" command.
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
RCDLINKS="2,S41 3,S41 6,K41"
|
RCDLINKS="2,S41 3,S41 6,K41"
|
||||||
#
|
#
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
|
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 2.0 -- /etc/shorewall/initdone
|
# Shorewall 2.2 -- /etc/shorewall/initdone
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed during
|
# Add commands below that you want to be executed during
|
||||||
# "shorewall start" or "shorewall restart" commands at the point where
|
# "shorewall start" or "shorewall restart" commands at the point where
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=2.0.16
|
VERSION=2.2.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -176,16 +176,16 @@ echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
|
|||||||
#
|
#
|
||||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||||
#
|
#
|
||||||
mkdir -p ${PREFIX}/etc/shorewall && chmod 700 ${PREFIX}/etc/shorewall
|
mkdir -p ${PREFIX}/etc/shorewall
|
||||||
mkdir -p ${PREFIX}/usr/share/shorewall && chmod 700 ${PREFIX}/usr/share/shorewall
|
mkdir -p ${PREFIX}/usr/share/shorewall
|
||||||
mkdir -p ${PREFIX}/var/lib/shorewall && chmod 700 ${PREFIX}/var/lib/shorewall
|
mkdir -p ${PREFIX}/var/lib/shorewall
|
||||||
#
|
#
|
||||||
# Install the config file
|
# Install the config file
|
||||||
#
|
#
|
||||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||||
backup_file /etc/shorewall/shorewall.conf
|
backup_file /etc/shorewall/shorewall.conf
|
||||||
else
|
else
|
||||||
run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||||
echo
|
echo
|
||||||
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||||
fi
|
fi
|
||||||
@ -195,7 +195,7 @@ fi
|
|||||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||||
backup_file /etc/shorewall/zones
|
backup_file /etc/shorewall/zones
|
||||||
else
|
else
|
||||||
run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
|
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||||
echo
|
echo
|
||||||
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||||
fi
|
fi
|
||||||
@ -247,6 +247,16 @@ else
|
|||||||
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
# Install the ipsec file
|
||||||
|
#
|
||||||
|
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
|
||||||
|
backup_file /etc/shorewall/ipsec
|
||||||
|
else
|
||||||
|
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
|
||||||
|
echo
|
||||||
|
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
|
||||||
|
fi
|
||||||
|
#
|
||||||
# Install the hosts file
|
# Install the hosts file
|
||||||
#
|
#
|
||||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||||
@ -539,8 +549,7 @@ fi
|
|||||||
#
|
#
|
||||||
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
||||||
|
|
||||||
if [ -z "$PREFIX" ]; then
|
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||||
if [ -n "$first_install" ]; then
|
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||||
@ -552,7 +561,7 @@ if [ -z "$PREFIX" ]; then
|
|||||||
if insserv /etc/init.d/shorewall ; then
|
if insserv /etc/init.d/shorewall ; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically at boot"
|
echo "shorewall will start automatically at boot"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
@ -560,7 +569,7 @@ if [ -z "$PREFIX" ]; then
|
|||||||
if chkconfig --add shorewall ; then
|
if chkconfig --add shorewall ; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically in run levels as follows:"
|
echo "shorewall will start automatically in run levels as follows:"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
chkconfig --list shorewall
|
chkconfig --list shorewall
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
@ -569,23 +578,16 @@ if [ -z "$PREFIX" ]; then
|
|||||||
if rc-update add shorewall default; then
|
if rc-update add shorewall default; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically at boot"
|
echo "shorewall will start automatically at boot"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo \
|
|
||||||
"########################################################################
|
|
||||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
|
||||||
########################################################################" > /etc/shorewall/startup_disabled
|
|
||||||
fi
|
|
||||||
elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
|
|
||||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Report Success
|
# Report Success
|
||||||
#
|
#
|
||||||
|
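Review bot: The two `run_install ... -m 0744` lines (shorewall.conf and zones) change those configuration files from 0600 to world-readable with an execute bit that a sourced configuration file never uses, while the ipsec file added in the same section is installed 0600 and the `chmod 700` on `/etc/shorewall`, `/usr/share/shorewall` and `/var/lib/shorewall` is dropped without comment. If the intent is to let non-root tools read the configuration, `run_install -o $OWNER -g $GROUP -m 0644 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf` expresses that without the stray execute bit; if not, keeping `-m 0600` as on the ipsec file avoids making the firewall configuration readable by every local user. Whichever is chosen should apply uniformly to the configuration files this script installs. The merged condition `[ -z "$PREFIX" -a -n "$first_install" ]` also relies on the obsolescent `-a` operator of `test`; `[ -z "$PREFIX" ] && [ -n "$first_install" ]` is the portable spelling.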
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Interfaces File
|
# Shorewall 2.2 -- Interfaces File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/interfaces
|
# /etc/shorewall/interfaces
|
||||||
#
|
#
|
||||||
@ -75,12 +75,23 @@
|
|||||||
# option does not cover those ranges
|
# option does not cover those ranges
|
||||||
# reserved by RFC 1918 -- see above).
|
# reserved by RFC 1918 -- see above).
|
||||||
#
|
#
|
||||||
|
# I PERSONALLY RECOMMEND AGAINST USING
|
||||||
|
# THE 'nobogons' OPTION.
|
||||||
|
#
|
||||||
# routefilter - turn on kernel route filtering for this
|
# routefilter - turn on kernel route filtering for this
|
||||||
# interface (anti-spoofing measure). This
|
# interface (anti-spoofing measure). This
|
||||||
# option can also be enabled globally in
|
# option can also be enabled globally in
|
||||||
# the /etc/shorewall/shorewall.conf file.
|
# the /etc/shorewall/shorewall.conf file.
|
||||||
#
|
#
|
||||||
# . . blacklist - Check packets arriving on this interface
|
# logmartians - turn on kernel martian logging (logging
|
||||||
|
# of packets with impossible source
|
||||||
|
# addresses. It is suggested that if you
|
||||||
|
# set routefilter on an interface that
|
||||||
|
# you also set logmartians. This option
|
||||||
|
# may also be enabled globally in the
|
||||||
|
# /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# blacklist - Check packets arriving on this interface
|
||||||
# against the /etc/shorewall/blacklist
|
# against the /etc/shorewall/blacklist
|
||||||
# file.
|
# file.
|
||||||
#
|
#
|
||||||
|
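--- a/STABLE2/ipsec
+++ b/STABLE2/ipsec
@@ -0,0 +1,58 @@
+#
+# Shorewall 2.2 - /etc/shorewall/ipsec
+#
+# This file defines the attributes of zones with respect to
+# IPSEC. To use this file, you must be running a 2.6 kernel and
+# both your kernel and iptables must include Policy Match Support.
+#
+# The columns are:
+#
+# ZONE The name of a zone defined in /etc/shorewall/zones. The
+# $FW zone may not be listed.
+#
+# IPSEC Yes -- Communication with all zone hosts is encrypted
+# ONLY No -- Communication with some zone hosts is encrypted.
+# Encrypted hosts are designated using the 'ipsec'
+# option in /etc/shorewall/hosts.
+#
+# OPTIONS, A comma-separated list of options as follows:
+# IN OPTIONS,
+# OUT OPTIONS reqid=<number> where <number> is specified
+# using setkey(8) using the 'unique:<number>
+# option for the SPD level.
+#
+# spi=<number> where <number> is the SPI of
+# the SA used to encrypt/decrypt packets.
+#
+# proto=ah|esp|ipcomp
+#
+# mss=<number> (sets the MSS field in TCP packets)
+#
+# mode=transport|tunnel
+#
+# tunnel-src=<address>[/<mask>] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=<address>[/<mask>] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
+# Example:
+# mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
+###################################################################################
+#ZONE IPSEC OPTIONS IN OUT
+# ONLY OPTIONS OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE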
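--- /dev/null
+++ b/STABLE2/ipsecvpn
@@ -0,0 +1,296 @@
+#!/bin/sh
+
+################################################################################
+#
+# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
+# IPSEC connection
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+RCDLINKS="2,S42 3,S42 6,K42"
+
+#### BEGIN INIT INFO
+# Provides: ipsecvpn
+# Required-Start: $shorewall
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops a tunnel-mode VPN connection
+### END INIT INFO
+
+# chkconfig: 2345 26 89
+# description: IPSEC tunnel-mode connection
+#
+################################################################################
+#
+# External Interface
+#
+INTERFACE=eth0
+#
+# Remote IPSEC Gateway
+#
+GATEWAY=1.2.3.4
+#
+# Networks behind the remote gateway (space-separated list)
+#
+NETWORKS="192.168.1.0/24"
+#
+# Directory where X.509 certificates are stored.
+#
+CERTS=/etc/certs
+#
+# Certificate to be used for this connection. The cert
+# directory must contain:
+#
+# ${CERT}.pem - the certificate
+# ${CERT}_key.pem - the certificates's key
+#
+CERT=roadwarrior
+#
+# The setkey binary
+#
+SETKEY=/usr/sbin/setkey
+#
+# The racoon binary
+#
+RACOON=/usr/sbin/racoon
+
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+echo " $@" >&2
+}
+
+#
+# Fatal error -- stops the firewall after issuing the error message
+#
+fatal_error() # $* = Error Message
+{
+echo " Error: $@" >&2
+exit 2
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+#
+# get the line of output containing the first IP address
+#
+addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
+#
+# If there wasn't one, bail out now
+#
+[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+#
+# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+# along with everything else on the line
+#
+echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}
+
+#
+# Create a Racoon configuration file using the variables above
+#
+make_racoon_conf() {
+echo "path certificate \"$CERTS\";"
+echo
+echo "listen"
+echo "{"
+echo " isakmp $IPADDR;"
+echo "}"
+echo
+echo "remote $GATEWAY"
+echo "{"
+echo " exchange_mode main;"
+echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
+echo " verify_cert on;"
+echo " my_identifier asn1dn ;"
+echo " peers_identifier asn1dn ;"
+echo " verify_identifier on ;"
+echo " lifetime time 24 hour ;"
+echo " proposal {"
+echo " encryption_algorithm blowfish;"
+echo " hash_algorithm sha1;"
+echo " authentication_method rsasig ;"
+echo " dh_group 2 ;"
+echo " }"
+echo "}"
+echo
+
+for network in $NETWORKS; do
+echo "sainfo address $IPADDR/32 any address $network any"
+echo "{"
+echo " pfs_group 2;"
+echo " lifetime time 12 hour ;"
+echo " encryption_algorithm blowfish ;"
+echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+echo " compression_algorithm deflate ;"
+echo "}"
+echo
+echo "sainfo address $network any address $IPADDR/32 any"
+echo "{"
+echo " pfs_group 2;"
+echo " lifetime time 12 hour ;"
+echo " encryption_algorithm blowfish ;"
+echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+echo " compression_algorithm deflate ;"
+echo "}"
+
+done
+
+echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
+echo "{"
+echo " pfs_group 2;"
+echo " lifetime time 12 hour ;"
+echo " encryption_algorithm blowfish ;"
+echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+echo " compression_algorithm deflate ;"
+echo "}"
+echo
+echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
+echo "{"
+echo " pfs_group 2;"
+echo " lifetime time 12 hour ;"
+echo " encryption_algorithm blowfish ;"
+echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
+echo " compression_algorithm deflate ;"
+echo "}"
+}
+
+#
+# Make a setkey configuration file using the variables above
+#
+make_setkey_conf()
+{
+echo "flush;"
+echo "spdflush;"
+
+echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
+echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
+
+for network in $NETWORKS; do
+echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
+echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
+done
+}
+
+#
+# Start the Tunnel
+#
+start()
+{
+#
+# Get the first IP address configured on the device in INTERFACE
+#
+IPADDR=$(find_first_interface_address $INTERFACE)
+#
+# Create the name of the setkey temporary file
+#
+TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
+[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
+#
+# Create the file
+#
+make_setkey_conf > $TEMPFILE
+#
+# Create the SPD
+#
+$SETKEY -f $TEMPFILE
+#
+# We can now remove the file
+#
+rm -f $TEMPFILE
+#
+# Create another name -- make this distict to aid debugging
+# (just comment out the 'rm' commands)
+#
+TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
+[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
+#
+# Create the file
+#
+make_racoon_conf > $TEMPFILE
+#
+# Start Racoon Daemon
+#
+$RACOON -4 -f $TEMPFILE
+#
+# Once the Daemon is running, we can remove the file
+#
+rm -f $TEMPFILE
+}
+#
+# Stop the Tunnel
+#
+stop()
+{
+#
+# Kill any racoon daemons
+#
+killall racoon
+#
+# Purge the SAD and SPD
+#
+setkey -F -FP
+}
+
+#
+# Display command syntax and abend
+#
+usage()
+{
+error_message "usage: $(basename $0) [start|stop|restart]"
+exit 1
+}
+################################################################################
+# C O D E S T A R T S H E R E
+################################################################################
+[ $# -eq 1 ] || usage
+
+
+case $1 in
+start)
+start
+;;
+stop)
+stop
+;;
+restart)
+stop
+sleep 2
+start
+;;
+*)
+usage
+;;
+esac
+
+
+
+
+
+
+
+
+
+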
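Review bot: Neither `$SETKEY -f $TEMPFILE` nor `$RACOON -4 -f $TEMPFILE` in start() has its exit status checked, so when setkey fails the script goes on to launch racoon and exits 0 although no SPD was installed, and traffic to $GATEWAY and $NETWORKS then leaves the host unprotected instead of being held back by the `require` policies; both lines should abort, e.g. `$SETKEY -f $TEMPFILE || { rm -f $TEMPFILE; fatal_error "setkey failed to load the SPD"; }` and `$RACOON -4 -f $TEMPFILE || { rm -f $TEMPFILE; fatal_error "racoon failed to start"; }`. stop() calls a bare `setkey -F -FP` while start() uses `$SETKEY`, so a non-default SETKEY setting is ignored on the stop path; `$SETKEY -F -FP` keeps the two consistent. `killall racoon` also stops every racoon instance on the host rather than only the one this script started, which is worth stating in the comment above it or replacing with a pidfile-based stop if racoon provides one (not visible here). The phase-2 proposals in make_racoon_conf accept `hmac_md5` alongside `hmac_sha1`; since the algorithms are fixed in the function rather than exposed like INTERFACE and GATEWAY, either dropping `hmac_md5` or moving the proposal into a configurable variable at the top of the script would let an operator tighten it without editing the function body.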
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 - MAC list file
|
# Shorewall 2.2 - MAC list file
|
||||||
#
|
#
|
||||||
# /etc/shorewall/maclist
|
# /etc/shorewall/maclist
|
||||||
#
|
#
|
||||||
@ -15,7 +15,9 @@
|
|||||||
#
|
#
|
||||||
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
||||||
# must match. This column can contain a comma-separated
|
# must match. This column can contain a comma-separated
|
||||||
# list of host and/or subnet addresses.
|
# list of host and/or subnet addresses. If your kernel
|
||||||
|
# and iptables have iprange match support then IP
|
||||||
|
# address ranges are also allowed.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
78
STABLE2/masq
78
STABLE2/masq
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 - Masquerade file
|
# Shorewall 2.2 - Masquerade file
|
||||||
#
|
#
|
||||||
# /etc/shorewall/masq
|
# /etc/shorewall/masq
|
||||||
#
|
#
|
||||||
@ -20,6 +20,24 @@
|
|||||||
# This may be qualified by adding the character
|
# This may be qualified by adding the character
|
||||||
# ":" followed by a destination host or subnet.
|
# ":" followed by a destination host or subnet.
|
||||||
#
|
#
|
||||||
|
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||||
|
# for this entry then include the ":" but omit the digit:
|
||||||
|
#
|
||||||
|
# eth0:
|
||||||
|
# eth2::192.0.2.32/27
|
||||||
|
#
|
||||||
|
# Normally Masq/SNAT rules are evaluated after those for
|
||||||
|
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||||
|
# the rule to be applied before one-to-one NAT rules,
|
||||||
|
# prefix the interface name with "+":
|
||||||
|
#
|
||||||
|
# +eth0
|
||||||
|
# +eth0:192.0.2.32/27
|
||||||
|
# +eth0:2
|
||||||
|
#
|
||||||
|
# This feature should only be required if you need to
|
||||||
|
# insert rules in this file that preempt entries in
|
||||||
|
# /etc/shorewall/nat.
|
||||||
#
|
#
|
||||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||||
# a subnet or as an interface. If you give the name of an
|
# a subnet or as an interface. If you give the name of an
|
||||||
@ -42,13 +60,6 @@
|
|||||||
# will automatically add this address to the
|
# will automatically add this address to the
|
||||||
# INTERFACE named in the first column.
|
# INTERFACE named in the first column.
|
||||||
#
|
#
|
||||||
# If you have set ADD_SNAT_ALIASES=Yes in
|
|
||||||
# /etc/shorewall/shorewall.conf then DO NOT
|
|
||||||
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
|
|
||||||
# ADDRESS IN THIS COLUMN -- If you do so, you
|
|
||||||
# will loose your default route when Shorewall
|
|
||||||
# starts.
|
|
||||||
#
|
|
||||||
# You may also specify a range of up to 256
|
# You may also specify a range of up to 256
|
||||||
# IP addresses if you want the SNAT address to
|
# IP addresses if you want the SNAT address to
|
||||||
# be assigned from that range in a round-robin
|
# be assigned from that range in a round-robin
|
||||||
@ -62,6 +73,19 @@
|
|||||||
#
|
#
|
||||||
# This column may not contain DNS Names.
|
# This column may not contain DNS Names.
|
||||||
#
|
#
|
||||||
|
# Normally, Netfilter will attempt to retain
|
||||||
|
# the source port number. You may cause
|
||||||
|
# netfilter to remap the source port by following
|
||||||
|
# an address or range (if any) by ":" and
|
||||||
|
# a port range with the format <low port>-
|
||||||
|
# <high port>. If this is done, you must
|
||||||
|
# specify "tcp" or "udp" in the PROTO column.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# 192.0.2.4:5000-6000
|
||||||
|
# :4000-5000
|
||||||
|
#
|
||||||
# If you want to leave this column empty
|
# If you want to leave this column empty
|
||||||
# but you need to specify the next column then
|
# but you need to specify the next column then
|
||||||
# place a hyphen ("-") here.
|
# place a hyphen ("-") here.
|
||||||
@ -82,6 +106,42 @@
|
|||||||
# support and a maximum of 15 ports may be
|
# support and a maximum of 15 ports may be
|
||||||
# listed.
|
# listed.
|
||||||
#
|
#
|
||||||
|
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||||
|
# column, you must be running kernel 2.6 and
|
||||||
|
# your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
#
|
||||||
|
# Comma-separated list of options from the following.
|
||||||
|
# Only packets that will be encrypted via an SA that
|
||||||
|
# matches these options will have their source address
|
||||||
|
# changed.
|
||||||
|
#
|
||||||
|
# Yes or yes -- must be the only option listed
|
||||||
|
# and matches all outbound traffic that will be
|
||||||
|
# encrypted.
|
||||||
|
#
|
||||||
|
# reqid=<number> where <number> is specified
|
||||||
|
# using setkey(8) using the 'unique:<number>
|
||||||
|
# option for the SPD level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the SPI of
|
||||||
|
# the SA.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match all
|
||||||
|
# rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be used
|
||||||
|
# with strict..
|
||||||
#
|
#
|
||||||
# Example 1:
|
# Example 1:
|
||||||
#
|
#
|
||||||
@ -136,5 +196,5 @@
|
|||||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
# Shorewall 2.0 /etc/shorewall/modules
|
# Shorewall 2.2 /etc/shorewall/modules
|
||||||
#
|
#
|
||||||
# This file loads the modules needed by the firewall.
|
# This file loads the modules needed by the firewall.
|
||||||
#
|
#
|
||||||
|
10
STABLE2/nat
10
STABLE2/nat
@ -1,6 +1,6 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Network Address Translation Table
|
# Shorewall 2.2 -- Network Address Translation Table
|
||||||
#
|
#
|
||||||
# /etc/shorewall/nat
|
# /etc/shorewall/nat
|
||||||
#
|
#
|
||||||
@ -16,6 +16,7 @@
|
|||||||
# EXTERNAL External IP Address - this should NOT be the primary
|
# EXTERNAL External IP Address - this should NOT be the primary
|
||||||
# IP address of the interface named in the next
|
# IP address of the interface named in the next
|
||||||
# column and must not be a DNS Name.
|
# column and must not be a DNS Name.
|
||||||
|
#
|
||||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||||
# follow the interface name with ":" and a digit to
|
# follow the interface name with ":" and a digit to
|
||||||
@ -24,14 +25,21 @@
|
|||||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||||
|
#
|
||||||
|
# If you want to override ADD_IP_ALIASES=Yes for a
|
||||||
|
# particular entry, follow the interface name with
|
||||||
|
# ":" and no digit (e.g., "eth0:").
|
||||||
# INTERNAL Internal Address (must not be a DNS Name).
|
# INTERNAL Internal Address (must not be a DNS Name).
|
||||||
|
#
|
||||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||||
# If No or no (or left empty) then NAT will be effective
|
# If No or no (or left empty) then NAT will be effective
|
||||||
# only through the interface named in the INTERFACE
|
# only through the interface named in the INTERFACE
|
||||||
# column
|
# column
|
||||||
|
#
|
||||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||||
# system
|
# system
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||||
# INTERFACES
|
# INTERFACES
|
||||||
|
#
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Network Mapping Table
|
# Shorewall 2.2 -- Network Mapping Table
|
||||||
#
|
#
|
||||||
# /etc/shorewall/netmap
|
# /etc/shorewall/netmap
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/params
|
# Shorewall 2.2 /etc/shorewall/params
|
||||||
#
|
#
|
||||||
# Assign any variables that you need here.
|
# Assign any variables that you need here.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Policy File
|
# Shorewall 2.2 -- Policy File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/policy
|
# /etc/shorewall/policy
|
||||||
#
|
#
|
||||||
@ -66,20 +66,24 @@
|
|||||||
# and the size of an acceptable burst. If not specified,
|
# and the size of an acceptable burst. If not specified,
|
||||||
# TCP connections are not limited.
|
# TCP connections are not limited.
|
||||||
#
|
#
|
||||||
# As shipped, the default policies are:
|
# Example:
|
||||||
#
|
#
|
||||||
# a) All connections from the local network to the internet are allowed
|
# a) All connections from the local network to the internet are allowed
|
||||||
# b) All connections from the internet are ignored but logged at syslog
|
# b) All connections from the internet are ignored but logged at syslog
|
||||||
# level KERNEL.INFO.
|
# level KERNEL.INFO.
|
||||||
# d) All other connection requests are rejected and logged at level
|
# d) All other connection requests are rejected and logged at level
|
||||||
# KERNEL.INFO.
|
# KERNEL.INFO.
|
||||||
|
#
|
||||||
|
# #SOURCE DEST POLICY LOG
|
||||||
|
# # LEVEL
|
||||||
|
# loc net ACCEPT
|
||||||
|
# net all DROP info
|
||||||
|
# #
|
||||||
|
# # THE FOLLOWING POLICY MUST BE LAST
|
||||||
|
# #
|
||||||
|
# all all REJECT info
|
||||||
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||||
# LEVEL
|
# LEVEL
|
||||||
loc net ACCEPT
|
|
||||||
net all DROP info
|
|
||||||
#
|
|
||||||
# THE FOLLOWING POLICY MUST BE LAST
|
|
||||||
#
|
|
||||||
all all REJECT info
|
|
||||||
#LAST LINE -- DO NOT REMOVE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
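Review bot: With `loc net ACCEPT`, `net all DROP info` and `all all REJECT info` removed at the end of the hunk, the shipped policy file now contains no policy entries at all, but nothing in the file says so; a comment just above `#LAST LINE -- DO NOT REMOVE` such as `# This file is shipped empty; add at least a final catch-all policy (e.g. all all REJECT info)` would tell an installer that the catch-all must be added rather than leaving it implied. The new commented example block reproduces the former defaults under the heading "Example:" without stating that they are no longer applied, so a reader comparing old and new files may assume the behaviour is unchanged. How Shorewall behaves when the policy file has no entries is not visible in this hunk.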
@ -1,6 +1,6 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Proxy ARP
|
# Shorewall 2.2 -- Proxy ARP
|
||||||
#
|
#
|
||||||
# /etc/shorewall/proxyarp
|
# /etc/shorewall/proxyarp
|
||||||
#
|
#
|
||||||
|
@ -1,235 +1,600 @@
|
|||||||
Shorewall 2.0.16
|
Shorewall 2.2.1
|
||||||
|
|
||||||
----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems Corrected in version 2.0.4
|
Problems corrected in version 2.2.1
|
||||||
|
|
||||||
1) A DNAT rule with 'fw' as the source that specified logging caused
|
1) The /etc/shorewall/policy file contained a misleading comment and
|
||||||
"shorewall start" to fail.
|
both that file and the /etc/shorewall/zones file lacked examples.
|
||||||
|
|
||||||
----------------------------------------------------------------------
|
2) Shorewall previously used root's default umask which could cause
|
||||||
Problems Corrected in version 2.0.5
|
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
||||||
|
umask 0177.
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||||
|
|
||||||
1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
|
1) Shorewall configuration files except shorewall.conf are now empty
|
||||||
"shorewll stop" in the case where DISABLE_IPV6=Yes in
|
(they contain only comments). If you wish to retain the defaults
|
||||||
shorewall.conf.
|
in any of the following files, you should copy these files before
|
||||||
|
upgrading them then restore them after the upgrade:
|
||||||
|
|
||||||
2) An anachronistic reference to the mangle option was removed from
|
/etc/shorewall/zones
|
||||||
shorewall.conf.
|
/etc/shorewall/policy
|
||||||
|
/etc/shorewall/tos
|
||||||
|
|
||||||
----------------------------------------------------------------------
|
2) The following builtin actions have been removed and have been
|
||||||
Problems Corrected in version 2.0.6
|
replaced by the new action logging implementation described in the
|
||||||
|
new features below.
|
||||||
|
|
||||||
1) Some users have reported the pkttype match option in iptables/
|
logNotSyn
|
||||||
Netfilter failing to match certain broadcast packets. The result
|
rLogNotSyn
|
||||||
is that the firewall log shows a lot of broadcast packets.
|
dLogNotSyn
|
||||||
|
|
||||||
Other users have complained of the following message when
|
3) If shorewall.conf is upgraded to the latest version, it needs to be
|
||||||
starting Shorewall:
|
modified to set STARTUP_ENABLED=Yes
|
||||||
|
|
||||||
modprobe: cant locate module ipt_pkttype
|
4) The Leaf/Bering version of Shorewall was previously named:
|
||||||
|
|
||||||
Users experiencing either of these problems can use PKTTYPE=No in
|
shorwall-<version>.lrp
|
||||||
shorewall.conf to cause Shorewall to use IP address filtering of
|
|
||||||
broadcasts rather than packet type.
|
|
||||||
|
|
||||||
2) The shorewall.conf and zones file are no longer given execute
|
Beginning with 2.2, that file will now be named:
|
||||||
permission by the installer script.
|
|
||||||
|
|
||||||
3) ICMP packets that are in the INVALID state are now dropped by the
|
shorewall-lrp-<version>.tgz
|
||||||
|
|
||||||
|
Simply rename that file to 'shorwall.lrp' when installing it on your
|
||||||
|
LEAF/Bering system.
|
||||||
|
|
||||||
|
5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
|
||||||
|
longer contain a second (SNAT) address. You must use an entry in
|
||||||
|
/etc/shorewall/masq instead.
|
||||||
|
|
||||||
|
Example from Shorewall FAQ #1:
|
||||||
|
|
||||||
|
Prior to Shorewall 2.2:
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces
|
||||||
|
|
||||||
|
loc eth1 detect routeback,...
|
||||||
|
|
||||||
|
/etc/shorewall/rules
|
||||||
|
|
||||||
|
DNAT loc loc:192.168.1.12 tcp 80 \
|
||||||
|
- 130.252.100.69:192.168.1.254
|
||||||
|
|
||||||
|
Shorewall 2.2 and Later:
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces
|
||||||
|
|
||||||
|
loc eth1 detect routeback,...
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
eth1 eth1 192.168.1.254 tcp 80
|
||||||
|
|
||||||
|
|
||||||
|
/etc/shorewall/rules:
|
||||||
|
|
||||||
|
DNAT loc loc:192.168.1.12 tcp 80 \
|
||||||
|
- 130.252.100.69
|
||||||
|
|
||||||
|
6) The 'logunclean' and 'dropunclean' options that were deprecated in
|
||||||
|
Shorewall 2.0 have now been removed completely.
|
||||||
|
|
||||||
|
7) A new IPTABLES variable has been added to shorewall.conf. This
|
||||||
|
variable names the iptables executable that Shorewall will use. The
|
||||||
|
variable is set to "/sbin/iptables". If you use the new
|
||||||
|
shorewall.conf, you may need to change this setting to maintain
|
||||||
|
compabibility with your current setup (if you use your existing
|
||||||
|
shorewall.conf that does not set IPTABLES then you should
|
||||||
|
experience no change in behavior).
|
||||||
|
|
||||||
|
8) The default port for OpenVPN tunnels has been changed from 5000 to
|
||||||
|
1194 to reflect the recent IANA allocation of that port for
|
||||||
|
OpenVPN.
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
New Features in Shorewall 2.2.0:
|
||||||
|
|
||||||
|
1) ICMP packets that are in the INVALID state are now dropped by the
|
||||||
Reject and Drop default actions. They do so using the new
|
Reject and Drop default actions. They do so using the new
|
||||||
'dropInvalid' builtin action.
|
'dropInvalid' builtin action. An 'allowInvalid' builtin action is
|
||||||
-----------------------------------------------------------------------
|
also provided which accepts packets in that state.
|
||||||
Problems Corrected in version 2.0.7
|
|
||||||
|
|
||||||
1) The PKTTYPE option introduced in version 2.0.6 is now used when
|
2) The /etc/shorewall/masq file INTERFACE column now allows additional
|
||||||
generating rules to REJECT packets. Broadcast packets are silently
|
options.
|
||||||
dropped rather than being rejected with an ICMP (which is a protocol
|
|
||||||
violation) and users whose kernels have broken packet type match
|
|
||||||
support are likely to see messages reporting this violation.
|
|
||||||
Setting PKTTYPE=No should cause these messages to cease.
|
|
||||||
|
|
||||||
2) Multiple interfaces with the 'blacklist' option no longer result in
|
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT
|
||||||
an error message at startup.
|
rules defined in the /etc/shorewall/nat file. If you preceed the
|
||||||
|
interface name with a plus sign ("+") then the rule will be
|
||||||
3) The following has been added to /etc/shorewall/bogons:
|
evaluated before one-to-one NAT.
|
||||||
|
|
||||||
0.0.0.0 RETURN
|
|
||||||
|
|
||||||
This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
|
|
||||||
broadcasts.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in version 2.0.7
|
|
||||||
|
|
||||||
1) To improve supportability, the "shorewall status" command now
|
|
||||||
includes IP and Route configuration information.
|
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
IP Configuration
|
|
||||||
|
|
||||||
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
|
|
||||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
|
||||||
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
|
|
||||||
inet6 ::1/128 scope host
|
|
||||||
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
|
||||||
link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
|
|
||||||
inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
|
|
||||||
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
|
||||||
link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
|
|
||||||
inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
|
|
||||||
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
|
|
||||||
link/sit 0.0.0.0 brd 0.0.0.0
|
|
||||||
6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
|
||||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
|
||||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
|
||||||
7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
|
|
||||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
|
||||||
inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
|
|
||||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
|
||||||
|
|
||||||
Routing Rules
|
|
||||||
|
|
||||||
0: from all lookup local
|
|
||||||
32765: from all fwmark ca lookup www.out
|
|
||||||
32766: from all lookup main
|
|
||||||
32767: from all lookup default
|
|
||||||
|
|
||||||
Table local:
|
|
||||||
|
|
||||||
broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
|
|
||||||
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
|
|
||||||
local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
|
|
||||||
broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
|
|
||||||
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
|
|
||||||
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
|
|
||||||
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
|
|
||||||
|
|
||||||
Table www.out:
|
|
||||||
|
|
||||||
default via 192.168.1.3 dev br0
|
|
||||||
|
|
||||||
Table main:
|
|
||||||
|
|
||||||
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
|
|
||||||
default via 192.168.1.254 dev br0
|
|
||||||
|
|
||||||
Table default:
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems Corrected in version 2.0.8
|
|
||||||
|
|
||||||
1) User/group restricted rules now work in actions.
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems Corrected in version 2.0.9
|
|
||||||
|
|
||||||
1) Previously, an empty PROTO column or a value of "all" in that column
|
|
||||||
would cause errors when processing the /etc/shorewall/tcrules file.
|
|
||||||
|
|
||||||
New Fewatures in version 2.0.9
|
|
||||||
|
|
||||||
1) The "shorewall status" command now includes the output of "brctl
|
|
||||||
show" if the bridge tools are installed.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in version 2.0.10
|
|
||||||
|
|
||||||
1) The GATEWAY column was previously ignored in 'pptpserver' entries in
|
|
||||||
/etc/shorewall/tunnels.
|
|
||||||
|
|
||||||
2) When log rule numbers are included in the LOGFORMAT, duplicate
|
|
||||||
rule numbers could previously be generated.
|
|
||||||
|
|
||||||
3) The /etc/shorewall/tcrules file now includes a note to the effect
|
|
||||||
that rule evaluation continues after a match.
|
|
||||||
|
|
||||||
4) The error message produced if Shorewall couldn't obtain the routes
|
|
||||||
through an interface named in the SUBNET column of
|
|
||||||
/etc/shorewall/masq was less than helpful since it didn't include
|
|
||||||
the interface name.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in 2.0.10
|
|
||||||
|
|
||||||
The "shorewall status" command has been enhanced to include the values
|
|
||||||
of key /proc settings:
|
|
||||||
|
|
||||||
Example from a two-interface firewall:
|
|
||||||
|
|
||||||
/proc
|
|
||||||
|
|
||||||
/proc/sys/net/ipv4/ip_forward = 1
|
|
||||||
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
|
|
||||||
/proc/sys/net/ipv4/conf/all/arp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/all/rp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
|
|
||||||
/proc/sys/net/ipv4/conf/default/arp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/default/rp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
|
|
||||||
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
|
|
||||||
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in 2.0.11
|
|
||||||
|
|
||||||
1) The INSTALL file now include special instructions for Slackware
|
|
||||||
users.
|
|
||||||
|
|
||||||
2) The bogons file has been updated.
|
|
||||||
|
|
||||||
3) Service names are replaced by port numbers in /etc/shorewall/tos.
|
|
||||||
|
|
||||||
4) A typo in the install.sh file that caused an error during a new
|
|
||||||
install has been corrected.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in 2.0.11
|
|
||||||
|
|
||||||
1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in 2.0.12
|
|
||||||
|
|
||||||
1) A typo in shorewall.conf (NETNOTSYN) has been corrected.
|
|
||||||
|
|
||||||
2) The "shorewall add" and "shorewall delete" commands now work in a
|
|
||||||
bridged environment. The syntax is:
|
|
||||||
|
|
||||||
shorewall add <interface>[:<port>]:<address> <zone>
|
|
||||||
shorewall delete <interface>[:<port>]:<address> <zone>
|
|
||||||
|
|
||||||
Examples:
|
Examples:
|
||||||
|
|
||||||
shorewall add br0:eth2:192.168.1.3 OK
|
+eth0
|
||||||
shorewall delete br0:eth2:192.168.1.3 OK
|
+eth1:192.0.2.32/27
|
||||||
|
|
||||||
3) Previously, "shorewall save" created an out-of-sequence restore
|
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
|
||||||
script. The commands saved in the user's /etc/shorewall/start script
|
entry by following the interface name by ":" but no digit.
|
||||||
were executed prior to the Netfilter configuration being
|
|
||||||
restored. This has been corrected so that "shorewall save" now
|
|
||||||
places those commands at the end of the script.
|
|
||||||
|
|
||||||
To accomplish this change, the "restore base" file
|
Examples:
|
||||||
(/var/lib/shorewall/restore-base) has been split into two files:
|
|
||||||
|
|
||||||
/var/lib/shorewall/restore-base -- commands to be executed before
|
eth0:
|
||||||
Netfilter the configuration is restored.
|
eth1::192.0.2.32/27
|
||||||
|
+eth3:
|
||||||
|
|
||||||
/var/lib/shorewall/restore-tail -- commands to be executed after the
|
3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
|
||||||
Netfilter configuration is restored.
|
you to override the setting of ADD_IP_ALIASES=Yes by following the
|
||||||
|
interface name with ":" but no digit.
|
||||||
|
|
||||||
4) Previously, traffic from the firewall to a dynamic zone member host
|
4) All configuration files in the Shorewall distribution with the
|
||||||
did not need to match the interface specified when the host was
|
exception of shorewall.conf are now empty. In particular, the
|
||||||
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
|
/etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos
|
||||||
zone Z then traffic out of any firewall interface to 1.2.3.4 will
|
files now have no active entries. Hopefully this will stop the
|
||||||
obey the fw->Z policies and rules. This has been corrected.
|
questions on the support and development lists regarding why the
|
||||||
|
default entries are the way they are.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
5) Previously, including a log level (and optionally a log tag) on a
|
||||||
New Features in 2.0.12
|
rule that specified a user-defined (or Shorewall-defined) action
|
||||||
|
would log all traffic passed to the action. Beginning with this
|
||||||
|
release, specifying a log level in a rule that specifies a user-
|
||||||
|
or Shorewall-defined action will cause each rule in the action to
|
||||||
|
be logged with the specified level (and tag).
|
||||||
|
|
||||||
1) Variable expansion may now be used with the INCLUDE directive.
|
The extent to which logging of action rules occurs is goverend by
|
||||||
|
the following:
|
||||||
|
|
||||||
|
a) When you invoke an action and specify a log level, only those
|
||||||
|
rules in the action that have no log level will be changed to log
|
||||||
|
at the level specified at the action invocation.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/action.foo:
|
||||||
|
|
||||||
|
ACCEPT - - tcp 22
|
||||||
|
bar:info
|
||||||
|
|
||||||
|
/etc/shorewall/rules:
|
||||||
|
|
||||||
|
foo:debug fw net
|
||||||
|
|
||||||
|
Logging in the invoked 'foo' action will be:
|
||||||
|
|
||||||
|
ACCEPT:debug - - tcp 22
|
||||||
|
bar:info
|
||||||
|
|
||||||
|
b) If you follow the log level with "!" then logging will
|
||||||
|
be at that level for all rules recursively invoked by the action
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/action.foo:
|
||||||
|
|
||||||
|
ACCEPT - - tcp 22
|
||||||
|
bar:info
|
||||||
|
|
||||||
|
/etc/shorewall/rules:
|
||||||
|
|
||||||
|
foo:debug! fw net
|
||||||
|
|
||||||
|
Logging in the invoke 'foo' action will be:
|
||||||
|
|
||||||
|
ACCEPT:debug - - tcp 22
|
||||||
|
bar:debug!
|
||||||
|
|
||||||
|
This change has an effect on extension scripts used with
|
||||||
|
user-defined actions. If you define an action 'acton' and you have
|
||||||
|
an /etc/shorewall/acton script then when that script is invoked,
|
||||||
|
the following three variables will be set for use by the script:
|
||||||
|
|
||||||
|
$CHAIN = the name of the chain where your rules are to be
|
||||||
|
placed. When logging is used on an action invocation,
|
||||||
|
Shorewall creates a chain with a slightly different name from
|
||||||
|
the action itself.
|
||||||
|
|
||||||
|
$LEVEL = Log level. If empty, no logging was specified.
|
||||||
|
|
||||||
|
$TAG = Log Tag.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/rules:
|
||||||
|
|
||||||
|
acton:info:test
|
||||||
|
|
||||||
|
Your /etc/shorewall/acton file will be run with:
|
||||||
|
|
||||||
|
$CHAIN="%acton1"
|
||||||
|
$LEVEL="info"
|
||||||
|
$TAG="test"
|
||||||
|
|
||||||
|
6) The /etc/shorewall/startup_disabled file is no longer created when
|
||||||
|
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
|
||||||
|
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
|
||||||
|
Shorewall to start, that variable's value must be set to
|
||||||
|
'Yes'. This change accomplishes two things:
|
||||||
|
|
||||||
|
a) It prevents Shorewall from being started prematurely by the
|
||||||
|
user's initialization scripts.
|
||||||
|
|
||||||
|
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
||||||
|
it won't be replaced by upgrades using RPM.
|
||||||
|
|
||||||
|
7) Some additional support has been added for the 2.6 Kernel IPSEC
|
||||||
|
implementation. To use this support, you must have installed the
|
||||||
|
IPSEC policy match patch and the four IPSEC/Netfilter patches
|
||||||
|
from Patch-0-Matic-ng. The policy match patch affects both your
|
||||||
|
kernel and iptables.
|
||||||
|
|
||||||
|
There are two ways to specify that IPSEC is to be used when
|
||||||
|
communicating with a set of hosts; both methods involve the new
|
||||||
|
/etc/shorewall/ipsec file:
|
||||||
|
|
||||||
|
a) If encrypted communication is used with all hosts in a zone,
|
||||||
|
then you can designate the zone as an "ipsec" zone by placing
|
||||||
|
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
|
||||||
|
|
||||||
|
#ZONE IPSEC OPTIONS ...
|
||||||
|
# ONLY
|
||||||
|
vpn Yes
|
||||||
|
|
||||||
|
The hosts in the zone (if any) must be specified in
|
||||||
|
/etc/shorewall/hosts but you do not need to specify the 'ipsec'
|
||||||
|
option on the entries in that file (see below).
|
||||||
|
|
||||||
|
Dynamic zones involving IPSEC must use that technique.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
Under 2.4 Kernel FreeS/Wan:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
net Net The big bad Internet
|
||||||
|
vpn VPN Remote Network
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
net eth0 ...
|
||||||
|
vpn ipsec0 ...
|
||||||
|
|
||||||
|
Under 2.6 Kernel with this new support:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
net Net The big bad Internet
|
||||||
|
vpn VPN Remote Network
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
net eth0 ...
|
||||||
|
|
||||||
|
/etc/shorewall/hosts:
|
||||||
|
|
||||||
|
vpn eth0:0.0.0.0/0
|
||||||
|
|
||||||
|
/etc/shorewall/ipsec
|
||||||
|
|
||||||
|
vpn Yes
|
||||||
|
|
||||||
|
b) If only part of the hosts in a zone require encrypted
|
||||||
|
communication, you may use of the new 'ipsec' option in
|
||||||
|
/etc/shorewall/hosts to designate those hosts.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
Under 2.4 Kernel FreeS/Wan:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
net Net The big bad Internet
|
||||||
|
loc Local Extended local zone
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
net eth0 ...
|
||||||
|
loc eth1 ...
|
||||||
|
loc ipsec0 ...
|
||||||
|
|
||||||
|
Under 2.6 Kernel with this new support:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
net Net The big bad Internet
|
||||||
|
vpn VPN Remote Network
|
||||||
|
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
net eth0 ...
|
||||||
|
loc eth1 ...
|
||||||
|
|
||||||
|
/etc/shorewall/hosts:
|
||||||
|
|
||||||
|
vpn eth0:0.0.0.0/0 ipsec,...
|
||||||
|
|
||||||
|
Regardless of which technique you choose, you can specify
|
||||||
|
additional SA options for the zone in the /etc/shorewall/ipsec
|
||||||
|
entry.
|
||||||
|
|
||||||
|
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
||||||
|
input-output, input and output characteristics of the security
|
||||||
|
associations to be used to decrypt (input) or encrypt (output) traffic
|
||||||
|
to/from the zone.
|
||||||
|
|
||||||
|
The available options are:
|
||||||
|
|
||||||
|
reqid[!]=<number> where <number> is specified using setkey(8) using
|
||||||
|
the 'unique:<number>' option for the SPD level.
|
||||||
|
|
||||||
|
spi[!]=<number> where <number> is the SPI of the SA. Since
|
||||||
|
different SAs are used to encrypt and decrypt traffic, this
|
||||||
|
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
||||||
|
columns.
|
||||||
|
|
||||||
|
proto[!]=ah|esp|ipcomp
|
||||||
|
|
||||||
|
mss=<number> (sets the MSS value in TCP SYN packets and is not
|
||||||
|
related to policy matching)
|
||||||
|
|
||||||
|
mode[!]=transport|tunnel
|
||||||
|
|
||||||
|
tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel)
|
||||||
|
|
||||||
|
tunnel-dst[!]=<address>[/<mask>] (only available with
|
||||||
|
mode=tunnel). Because tunnel source and destination are
|
||||||
|
dependent on the direction of the traffic, these options
|
||||||
|
should only appear in the IN OPTIONS and OUT OPTIONS columns.
|
||||||
|
|
||||||
|
strict (if specified, packets must match all policies;
|
||||||
|
policies are delimited by 'next').
|
||||||
|
|
||||||
|
next (only available with strict)
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
#ZONE IPSEC OPTIONS IN OUT...
|
||||||
|
# ONLY OPTIONS OPTIONS
|
||||||
|
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||||
|
loc No reqid=44,mode=transport
|
||||||
|
|
||||||
|
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||||
|
specify Yes or yes in that column then the unencrypted packets will
|
||||||
|
have their source address changed. Otherwise, the unencrypted
|
||||||
|
packets will not have their source addresses changed. This column
|
||||||
|
may also contain a comma-separated list of the options specified
|
||||||
|
above in which case only those packets that will be encrypted
|
||||||
|
by an SA matching the given options will have their source address
|
||||||
|
changed.
|
||||||
|
|
||||||
|
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||||
|
enforce the use of source port 500 for ISAKMP and OpenVPN
|
||||||
|
tunnels no longer enforce use of the specified port as both the
|
||||||
|
source and destination ports.
|
||||||
|
|
||||||
|
9) A new 'allowBcast' builtin action has been added -- it silently
|
||||||
|
allows broadcasts and multicasts.
|
||||||
|
|
||||||
|
10) The -c option in /sbin/shorewall commands is now deprecated. The
|
||||||
|
commands where -c was previously allowed now permit you to specify
|
||||||
|
a configuration directory after the command:
|
||||||
|
|
||||||
|
shorewall check [ <configuration-directory> ]
|
||||||
|
shorewall restart [ <configuration-directory> ]
|
||||||
|
shorewall start [ <configuration-directory> ]
|
||||||
|
|
||||||
|
11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp
|
||||||
|
connection, Netfilter attempts to retain the source port
|
||||||
|
number. If it has to change to port number to avoid
|
||||||
|
<source address>,<source port> conflicts, it tries to do so
|
||||||
|
within port ranges ( < 512, 512-1023, and > 1023). You may
|
||||||
|
now specify an explicit range of source ports to be used
|
||||||
|
by following the address or address range (if any) in the
|
||||||
|
ADDRESS column with ":" and a port range in the format
|
||||||
|
<low-port>-<high-port>. You must specify either "tcp" or
|
||||||
|
"udp" in the PROTO column.
|
||||||
|
|
||||||
|
Examples 1 -- MASQUERADE with tcp source ports 4000-5000:
|
||||||
|
|
||||||
|
#INTERFACE SUBNET ADDRESS PROTO
|
||||||
|
eth0 192.168.1.0/24 :4000-5000 tcp
|
||||||
|
|
||||||
|
Example 2 -- SNAT with udp source ports 7000-8000:
|
||||||
|
|
||||||
|
#INTERFACE SUBNET ADDRESS PROTO
|
||||||
|
eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp
|
||||||
|
|
||||||
|
12) You may now account by user/group ID for outbound traffic from the
|
||||||
|
firewall itself with entries in /etc/shorewall/accounting. Such
|
||||||
|
accounting rules must be placed in the OUTPUT chain.
|
||||||
|
|
||||||
|
See the comments at the top of /etc/shorewall/accounting for
|
||||||
|
details.
|
||||||
|
|
||||||
|
13) Shorewall now verifies that your kernel and iptables have physdev
|
||||||
|
match support if BRIDGING=Yes in shorewall.conf.
|
||||||
|
|
||||||
|
14) Beginning with this release, if your kernel and iptables have
|
||||||
|
iprange match support (see the output from "shorewall check"), then
|
||||||
|
with the exception of the /etc/shorewall/netmap file, anywhere that
|
||||||
|
a network address may appear an IP address range of the form <low
|
||||||
|
address>-<high address> may also appear.
|
||||||
|
|
||||||
|
15) Support has been added for the iptables CLASSIFY target. That
|
||||||
|
target allows you to classify packets for traffic shaping directly
|
||||||
|
rather than indirectly through fwmark. Simply enter the
|
||||||
|
<major>:<minor> classification in the first column of
|
||||||
|
/etc/shorewall/tcrules:
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
#MARK/ SOURCE DEST PROTO PORT(S)
|
||||||
|
#CLASSIFY
|
||||||
|
1:30 - eth0 tcp 25
|
||||||
|
|
||||||
|
Note that when using this form of rule, it is acceptable to include
|
||||||
|
the name of an interface in the DEST column.
|
||||||
|
|
||||||
|
Marking using the CLASSIFY target always occurs in the POSTROUTING
|
||||||
|
chain of the mangle table and is not affected by the setting of
|
||||||
|
MARK_IN_FORWARD_CHAIN in shorewall.conf.
|
||||||
|
|
||||||
|
16) During "shorewall start", IP addresses to be added as a consequence
|
||||||
|
of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
|
||||||
|
when /etc/shorewall/nat and /etc/shorewall/masq are processed then
|
||||||
|
the are re-added later. This is done to help ensure that the
|
||||||
|
addresses can be added with the specified labels but can have
|
||||||
|
the undesirable side effect of causing routes to be quietly
|
||||||
|
deleted. A new RETAIN_ALIASES option has been added to
|
||||||
|
shorewall.conf; when this option is set to Yes, existing addresses
|
||||||
|
will not be deleted. Regardless of the setting of RETAIN_ALIASES,
|
||||||
|
addresses added during "shorewall start" are still deleted at a
|
||||||
|
subsequent "shorewall stop" or "shorewall restart".
|
||||||
|
|
||||||
|
17) Users with a large black list (from /etc/shorewall/blacklist) may
|
||||||
|
want to set the new DELAYBLACKLISTLOAD option in
|
||||||
|
shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
|
||||||
|
enable new connections before loading the blacklist rules. While
|
||||||
|
this may allow connections from blacklisted hosts to slip by during
|
||||||
|
construction of the blacklist, it can substantially reduce the time
|
||||||
|
that all new connections are disabled during "shorewall [re]start".
|
||||||
|
|
||||||
|
18) Using the default LOGFORMAT, chain names longer than 11 characters
|
||||||
|
(such as in user-defined actions) may result in log prefix
|
||||||
|
truncation. A new shorewall.conf action LOGTAGONLY has been added
|
||||||
|
to deal with this problem. When LOGTAGONLY=Yes, logging rules that
|
||||||
|
specify a log tag will substitute the tag for the chain name in the
|
||||||
|
log prefix.
|
||||||
|
|
||||||
|
Example -- file /etc/shorewall/action.thisisaverylogactionname:
|
||||||
|
|
||||||
|
Rule:
|
||||||
|
|
||||||
|
DROP:info:ftp 0.0.0.0/0 0.0.0.0/0 tcp 21
|
||||||
|
|
||||||
|
Log prefix with LOGTAGONLY=No:
|
||||||
|
|
||||||
|
Shorewall:thisisaverylongacti
|
||||||
|
|
||||||
|
Log prefix with LOGTAGONLY=Yes:
|
||||||
|
|
||||||
|
Shorewall:ftp:DROP
|
||||||
|
|
||||||
|
19) Shorewall now resets the 'accept_source_route' flag for all
|
||||||
|
interfaces. If you wish to accept source routing on an interface,
|
||||||
|
you must specify the new 'sourceroute' interface option in
|
||||||
|
/etc/shorewall/interfaces.
|
||||||
|
|
||||||
|
20) The default Drop and Reject actions now invoke the new standard
|
||||||
|
action 'AllowICMPs'. This new action accepts critical ICMP types:
|
||||||
|
|
||||||
|
Type 3 code 4 (fragmentation needed)
|
||||||
|
Type 11 (TTL exceeded)
|
||||||
|
|
||||||
|
21) Explicit control over the kernel's Martian logging is now provided
|
||||||
|
using the new 'logmartians' interface option. If you include
|
||||||
|
'logmartians' in the interface option list then logging of Martian
|
||||||
|
packets on will be enabled on the specified interface.
|
||||||
|
If you wish to globally enable martian logging, you can set
|
||||||
|
LOG_MARTIANS=Yes in shorewall.conf.
|
||||||
|
|
||||||
|
22) You may now cause Shorewall to use the '--set-mss' option of the
|
||||||
|
TCPMSS target. In other words, you can cause Shorewall to set the
|
||||||
|
MSS field of SYN packets passing through the firewall to the value
|
||||||
|
you specify. This feature extends the existing CLAMPMSS option in
|
||||||
|
/etc/shorewall/shorewall.conf by allowing that option to have a
|
||||||
|
numeric value as well as the values "Yes" and "No".
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
CLAMPMSS=1400
|
||||||
|
|
||||||
|
23) Shorewall now includes support for the ipp2p match facility. This
|
||||||
|
is a departure from my usual policy in that the ipp2p match
|
||||||
|
facility is included in Patch-O-Matic-NG and is unlikely to ever be
|
||||||
|
included in the kernel.org source tree. Questions about how to
|
||||||
|
install the patch or how to build your kernel and/or iptables
|
||||||
|
should not be posted on the Shorewall mailing lists.
|
||||||
|
|
||||||
|
In the following files, the "PROTO" or "PROTOCOL" column may
|
||||||
|
contain "ipp2p":
|
||||||
|
|
||||||
|
/etc/shorewall/rules
|
||||||
|
/etc/shorewall/tcrules
|
||||||
|
/etc/shorewall/accounting
|
||||||
|
|
||||||
|
When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
||||||
|
PORT(S) or PORT(S) column may contain a recognized ipp2p option;
|
||||||
|
for a list of the options and their meaning, at a root prompt:
|
||||||
|
|
||||||
|
iptables -m ipp2p --help
|
||||||
|
|
||||||
|
You must not include the leading "--" on the option; Shorewall will
|
||||||
|
supply those characters for you. If you do not include an option
|
||||||
|
then "ipp2p" is assumed (Shorewall will generate "-m ipp2p
|
||||||
|
--ipp2p").
|
||||||
|
|
||||||
|
24) Shorewall now has support for the CONNMARK target from iptables.
|
||||||
|
See the /etc/shorewall/tcrules file for details.
|
||||||
|
|
||||||
|
25) A new debugging option LOGALLNEW has been added to
|
||||||
|
shorewall.conf. When set to a log level, this option causes
|
||||||
|
Shorewall to generaate a logging rule as the first rule in each
|
||||||
|
builtin chain.
|
||||||
|
|
||||||
|
- The table name is used as the chain name in the log prefix.
|
||||||
|
- The chain name is used as the target in the log prefix.
|
||||||
|
|
||||||
|
Example: Using the default LOGFORMAT, the log prefix for logging
|
||||||
|
from the nat table's PREROUTING chain is:
|
||||||
|
|
||||||
|
Shorewall:nat:PREROUTING
|
||||||
|
|
||||||
|
IMPORTANT: There is no rate limiting on these logging rules so
|
||||||
|
use LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||||
|
utilization and you may not be able to control your firewall after
|
||||||
|
you enable this option.
|
||||||
|
|
||||||
|
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
||||||
|
BE SENT TO ANOTHER SYSTEM.
|
||||||
|
|
||||||
|
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
|
||||||
|
SUBNETS and it is now possible to specify a list of addresses in
|
||||||
|
that column.
|
||||||
|
|
||||||
|
27) The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS).
|
||||||
|
|
||||||
|
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
|
||||||
|
been renamed SOURCE PORT(S).
|
||||||
|
|
||||||
|
29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
|
||||||
|
in the output of "shorewall status".
|
||||||
|
|
||||||
|
30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
|
||||||
|
can be used to designate the iptables executable to be used by
|
||||||
|
Shorewall. If not specified, the iptables executable determined by
|
||||||
|
the PATH setting is used.
|
||||||
|
|
||||||
|
31) You can now use the "shorewall show zones" command to display the
|
||||||
|
current contents of the zones. This is particularly useful if you
|
||||||
|
use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
ursa:/etc/shorewall # shorewall show zones
|
||||||
|
Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004
|
||||||
|
|
||||||
|
loc
|
||||||
|
eth0:192.168.1.0/24
|
||||||
|
eth1:1.2.3.4
|
||||||
|
net
|
||||||
|
eth0:0.0.0.0/0
|
||||||
|
WiFi
|
||||||
|
eth1:0.0.0.0/0
|
||||||
|
sec
|
||||||
|
eth1:0.0.0.0/0
|
||||||
|
|
||||||
|
ursa:/etc/shorewall #
|
||||||
|
|
||||||
|
32) Variable expansion may now be used with the INCLUDE directive.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
@ -240,46 +605,18 @@ New Features in 2.0.12
|
|||||||
Any other config file:
|
Any other config file:
|
||||||
|
|
||||||
INCLUDE $FILE
|
INCLUDE $FILE
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in 2.0.13
|
|
||||||
|
|
||||||
1) A typo in /usr/share/shorewall/firewall caused the following:
|
33) The output of "shorewall status" now includes the results of "ip
|
||||||
|
-stat link ls". This helps diagnose performance problems caused by
|
||||||
|
link errors.
|
||||||
|
|
||||||
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
|
34) Previously, when rate-limiting was specified in
|
||||||
not found
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in 2.0.14
|
|
||||||
|
|
||||||
1) Previously, when rate-limiting was specified in
|
|
||||||
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
||||||
exceeded the specified rate was silently dropped. Now, if a log
|
exceeded the specified rate was silently dropped. Now, if a log
|
||||||
level is given in the entry (LEVEL column) then drops are logged at
|
level is given in the entry (LEVEL column) then drops are logged at
|
||||||
that level at a rate of 5/min with a burst of 5.
|
that level at a rate of 5/min with a burst of 5.
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in 2.0.14
|
|
||||||
|
|
||||||
1) A typo in the /etc/shorewall/interfaces file has been fixed.
|
35) Recent 2.6 kernels include code that evaluates TCP packets based on
|
||||||
|
|
||||||
2) "bad variable" error messages occurring during "shorewall stop" and
|
|
||||||
"shorewall clear" have been eliminated.
|
|
||||||
|
|
||||||
3) A misleading typo in /etc/shorewall/tunnels has been corrected.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in 2.0.15
|
|
||||||
|
|
||||||
1) The range of ports opened by the AllowTrcrt action has been
|
|
||||||
expanded to 33434:33524.
|
|
||||||
|
|
||||||
2) Code mis-ported from 2.2.0 caused the following error during
|
|
||||||
"shorewall start" where SYN rate-limiting is present in
|
|
||||||
/etc/shorewall/policy:
|
|
||||||
|
|
||||||
Bad argument `DROP'
|
|
||||||
Try `iptables -h' or 'iptables --help' for more information.
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in 2.0.16
|
|
||||||
|
|
||||||
1) Recent 2.6 kernels include code that evaluates TCP packets based on
|
|
||||||
TCP Window analysis. This can cause packets that were previously
|
TCP Window analysis. This can cause packets that were previously
|
||||||
classified as NEW or ESTABLISHED to be classified as INVALID.
|
classified as NEW or ESTABLISHED to be classified as INVALID.
|
||||||
|
|
||||||
@ -299,3 +636,52 @@ New Features in 2.0.16
|
|||||||
|
|
||||||
If not specified or if specified as empty (e.g., DROPINVALID="")
|
If not specified or if specified as empty (e.g., DROPINVALID="")
|
||||||
then DROPINVALID=Yes is assumed.
|
then DROPINVALID=Yes is assumed.
|
||||||
|
|
||||||
|
36) The "shorewall add" and "shorewall delete" commands now accept a
|
||||||
|
list of hosts to add or delete.
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
|
||||||
|
shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
|
||||||
|
|
||||||
|
The above commands may also be written:
|
||||||
|
|
||||||
|
shorewall add eth1:1.2.3.4,2.3.4.5 z12
|
||||||
|
shorewall delete eth1:1.2.3.4,2.3.4.5 z12
|
||||||
|
|
||||||
|
37) TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
|
||||||
|
type. OpenVPN entries in /etc/shorewall/tunnels have this format:
|
||||||
|
|
||||||
|
openvpn[:{tcp|udp}][:<port>] <zone> <gateway>
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
openvpn:tcp net 1.2.3.4 # TCP tunnel on port 1194
|
||||||
|
openvpn:3344 net 1.2.3.4 # UDP on port 3344
|
||||||
|
openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455
|
||||||
|
|
||||||
|
38) A new 'ipsecvpn' script is included in the tarball and in the
|
||||||
|
RPM. The RPM installs the file in the Documentation directory
|
||||||
|
(/usr/share/doc/packages/shorewall-2.2.0-0RC1).
|
||||||
|
|
||||||
|
This script is intended for use on Roadwarrior laptops for
|
||||||
|
establishing an IPSEC SA to/from remote networks. The script has
|
||||||
|
some limitations:
|
||||||
|
|
||||||
|
- Only one instance of the script may be used at a time.
|
||||||
|
- Only the first SPD accessed will be instantiated at the remote
|
||||||
|
gateway. So while the script creates SPDs to/from the remote
|
||||||
|
gateway and each network listed in the NETWORKS setting at the
|
||||||
|
front of the script, only one of these may be used at a time.
|
||||||
|
|
||||||
|
39) The IANA has recently registered port 1194 for use by OpenVPN. In
|
||||||
|
previous versions of Shorewall (and OpenVPN), the default port was
|
||||||
|
5000 but has been changed to 1194 to conform to the new OpenVPN
|
||||||
|
default.
|
||||||
|
|
||||||
|
40) The output of "shorewall status" now lists the loaded netfilter
|
||||||
|
kernel modules.
|
||||||
|
|
||||||
|
41) The range of UDP ports opened by the AllowTrcrt action has been
|
||||||
|
increased to 33434:33524.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0-- RFC1918 File
|
# Shorewall 2.2 -- RFC1918 File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rfc1918
|
# /etc/shorewall/rfc1918
|
||||||
#
|
#
|
||||||
@ -12,14 +12,17 @@
|
|||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# SUBNET The subnet (host addresses also allowed)
|
# SUBNETS A comma-separated list of subnet addresses
|
||||||
|
# (host addresses also allowed as are IP
|
||||||
|
# address ranges provided that your kernel and iptables
|
||||||
|
# have iprange match support).
|
||||||
# TARGET Where to send packets to/from this subnet
|
# TARGET Where to send packets to/from this subnet
|
||||||
# RETURN - let the packet be processed normally
|
# RETURN - let the packet be processed normally
|
||||||
# DROP - silently drop the packet
|
# DROP - silently drop the packet
|
||||||
# logdrop - log then drop
|
# logdrop - log then drop
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SUBNET TARGET
|
#SUBNETS TARGET
|
||||||
172.16.0.0/12 logdrop # RFC 1918
|
172.16.0.0/12 logdrop # RFC 1918
|
||||||
192.168.0.0/16 logdrop # RFC 1918
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
10.0.0.0/8 logdrop # RFC 1918
|
10.0.0.0/8 logdrop # RFC 1918
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
|
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
|
||||||
#
|
#
|
||||||
# /etc/shorewall/routestopped
|
# /etc/shorewall/routestopped
|
||||||
#
|
#
|
||||||
@ -12,6 +12,10 @@
|
|||||||
# INTERFACE - Interface through which host(s) communicate with
|
# INTERFACE - Interface through which host(s) communicate with
|
||||||
# the firewall
|
# the firewall
|
||||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
|
# addresses. If your kernel and iptables include
|
||||||
|
# iprange match support, IP address ranges are also
|
||||||
|
# allowed.
|
||||||
|
#
|
||||||
# If left empty or supplied as "-",
|
# If left empty or supplied as "-",
|
||||||
# 0.0.0.0/0 is assumed.
|
# 0.0.0.0/0 is assumed.
|
||||||
# OPTIONS - (Optional) A comma-separated list of
|
# OPTIONS - (Optional) A comma-separated list of
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.0 - Rules File
|
# Shorewall version 2.2 - Rules File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rules
|
# /etc/shorewall/rules
|
||||||
#
|
#
|
||||||
@ -72,6 +72,20 @@
|
|||||||
# DNAT:debug). This causes the packet to be
|
# DNAT:debug). This causes the packet to be
|
||||||
# logged at the specified level.
|
# logged at the specified level.
|
||||||
#
|
#
|
||||||
|
# If the ACTION names an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std then:
|
||||||
|
#
|
||||||
|
# - If the log level is followed by "!' then all rules
|
||||||
|
# in the action are logged at the log level.
|
||||||
|
#
|
||||||
|
# - If the log level is not followed by "!" then only
|
||||||
|
# those rules in the action that do not specify
|
||||||
|
# logging are logged at the specified level.
|
||||||
|
#
|
||||||
|
# - The special log level 'none!' suppresses logging
|
||||||
|
# by the action.
|
||||||
|
#
|
||||||
# You may also specify ULOG (must be in upper case) as a
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
# log level.This will log to the ULOG target for routing
|
# log level.This will log to the ULOG target for routing
|
||||||
# to a separate log through use of ulogd
|
# to a separate log through use of ulogd
|
||||||
@ -104,6 +118,10 @@
|
|||||||
# address; mac addresses must begin with "~" and must use
|
# address; mac addresses must begin with "~" and must use
|
||||||
# "-" as a separator.
|
# "-" as a separator.
|
||||||
#
|
#
|
||||||
|
# Hosts may be specified as an IP address range using the
|
||||||
|
# syntax <low address>-<high address>. This requires that
|
||||||
|
# your kernel and iptables contain iprange match support.
|
||||||
|
#
|
||||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||||
#
|
#
|
||||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||||
@ -115,6 +133,10 @@
|
|||||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||||
# MAC address 00:A0:C9:15:39:78.
|
# MAC address 00:A0:C9:15:39:78.
|
||||||
#
|
#
|
||||||
|
# net:192.0.2.11-192.0.2.17
|
||||||
|
# Hosts 192.0.2.11-192.0.2.17 in
|
||||||
|
# the net zone.
|
||||||
|
#
|
||||||
# Alternatively, clients may be specified by interface
|
# Alternatively, clients may be specified by interface
|
||||||
# by appending ":" to the zone name followed by the
|
# by appending ":" to the zone name followed by the
|
||||||
# interface name. For example, loc:eth1 specifies a
|
# interface name. For example, loc:eth1 specifies a
|
||||||
@ -145,7 +167,7 @@
|
|||||||
# 3. You may not specify both an interface and
|
# 3. You may not specify both an interface and
|
||||||
# an address.
|
# an address.
|
||||||
#
|
#
|
||||||
# Unlike in the SOURCE column, you may specify a range of
|
# Like in the SOURCE column, you may specify a range of
|
||||||
# up to 256 IP addresses using the syntax
|
# up to 256 IP addresses using the syntax
|
||||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||||
# the connections will be assigned to addresses in the
|
# the connections will be assigned to addresses in the
|
||||||
@ -166,14 +188,20 @@
|
|||||||
# contain the port number on the firewall that the
|
# contain the port number on the firewall that the
|
||||||
# request should be redirected to.
|
# request should be redirected to.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
# "all".
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
#
|
#
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example "bit"
|
||||||
|
# for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
# A port range is expressed as <low port>:<high port>.
|
# A port range is expressed as <low port>:<high port>.
|
||||||
#
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
@ -195,8 +223,8 @@
|
|||||||
# ranges.
|
# ranges.
|
||||||
#
|
#
|
||||||
# If you don't want to restrict client ports but need to
|
# If you don't want to restrict client ports but need to
|
||||||
# specify an ORIGINAL DEST in the next column, then
|
# specify an ORIGINAL DEST in the next column, then place
|
||||||
# place "-" in this column.
|
# "-" in this column.
|
||||||
#
|
#
|
||||||
# If your kernel contains multi-port match support, then
|
# If your kernel contains multi-port match support, then
|
||||||
# only a single Netfilter rule will be generated if in
|
# only a single Netfilter rule will be generated if in
|
||||||
@ -223,14 +251,6 @@
|
|||||||
# destination address in the connection request does not
|
# destination address in the connection request does not
|
||||||
# match any of the addresses listed.
|
# match any of the addresses listed.
|
||||||
#
|
#
|
||||||
# The address (list) may optionally be followed by
|
|
||||||
# a colon (":") and a second IP address. This causes
|
|
||||||
# Shorewall to use the second IP address as the source
|
|
||||||
# address in forwarded packets. See the Shorewall
|
|
||||||
# documentation for restrictions concerning this feature.
|
|
||||||
# If no source IP address is given, the original source
|
|
||||||
# address is not altered.
|
|
||||||
#
|
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
# this colume:
|
# this colume:
|
||||||
#
|
#
|
||||||
@ -281,9 +301,9 @@
|
|||||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||||
# a maximum burst of 10
|
# a maximum burst of 10
|
||||||
#
|
#
|
||||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# # PORT PORT(S) DEST
|
# # PORT PORT(S) DEST LIMIT
|
||||||
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
|
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||||
#
|
#
|
||||||
# Example: Redirect all locally-originating www connection requests to
|
# Example: Redirect all locally-originating www connection requests to
|
||||||
# port 3128 on the firewall (Squid running on the firewall
|
# port 3128 on the firewall (Squid running on the firewall
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
|
# Shorewall Packet Filtering Firewall Control Program - V2.2
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# This file should be placed in /sbin/shorewall.
|
# This file should be placed in /sbin/shorewall.
|
||||||
#
|
#
|
||||||
@ -134,6 +134,24 @@ showchain() # $1 = name of chain
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
|
||||||
|
#
|
||||||
|
|
||||||
|
iptablesbug()
|
||||||
|
{
|
||||||
|
if qt which awk ; then
|
||||||
|
awk 'BEGIN {sline=""; };\
|
||||||
|
/^-j/ { print sline $0; next };\
|
||||||
|
/-m policy.*-j/ { print $0; next };\
|
||||||
|
/-m policy/ { sline=$0; next };\
|
||||||
|
{print ; sline="" }'
|
||||||
|
else
|
||||||
|
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
|
||||||
|
cat
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Validate the value of RESTOREFILE
|
# Validate the value of RESTOREFILE
|
||||||
#
|
#
|
||||||
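Review bot: The awk program in the new iptablesbug() needs a comment that says what it does, because the header only says it works around a bug: it holds back a line containing `-m policy` that has no `-j`, prints it joined to the following line that begins with `-j`, lets a line that already carries both `-m policy` and `-j` through as is, and prints everything else unchanged. The no-awk branch passes stdin through `cat` unmodified and exits 0, so the "may be unusable" warning on stderr is the only indication that the policy lines were not repaired; the header should say that the save still completes in that case. Suggested header: `# Re-joins a '-m policy ...' rule that iptables-save emits split from its '-j TARGET' line; without awk the input is passed through unchanged and only a warning is printed.`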
@ -174,6 +192,19 @@ get_config() {
|
|||||||
|
|
||||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||||
|
|
||||||
|
if [ -n "$IPTABLES" ]; then
|
||||||
|
if [ ! -e "$IPTABLES" ]; then
|
||||||
|
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
IPTABLES=$(which iptables 2> /dev/null)
|
||||||
|
if [ -z "$IPTABLES" ] ; then
|
||||||
|
echo " ERROR: Can't find iptables executable" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||||
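Review bot: The new IPTABLES check in get_config tests `-e`, but the message it prints says "does not exist or is not executable"; `if [ ! -x "$IPTABLES" ]; then` makes the test match the message and also catches a path that exists but cannot be run (the SHOREWALL_SHELL check in the context lines below has the same mismatch, though that is not new here). When IPTABLES is unset the fallback takes whatever `which iptables` finds on the caller's PATH; since this script runs as root, that is only safe if PATH is pinned earlier in the script, which this hunk does not show — worth confirming, or trying a fixed absolute location before consulting PATH. The resulting value is expanded unquoted at every later `$IPTABLES` call site, so a configured path containing whitespace would be split.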
@ -205,7 +236,7 @@ display_chains()
|
|||||||
TMPFILE=$(mktempfile)
|
TMPFILE=$(mktempfile)
|
||||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||||
|
|
||||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||||
|
|
||||||
clear
|
clear
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
@ -288,7 +319,7 @@ display_chains()
|
|||||||
|
|
||||||
qt rm -f $TMPFILE
|
qt rm -f $TMPFILE
|
||||||
else
|
else
|
||||||
iptables -L -n -v
|
$IPTABLES -L -n -v
|
||||||
timed_read
|
timed_read
|
||||||
fi
|
fi
|
||||||
trap - 1 2 3 4 5 6 9
|
trap - 1 2 3 4 5 6 9
|
||||||
@ -315,10 +346,9 @@ packet_log() # $1 = number of messages
|
|||||||
|
|
||||||
[ -n "$realtail" ] && options="-n$1"
|
[ -n "$realtail" ] && options="-n$1"
|
||||||
|
|
||||||
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
|
grep "${LOGFORMAT}" $LOGFILE | \
|
||||||
sed s/" kernel:"// | \
|
sed s/" kernel:"// | \
|
||||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
|
||||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||||
tail $options
|
tail $options
|
||||||
}
|
}
|
||||||
@ -388,9 +418,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
# an 'interesting' packet count changes
|
# an 'interesting' packet count changes
|
||||||
{
|
{
|
||||||
|
|
||||||
get_config
|
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
let "timeout=- $1"
|
let "timeout=- $1"
|
||||||
@ -423,7 +452,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
show_reset
|
show_reset
|
||||||
|
|
||||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ "$rejects" != "$oldrejects" ]; then
|
if [ "$rejects" != "$oldrejects" ]; then
|
||||||
oldrejects="$rejects"
|
oldrejects="$rejects"
|
||||||
@ -450,7 +479,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
echo
|
echo
|
||||||
echo "NAT Status"
|
echo "NAT Status"
|
||||||
echo
|
echo
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear
|
||||||
@ -459,7 +488,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
echo
|
echo
|
||||||
echo "TOS/MARK Status"
|
echo "TOS/MARK Status"
|
||||||
echo
|
echo
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear
|
||||||
@ -498,9 +527,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
# an 'interesting' packet count changes
|
# an 'interesting' packet count changes
|
||||||
{
|
{
|
||||||
|
|
||||||
get_config
|
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
timeout=$((- $1))
|
timeout=$((- $1))
|
||||||
@ -522,7 +550,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
show_reset
|
show_reset
|
||||||
|
|
||||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ "$rejects" != "$oldrejects" ]; then
|
if [ "$rejects" != "$oldrejects" ]; then
|
||||||
oldrejects="$rejects"
|
oldrejects="$rejects"
|
||||||
@ -562,11 +590,11 @@ usage() # $1 = exit status
|
|||||||
{
|
{
|
||||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||||
echo "where <command> is one of:"
|
echo "where <command> is one of:"
|
||||||
echo " add <interface>[:<host>] <zone>"
|
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||||
echo " allow <address> ..."
|
echo " allow <address> ..."
|
||||||
echo " check"
|
echo " check [ <directory> ]"
|
||||||
echo " clear"
|
echo " clear"
|
||||||
echo " delete <interface>[:<host>] <zone>"
|
echo " delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||||
echo " drop <address> ..."
|
echo " drop <address> ..."
|
||||||
echo " forget [ <file name> ]"
|
echo " forget [ <file name> ]"
|
||||||
echo " help [ <command > | host | address ]"
|
echo " help [ <command > | host | address ]"
|
||||||
@ -578,15 +606,17 @@ usage() # $1 = exit status
|
|||||||
echo " refresh"
|
echo " refresh"
|
||||||
echo " reject <address> ..."
|
echo " reject <address> ..."
|
||||||
echo " reset"
|
echo " reset"
|
||||||
echo " restart"
|
echo " restart [ <directory> ]"
|
||||||
echo " restore [ <file name> ]"
|
echo " restore [ <file name> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||||
echo " start"
|
echo " start [ <directory> ]"
|
||||||
echo " stop"
|
echo " stop"
|
||||||
echo " status"
|
echo " status"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
echo " version"
|
echo " version"
|
||||||
|
echo
|
||||||
|
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -598,8 +628,11 @@ show_reset() {
|
|||||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
#
|
||||||
show_proc() {
|
# Display's the passed file name followed by "=" and the file's contents.
|
||||||
|
#
|
||||||
|
show_proc() # $1 = name of a file
|
||||||
|
{
|
||||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -721,6 +754,8 @@ ensure_config_path
|
|||||||
|
|
||||||
export CONFIG_PATH
|
export CONFIG_PATH
|
||||||
|
|
||||||
|
get_config
|
||||||
|
|
||||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
|
||||||
if [ ! -f $FIREWALL ]; then
|
if [ ! -f $FIREWALL ]; then
|
||||||
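Review bot: Moving `get_config` to file level means it now runs before the command dispatch for every command, and with the IPTABLES check added to get_config in an earlier hunk it exits 2 when no iptables binary can be found. If commands such as `help` and `version` listed in usage() are dispatched through this same path (their arms are not visible here), they would now fail on a host without iptables, where previously only the arms that called get_config themselves did; worth confirming and, if so, skipping the iptables requirement for those commands.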
@ -765,8 +800,28 @@ esac
|
|||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
[ $# -ne 1 ] && usage 1
|
case $# in
|
||||||
get_config
|
1)
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $2 ]; then
|
||||||
|
if [ -e $2 ]; then
|
||||||
|
echo "$2 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $2 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$2
|
||||||
|
export SHOREWALL_DIR
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
if [ -n "$FAST" ]; then
|
if [ -n "$FAST" ]; then
|
||||||
|
|
||||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||||
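Review bot: The directory check added under `start)` uses `$2` unquoted in `[ ! -d $2 ]` and `[ -e $2 ]`, so an argument containing whitespace is split and an empty argument makes the `-d` test behave unexpectedly, and `echo "..." >&2 && exit 2` only exits when the echo succeeds. The same block is repeated verbatim under `check|restart)` in the next hunk; a helper that both arms call keeps the fix in one place. The fence gives that helper; each `2)` arm would keep its option test and then call it with `"$2"`.
```shell
#
# Validate an optional configuration directory argument and export it as SHOREWALL_DIR.
#
set_config_dir() # $1 = directory
{
    if [ ! -d "$1" ]; then
        if [ -e "$1" ]; then
            echo "$1 is not a directory" >&2
        else
            echo "Directory $1 does not exist" >&2
        fi
        exit 2
    fi

    SHOREWALL_DIR="$1"
    export SHOREWALL_DIR
}
# … unchanged: case $# in / 1) ;; / 2) [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2 …
            set_config_dir "$2"
```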
@ -783,15 +838,37 @@ case "$1" in
|
|||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
stop|restart|reset|clear|refresh|check)
|
stop|reset|clear|refresh)
|
||||||
[ $# -ne 1 ] && usage 1
|
[ $# -ne 1 ] && usage 1
|
||||||
get_config
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||||
|
;;
|
||||||
|
check|restart)
|
||||||
|
case $# in
|
||||||
|
1)
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $2 ]; then
|
||||||
|
if [ -e $2 ]; then
|
||||||
|
echo "$2 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $2 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$2
|
||||||
|
export SHOREWALL_DIR
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||||
;;
|
;;
|
||||||
add|delete)
|
add|delete)
|
||||||
[ $# -ne 3 ] && usage 1
|
[ $# -lt 3 ] && usage 1
|
||||||
get_config
|
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
|
||||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
|
|
||||||
;;
|
;;
|
||||||
show|list)
|
show|list)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
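Review bot: `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@` under `add|delete)` leaves `$@` unquoted, so the host list is re-split on IFS before it reaches the firewall script; `"$@"` passes the arguments through exactly as given. The `2)` arm under `check|restart)` rejects only `-c` with `[ -n "$SHOREWALL_DIR" ] && usage 2`, while the usage text added in an earlier hunk says neither `-c` nor `-f` may be combined with a directory for start, restart and check; either the test should also cover `$FAST` as the `start` arm does (`[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2`), or the usage text should name only start. The directory validation here repeats the block from the `start` hunk above, where a shared helper was suggested.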
@ -807,18 +884,17 @@ case "$1" in
|
|||||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
;;
|
;;
|
||||||
tos|mangle)
|
tos|mangle)
|
||||||
[ $# -gt 2 ] && usage 1
|
[ $# -gt 2 ] && usage 1
|
||||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
;;
|
;;
|
||||||
log)
|
log)
|
||||||
[ $# -gt 2 ] && usage 1
|
[ $# -gt 2 ] && usage 1
|
||||||
get_config
|
|
||||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
@ -837,6 +913,24 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
show_classifiers
|
show_classifiers
|
||||||
;;
|
;;
|
||||||
|
zones)
|
||||||
|
[ $# -gt 2 ] && usage 1
|
||||||
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
if [ -f $STATEDIR/zones ]; then
|
||||||
|
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||||
|
echo
|
||||||
|
while read zone hosts; do
|
||||||
|
echo $zone
|
||||||
|
for host in $hosts; do
|
||||||
|
echo " $host"
|
||||||
|
done
|
||||||
|
done < $STATEDIR/zones
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
echo " ERROR: $STATEDIR/zones does not exist" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
shift
|
shift
|
||||||
|
|
||||||
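Review bot: The `[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall` line inside `zones)` duplicates the file-level default that an earlier hunk places right after the new global `get_config` call, so it cannot change anything by the time this arm runs and can be dropped. The loop reads the state file with a bare `read`, which strips backslashes; `while read -r zone hosts; do` keeps each line as written, and `echo "$zone"` avoids glob expansion of the zone name before it is printed. The enclosing `case "$1" in` for the show command starts outside this hunk.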
@ -845,10 +939,10 @@ case "$1" in
|
|||||||
show_reset
|
show_reset
|
||||||
if [ $# -gt 0 ]; then
|
if [ $# -gt 0 ]; then
|
||||||
for chain in $*; do
|
for chain in $*; do
|
||||||
iptables -L $chain $IPT_OPTIONS
|
$IPTABLES -L $chain $IPT_OPTIONS
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
iptables -L $IPT_OPTIONS
|
$IPTABLES -L $IPT_OPTIONS
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -866,29 +960,32 @@ case "$1" in
|
|||||||
status)
|
status)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
[ $# -eq 1 ] || usage 1
|
[ $# -eq 1 ] || usage 1
|
||||||
get_config
|
|
||||||
clear
|
clear
|
||||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
iptables -L $IPT_OPTIONS
|
$IPTABLES -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
packet_log 20
|
packet_log 20
|
||||||
echo
|
echo
|
||||||
echo "NAT Table"
|
echo "NAT Table"
|
||||||
echo
|
echo
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
echo "Mangle Table"
|
echo "Mangle Table"
|
||||||
echo
|
echo
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
cat /proc/net/ip_conntrack
|
cat /proc/net/ip_conntrack
|
||||||
echo
|
echo
|
||||||
echo "IP Configuration"
|
echo "IP Configuration"
|
||||||
echo
|
echo
|
||||||
ip addr ls
|
ip addr ls
|
||||||
|
echo
|
||||||
|
echo "IP Stats"
|
||||||
|
echo
|
||||||
|
ip -stat link ls
|
||||||
|
|
||||||
if qt which brctl; then
|
if qt which brctl; then
|
||||||
echo
|
echo
|
||||||
@ -902,9 +999,10 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
|
|
||||||
show_proc /proc/sys/net/ipv4/ip_forward
|
show_proc /proc/sys/net/ipv4/ip_forward
|
||||||
|
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||||
|
|
||||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||||
for file in proxy_arp arp_filter rp_filter; do
|
for file in proxy_arp arp_filter rp_filter log_martians; do
|
||||||
show_proc $directory/$file
|
show_proc $directory/$file
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
@ -920,11 +1018,17 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
ip route ls table $table
|
ip route ls table $table
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if qt which lsmod; then
|
||||||
|
echo
|
||||||
|
echo "Modules"
|
||||||
|
echo
|
||||||
|
lsmod | grep -E '^ip_|^ipt_'
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
hits)
|
hits)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
[ $# -eq 1 ] || usage 1
|
[ $# -eq 1 ] || usage 1
|
||||||
get_config
|
|
||||||
clear
|
clear
|
||||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
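Review bot: `lsmod | grep -E '^ip_|^ipt_'` lists only modules whose names start with `ip_` or `ipt_`, so netfilter modules with other prefixes (newer kernels name many of them `nf_` and `xt_`) would be missing from the "Modules" section and the status output would understate what is loaded. A broader pattern such as `lsmod | grep -E '^(ip|ipt|nf|xt)_'` covers both naming schemes, and a short comment that the list is informational and prefix-based would help the next reader. When nothing matches, grep exits 1 with no output, which is harmless here but leaves the heading followed by an empty section.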
@ -972,10 +1076,10 @@ case "$1" in
|
|||||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||||
if ! $0 $debugging -c $2 restart; then
|
if ! $0 $debugging -c $2 restart; then
|
||||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||||
$0 start
|
$0 start
|
||||||
fi
|
fi
|
||||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||||
$0 start
|
$0 start
|
||||||
elif [ $# -eq 3 ]; then
|
elif [ $# -eq 3 ]; then
|
||||||
sleep $3
|
sleep $3
|
||||||
@ -998,9 +1102,9 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
qt iptables -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt iptables -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
iptables -A dynamic -s $1 -j DROP || break 1
|
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||||
echo "$1 Dropped"
|
echo "$1 Dropped"
|
||||||
done
|
done
|
||||||
mutex_off
|
mutex_off
|
||||||
@ -1011,9 +1115,9 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
qt iptables -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt iptables -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
iptables -A dynamic -s $1 -j reject || break 1
|
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
||||||
echo "$1 Rejected"
|
echo "$1 Rejected"
|
||||||
done
|
done
|
||||||
mutex_off
|
mutex_off
|
||||||
@ -1024,7 +1128,7 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
||||||
echo "$1 Allowed"
|
echo "$1 Allowed"
|
||||||
else
|
else
|
||||||
echo "$1 Not Dropped or Rejected"
|
echo "$1 Not Dropped or Rejected"
|
||||||
@ -1035,8 +1139,6 @@ case "$1" in
|
|||||||
save)
|
save)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
|
|
||||||
get_config
|
|
||||||
|
|
||||||
case $# in
|
case $# in
|
||||||
1)
|
1)
|
||||||
;;
|
;;
|
||||||
@ -1053,7 +1155,7 @@ case "$1" in
|
|||||||
|
|
||||||
mutex_on
|
mutex_on
|
||||||
|
|
||||||
if qt iptables -L shorewall -n; then
|
if qt $IPTABLES -L shorewall -n; then
|
||||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||||
|
|
||||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||||
@ -1064,11 +1166,11 @@ case "$1" in
|
|||||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||||
echo " Dynamic Rules Saved"
|
echo " Dynamic Rules Saved"
|
||||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||||
@ -1094,7 +1196,6 @@ case "$1" in
|
|||||||
mutex_off
|
mutex_off
|
||||||
;;
|
;;
|
||||||
forget)
|
forget)
|
||||||
get_config
|
|
||||||
case $# in
|
case $# in
|
||||||
1)
|
1)
|
||||||
;;
|
;;
|
||||||
@ -1114,7 +1215,7 @@ case "$1" in
|
|||||||
rm -f $RESTOREPATH
|
rm -f $RESTOREPATH
|
||||||
echo " $RESTOREPATH removed"
|
echo " $RESTOREPATH removed"
|
||||||
elif [ -f $RESTOREPATH ]; then
|
elif [ -f $RESTOREPATH ]; then
|
||||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
ipcalc)
|
ipcalc)
|
||||||
@ -1153,7 +1254,6 @@ case "$1" in
|
|||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
restore)
|
restore)
|
||||||
get_config
|
|
||||||
case $# in
|
case $# in
|
||||||
1)
|
1)
|
||||||
;;
|
;;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
|
||||||
# match your setup
|
# match your setup
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
@ -7,6 +7,14 @@
|
|||||||
# This file should be placed in /etc/shorewall
|
# This file should be placed in /etc/shorewall
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||||
|
##############################################################################
|
||||||
|
# S T A R T U P E N A B L E D
|
||||||
|
##############################################################################
|
||||||
|
# Once you have configured Shorewall, you may change the setting of
|
||||||
|
# this variable to 'Yes'
|
||||||
|
|
||||||
|
STARTUP_ENABLED=No
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# L O G G I N G
|
# L O G G I N G
|
||||||
##############################################################################
|
##############################################################################
|
||||||
@ -15,6 +23,11 @@
|
|||||||
# to syslog (8) the importance of a message and a number of parameters
|
# to syslog (8) the importance of a message and a number of parameters
|
||||||
# in this file have log levels as their value.
|
# in this file have log levels as their value.
|
||||||
#
|
#
|
||||||
|
# These levels are defined by syslog and are used to determine the destination
|
||||||
|
# of the messages through entries in /etc/syslog.conf (5). The syslog
|
||||||
|
# documentation refers to these as "priorities"; Netfilter calls them "levels"
|
||||||
|
# and Shorewall also uses that term.
|
||||||
|
#
|
||||||
# Valid levels are:
|
# Valid levels are:
|
||||||
#
|
#
|
||||||
# 7 debug
|
# 7 debug
|
||||||
@ -80,6 +93,18 @@ LOGFILE=/var/log/messages
|
|||||||
|
|
||||||
LOGFORMAT="Shorewall:%s:%s:"
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
#
|
||||||
|
# LOG FORMAT Continued
|
||||||
|
#
|
||||||
|
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
|
||||||
|
# truncation of the log prefix may occur. Longer chain names may be used with
|
||||||
|
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
|
||||||
|
# specified then the tag is included in the log prefix in place of the chain
|
||||||
|
# name.
|
||||||
|
#
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
#
|
#
|
||||||
# LOG RATE LIMITING
|
# LOG RATE LIMITING
|
||||||
#
|
#
|
||||||
@ -110,6 +135,18 @@ LOGFORMAT="Shorewall:%s:%s:"
|
|||||||
LOGRATE=
|
LOGRATE=
|
||||||
LOGBURST=
|
LOGBURST=
|
||||||
|
|
||||||
|
#
|
||||||
|
# LOG ALL NEW
|
||||||
|
#
|
||||||
|
# This option should only be used when you are trying to analyze a problem.
|
||||||
|
# It causes all packets in the Netfilter NEW state to be logged as the
|
||||||
|
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
||||||
|
# the log level that you want these packets logged at (e.g.,
|
||||||
|
# LOGALLNEW=debug).
|
||||||
|
#
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
#
|
#
|
||||||
# BLACKLIST LOG LEVEL
|
# BLACKLIST LOG LEVEL
|
||||||
#
|
#
|
||||||
@ -201,9 +238,29 @@ SMURF_LOG_LEVEL=info
|
|||||||
#
|
#
|
||||||
|
|
||||||
BOGON_LOG_LEVEL=info
|
BOGON_LOG_LEVEL=info
|
||||||
|
|
||||||
|
#
|
||||||
|
# MARTIAN LOGGING
|
||||||
|
#
|
||||||
|
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
|
||||||
|
# that have impossible source IP addresses. This logging may be enabled
|
||||||
|
# on individual interfaces by using the 'logmartians' option in
|
||||||
|
# /etc/shorewall/interfaces.
|
||||||
|
#
|
||||||
|
|
||||||
|
LOG_MARTIANS=No
|
||||||
################################################################################
|
################################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
################################################################################
|
################################################################################
|
||||||
|
#
|
||||||
|
# IPTABLES
|
||||||
|
#
|
||||||
|
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||||
|
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||||
|
# the iptables executable located via the PATH setting below is used.
|
||||||
|
#
|
||||||
|
IPTABLES=
|
||||||
|
|
||||||
#
|
#
|
||||||
# PATH - Change this if you want to change the order in which Shorewall
|
# PATH - Change this if you want to change the order in which Shorewall
|
||||||
# searches directories for executable files.
|
# searches directories for executable files.
|
||||||
@ -320,13 +377,29 @@ ADD_IP_ALIASES=Yes
|
|||||||
#
|
#
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
|
|
||||||
|
#
|
||||||
|
# RETAIN EXISTING ALIASES/IP ADDRESSES
|
||||||
|
#
|
||||||
|
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
|
||||||
|
# will first delete the address then re-add it. This is to ensure that the
|
||||||
|
# address is added with the specified label. Unfortunately, this can cause
|
||||||
|
# problems if it results in the deletion of the last IP address on an
|
||||||
|
# interface because then all routes through the interface are automatically
|
||||||
|
# removed.
|
||||||
|
#
|
||||||
|
# You can cause Shorewall to retain existing addresses by setting
|
||||||
|
# RETAIN_ALIASES=Yes.
|
||||||
|
#
|
||||||
|
RETAIN_ALIASES=No
|
||||||
|
|
||||||
#
|
#
|
||||||
# ENABLE TRAFFIC SHAPING
|
# ENABLE TRAFFIC SHAPING
|
||||||
#
|
#
|
||||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||||
|
# you must enable packet mangling above.
|
||||||
|
#
|
||||||
TC_ENABLED=No
|
TC_ENABLED=No
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -392,6 +465,14 @@ MARK_IN_FORWARD_CHAIN=No
|
|||||||
#
|
#
|
||||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
# If left blank, or set to "No" or "no", the option is not enabled.
|
||||||
#
|
#
|
||||||
|
# You may also set this option to a numeric value in which case Shorewall will
|
||||||
|
# set up a rule to modify the MSS value in SYN packets to the value that
|
||||||
|
# you specify.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# CLAMPMSS=1400
|
||||||
|
#
|
||||||
CLAMPMSS=No
|
CLAMPMSS=No
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -550,6 +631,14 @@ ADMINISABSENTMINDED=Yes
|
|||||||
#
|
#
|
||||||
BLACKLISTNEWONLY=Yes
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
#
|
||||||
|
# Users with a large blacklist find that "shorwall [re]start" takes a long
|
||||||
|
# time and that new connections are disabled during that time. By setting
|
||||||
|
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
|
||||||
|
# before loading the blacklist.
|
||||||
|
|
||||||
|
DELAYBLACKLISTLOAD=No
|
||||||
|
|
||||||
# MODULE NAME SUFFIX
|
# MODULE NAME SUFFIX
|
||||||
#
|
#
|
||||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||||
@ -608,16 +697,9 @@ DYNAMIC_ZONES=No
|
|||||||
# USE PKTTYPE MATCH
|
# USE PKTTYPE MATCH
|
||||||
#
|
#
|
||||||
# Some users have reported problems with the PKTTYPE match extension not being
|
# Some users have reported problems with the PKTTYPE match extension not being
|
||||||
# able to match certain broadcast packets.
|
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||||
#
|
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||||
# Other users have complained of the following message when
|
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||||
# starting Shorewall:
|
|
||||||
#
|
|
||||||
# modprobe: cant locate module ipt_pkttype
|
|
||||||
#
|
|
||||||
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
|
|
||||||
# broadcasts rather than pkttype. If not given or if given as empty
|
|
||||||
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
|
||||||
|
|
||||||
PKTTYPE=Yes
|
PKTTYPE=Yes
|
||||||
|
|
||||||
|
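Review bot: The DELAYBLACKLISTLOAD block in the `@ -550,6 +631,14 @@` hunk documents only the benefit of deferring the blacklist load, not its cost: it says the option makes Shorewall "enable new connections before loading the blacklist", which means connections from blacklisted sources are admitted during the interval in which the list is still being loaded, so the setting trades [re]start responsiveness for a short window of unenforced blacklisting. A one-line caveat such as `# Note: while the blacklist is being loaded, new connections from blacklisted addresses are not yet blocked.` would let administrators make that trade-off knowingly. The same paragraph spells the command as "shorwall [re]start"; it should read "shorewall [re]start". Unlike the neighbouring option blocks (LOGALLNEW, LOG_MARTIANS, RETAIN_ALIASES), this one ends without a closing `#` line before the blank that precedes `DELAYBLACKLISTLOAD=No`, which breaks the file's comment-block convention.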
@ -1,5 +1,5 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 2.0.16
|
%define version 2.2.0
|
||||||
%define release 1
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
@ -41,12 +41,6 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%post
|
%post
|
||||||
|
|
||||||
if [ $1 -eq 1 ]; then
|
if [ $1 -eq 1 ]; then
|
||||||
echo \
|
|
||||||
"########################################################################
|
|
||||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
|
||||||
########################################################################" \
|
|
||||||
> /etc/shorewall/startup_disabled
|
|
||||||
|
|
||||||
if [ -x /sbin/insserv ]; then
|
if [ -x /sbin/insserv ]; then
|
||||||
/sbin/insserv /etc/rc.d/shorewall
|
/sbin/insserv /etc/rc.d/shorewall
|
||||||
elif [ -x /sbin/chkconfig ]; then
|
elif [ -x /sbin/chkconfig ]; then
|
||||||
@ -76,6 +70,7 @@ fi
|
|||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
||||||
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
||||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
|
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
|
||||||
@ -106,6 +101,7 @@ fi
|
|||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
|
||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
|
||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
|
||||||
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
|
||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
|
||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
|
||||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
|
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
|
||||||
@ -138,386 +134,37 @@ fi
|
|||||||
%attr(0600,root,root) /usr/share/shorewall/bogons
|
%attr(0600,root,root) /usr/share/shorewall/bogons
|
||||||
%attr(0600,root,root) /usr/share/shorewall/configpath
|
%attr(0600,root,root) /usr/share/shorewall/configpath
|
||||||
|
|
||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
|
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.16-1
|
- Updated to 2.2.0-1
|
||||||
* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
|
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.15-1
|
- Updated to 2.2.0-0RC5
|
||||||
* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
|
* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.14-1
|
- Updated to 2.2.0-0RC4
|
||||||
* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
|
* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.13-1
|
- Updated to 2.2.0-0RC3
|
||||||
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
|
* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.12-1
|
- Updated to 2.2.0-0RC2
|
||||||
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
|
* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.0.11-1
|
- Updated to 2.2.0-0RC1
|
||||||
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
|
- Added ipsecvpn file
|
||||||
- Updated to 2.0.10-1
|
* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
|
||||||
* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta8
|
||||||
- Updated to 2.0.9-1
|
* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
|
||||||
* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta7
|
||||||
- Updated to 2.0.8-1
|
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
|
||||||
* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta6
|
||||||
- Updated to 2.0.7-1
|
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
|
||||||
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta5
|
||||||
- Updated to 2.0.6-1
|
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
|
||||||
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta4
|
||||||
- Updated to 2.0.5-1
|
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
|
||||||
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta3
|
||||||
- Updated to 2.0.4-1
|
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
|
||||||
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta2
|
||||||
- Updated to 2.0.3c-1
|
* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
|
||||||
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
|
- Updated to 2.2.0-0Beta1
|
||||||
- Updated to 2.0.3b-1
|
|
||||||
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated to 2.0.3a-1
|
|
||||||
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated to 2.0.3-1
|
|
||||||
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated to 2.0.2-0RC2
|
|
||||||
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated to 2.0.2-0RC1
|
|
||||||
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Added %attr spec for /etc/init.d/shorewall
|
|
||||||
* Sat May 15 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.2a-1
|
|
||||||
* Thu May 13 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.2-1
|
|
||||||
* Mon May 10 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Add /etc/shorewall/initdone
|
|
||||||
* Fri May 07 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Shorewall 2.0.2-RC1
|
|
||||||
* Tue May 04 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Shorewall 2.0.2-Beta2
|
|
||||||
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Add /usr/share/shorewall/configpath
|
|
||||||
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1-1
|
|
||||||
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 RC5
|
|
||||||
* Thu Apr 01 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 RC4
|
|
||||||
* Sun Mar 28 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 RC3
|
|
||||||
* Thu Mar 25 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 RC2
|
|
||||||
* Wed Mar 24 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 RC1
|
|
||||||
* Fri Mar 19 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Updated for 2.0.1 Beta 2
|
|
||||||
* Thu Mar 18 2004 Tom Eastep tom@shorewall.net
|
|
||||||
- Added netmap file
|
|
||||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Update for 2.0.1 Beta 1
|
|
||||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Add bogons file
|
|
||||||
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Update for 2.0.0 Final
|
|
||||||
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Update for RC2
|
|
||||||
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Update for RC1
|
|
||||||
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Moved rfc1918 to /usr/share/shorewall
|
|
||||||
- Update for Beta 3
|
|
||||||
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Removed common.def
|
|
||||||
- Unconditionally replace actions.std
|
|
||||||
- Update for Beta 2
|
|
||||||
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added action.AllowPCA
|
|
||||||
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Updates for Shorewall 2.0.0.
|
|
||||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Remove Documentation from this RPM
|
|
||||||
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Updated for Beta 2
|
|
||||||
* Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added User Defined Actions Files
|
|
||||||
* Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added User Defined Actions Files
|
|
||||||
* Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.8
|
|
||||||
* Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.8-0RC2
|
|
||||||
* Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.8-0RC1
|
|
||||||
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.7-1
|
|
||||||
- Removed conflict with 2.2 Kernels
|
|
||||||
* Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.7-0RC2
|
|
||||||
* Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.7-0RC1
|
|
||||||
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.7-0Beta2
|
|
||||||
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.7-0Beta1
|
|
||||||
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added /etc/shorewall/users
|
|
||||||
- Changed version to 1.4.6_20030823-1
|
|
||||||
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6_20030821-1
|
|
||||||
- Added /etc/shorewall/usersets
|
|
||||||
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6_20030813-1
|
|
||||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added /etc/shorewall/accounting
|
|
||||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6_20030809-1
|
|
||||||
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6_20030731-1
|
|
||||||
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added /usr/share/shorewall/help
|
|
||||||
- Changed version to 1.4.6_20030727-1
|
|
||||||
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6_20030726-1
|
|
||||||
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6-1
|
|
||||||
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6-0RC1
|
|
||||||
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6-0Beta2
|
|
||||||
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.6-0Beta1
|
|
||||||
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.5-1
|
|
||||||
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.4b-1
|
|
||||||
* Tue May 27 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.4a-1
|
|
||||||
* Thu May 22 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.4-1
|
|
||||||
* Mon May 19 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.3a-1
|
|
||||||
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.3-1
|
|
||||||
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.2-1
|
|
||||||
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.1-1
|
|
||||||
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.0-1
|
|
||||||
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.0-0RC2
|
|
||||||
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.0-0RC1
|
|
||||||
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.4.0-0Beta2
|
|
||||||
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Add ecn file
|
|
||||||
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.4.0-0Beta1
|
|
||||||
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.4.0Alpha1
|
|
||||||
- Delete icmp.def
|
|
||||||
- Move firewall and version to /usr/share/shorewall
|
|
||||||
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.14-0RC1
|
|
||||||
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.14-0Beta2
|
|
||||||
* Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.14-0Beta1
|
|
||||||
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.13
|
|
||||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.12
|
|
||||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.12-0Beta3
|
|
||||||
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.12-0Beta2
|
|
||||||
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.12-0Beta1
|
|
||||||
- Add init, start, stop and stopped files.
|
|
||||||
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.11a
|
|
||||||
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.11
|
|
||||||
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.10
|
|
||||||
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changes version to 1.3.10b1
|
|
||||||
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added maclist file
|
|
||||||
* Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.10
|
|
||||||
- Replaced symlink with real file
|
|
||||||
* Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.9b
|
|
||||||
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.9a
|
|
||||||
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.8
|
|
||||||
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.8
|
|
||||||
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.7c
|
|
||||||
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.7b
|
|
||||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.7a
|
|
||||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.7
|
|
||||||
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.6
|
|
||||||
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.5b
|
|
||||||
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.4
|
|
||||||
* Wed Jul 10 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Added 'routestopped' configuration file.
|
|
||||||
* Fri Jul 05 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.3
|
|
||||||
* Sat Jun 15 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version and release for new convention
|
|
||||||
- Moved version,firewall and functions to /var/lib/shorewall
|
|
||||||
* Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.2
|
|
||||||
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.1
|
|
||||||
- Added the rfc1918 file
|
|
||||||
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Changed version to 1.3.0
|
|
||||||
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Removed whitelist file
|
|
||||||
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed version to 91
|
|
||||||
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed version to 90
|
|
||||||
- removed 'provides' tag.
|
|
||||||
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed version to 13
|
|
||||||
- Added whitelist file.
|
|
||||||
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed version to 12
|
|
||||||
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- Merged Stefan's changes to create single RPM
|
|
||||||
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
|
|
||||||
- changed to SuSE Linux 7.3
|
|
||||||
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 11
|
|
||||||
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 10
|
|
||||||
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 9
|
|
||||||
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 8
|
|
||||||
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 7
|
|
||||||
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 6
|
|
||||||
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 5
|
|
||||||
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 4
|
|
||||||
- Merged Ajay's change to allow build by non-root
|
|
||||||
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 3
|
|
||||||
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 2
|
|
||||||
- Updated URL
|
|
||||||
- Added blacklist file
|
|
||||||
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 1
|
|
||||||
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 0
|
|
||||||
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to Rc1
|
|
||||||
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to Beta2
|
|
||||||
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed Version to 1.2
|
|
||||||
- added tcrules file
|
|
||||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed release to 17
|
|
||||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
|
||||||
- changed release to 16
|
|
||||||
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- changed release to 15
|
|
||||||
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- changed release to 14
|
|
||||||
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- changed release to 13
|
|
||||||
- added params file
|
|
||||||
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 12
|
|
||||||
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 11
|
|
||||||
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
|
|
||||||
- reorganized spec file
|
|
||||||
- s/Copyright/License/
|
|
||||||
- now will build fron rpm -tb
|
|
||||||
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 10
|
|
||||||
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 9
|
|
||||||
- Added tunnel file
|
|
||||||
- Readded tunnels file
|
|
||||||
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 8
|
|
||||||
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 7
|
|
||||||
- Changed iptables dependency.
|
|
||||||
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 6
|
|
||||||
- Added tunnels file
|
|
||||||
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 5
|
|
||||||
- Added modules and tos files
|
|
||||||
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 4
|
|
||||||
- Added changelog.txt and releasenotes.txt
|
|
||||||
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed release to 3
|
|
||||||
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Added files common.def and icmpdef.def
|
|
||||||
- Changed release to 2
|
|
||||||
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
|
||||||
- Changed the release to 1.
|
|
||||||
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Changed the version to 1.1
|
|
||||||
- Added hosts file
|
|
||||||
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Changed the release to 4
|
|
||||||
- Added Zones and Functions files
|
|
||||||
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change ipchains dependency to an iptables dependency and
|
|
||||||
changed the release to 3
|
|
||||||
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Add additional files.
|
|
||||||
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change version to 1.0.2
|
|
||||||
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change version to 1.0.1
|
|
||||||
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Changes for Shorewall
|
|
||||||
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change version to 4.1.0
|
|
||||||
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change version to 4.0.4
|
|
||||||
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Change version to 4.0.2
|
|
||||||
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
|
||||||
- Changed version to 4.0
|
|
||||||
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
|
|
||||||
- Added dmzclients file
|
|
||||||
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
|
|
||||||
- Added ftpserver file
|
|
||||||
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
|
|
||||||
- Added "nat" and "proxyarp" files for 4.0
|
|
||||||
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
|
|
||||||
- added updown file
|
|
||||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
|
||||||
- Corrected the group - Networking/Utilities
|
|
||||||
- Added "noreplace" attributes to config files, so current confis is not
|
|
||||||
changed.
|
|
||||||
- Added the version file.
|
|
||||||
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
|
|
||||||
- Converted Simon's patch to version 3.1
|
|
||||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
|
||||||
- 3.0.2 Initial RPM
|
|
||||||
Patched the install script so it can take a PREFIX variable
|
|
||||||
|
|
||||||
|
|
||||||
|
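Review bot: The `@ -41,12 +41,6 @@` hunk drops the creation of /etc/shorewall/startup_disabled from the first-install branch of %post, so the only remaining "do not start until configured" guard appears to be the `STARTUP_ENABLED=No` default added to shorewall.conf elsewhere in this commit. Because shorewall.conf is installed `%config(noreplace)`, a system upgraded from 2.0 typically keeps its existing file, which has no STARTUP_ENABLED line, and whether the firewall script then treats the unset variable as enabled or refuses to start cannot be seen from this page; that is worth confirming, and if it is treated as enabled the %post could at least warn on upgrade with `[ $1 -gt 1 ] && echo "Note: startup is now controlled by STARTUP_ENABLED in /etc/shorewall/shorewall.conf"`. The new %changelog entry records only `Updated to 2.2.0-1`; a line noting that startup_disabled is no longer created would make this behaviour change discoverable to packagers.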
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 2.0 -- /etc/shorewall/start
|
# Shorewall 2.2 -- /etc/shorewall/start
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed after shorewall has
|
# Add commands below that you want to be executed after shorewall has
|
||||||
# been started or restarted.
|
# been started or restarted.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 2.0 -- /etc/shorewall/stop
|
# Shorewall 2.2 -- /etc/shorewall/stop
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the beginning of a
|
# Add commands below that you want to be executed at the beginning of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 2.0 -- /etc/shorewall/stopped
|
# Shorewall 2.2 -- /etc/shorewall/stopped
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the completion of a
|
# Add commands below that you want to be executed at the completion of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.0 - Traffic Control Rules File
|
# Shorewall version 2.2 - Traffic Control Rules File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/tcrules
|
# /etc/shorewall/tcrules
|
||||||
#
|
#
|
||||||
@ -19,9 +19,8 @@
|
|||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# MARK The mark value which is an
|
# MARK/ a) A mark value which is a integer in the range 1-255
|
||||||
# integer in the range 1-255
|
# CLASSIFY
|
||||||
#
|
|
||||||
# May optionally be followed by ":P" or ":F"
|
# May optionally be followed by ":P" or ":F"
|
||||||
# where ":P" indicates that marking should occur in
|
# where ":P" indicates that marking should occur in
|
||||||
# the PREROUTING chain and ":F" indicates that marking
|
# the PREROUTING chain and ":F" indicates that marking
|
||||||
@ -30,9 +29,55 @@
|
|||||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||||
# /etc/shorewall/shorewall.conf.
|
# /etc/shorewall/shorewall.conf.
|
||||||
#
|
#
|
||||||
|
# If your kernel and iptables include CONNMARK support
|
||||||
|
# then you can also mark the connection rather than
|
||||||
|
# the packet.
|
||||||
|
#
|
||||||
|
# The mark value may be optionally followed by "/"
|
||||||
|
# and a mask value (used to determine those bits of
|
||||||
|
# the connection mark to actually be set). The
|
||||||
|
# mark and optional mask are then followed by one of:
|
||||||
|
#
|
||||||
|
# C - Mark the connection in the chain determined
|
||||||
|
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||||
|
#
|
||||||
|
# CF: Mark the conneciton in the FORWARD chain
|
||||||
|
#
|
||||||
|
# CP: Mark the connection in the PREROUTING chain.
|
||||||
|
#
|
||||||
|
# b) A classification of the form <major>:<minor> where
|
||||||
|
# <major> and <minor> are integers. Corresponds to
|
||||||
|
# the 'class' specification in these traffic shaping
|
||||||
|
# modules:
|
||||||
|
#
|
||||||
|
# - atm
|
||||||
|
# - cbq
|
||||||
|
# - dsmark
|
||||||
|
# - pfifo_fast
|
||||||
|
# - htb
|
||||||
|
# - prio
|
||||||
|
#
|
||||||
|
# Classify always occurs in the POSTROUTING chain.
|
||||||
|
#
|
||||||
|
# c) RESTORE[/mask] -- restore the packet's mark from the
|
||||||
|
# connection's mark using the supplied mask if any.
|
||||||
|
# Your kernel and iptables must include CONNMARK support.
|
||||||
|
# As in a) above, may be followed by ":P" or ":F
|
||||||
|
#
|
||||||
|
# c) SAVE[/mask] -- save the packet's mark to the
|
||||||
|
# connection's mark using the supplied mask if any.
|
||||||
|
# Your kernel and iptables must include CONNMARK support.
|
||||||
|
# As in a) above, may be followed by ":P" or ":F
|
||||||
|
#
|
||||||
|
# d) CONTINUE -- don't process any more marking rules in
|
||||||
|
# the table. As in a) above, may be followed by ":P" or
|
||||||
|
# ":F".
|
||||||
|
#
|
||||||
# SOURCE Source of the packet. A comma-separated list of
|
# SOURCE Source of the packet. A comma-separated list of
|
||||||
# interface names, IP addresses, MAC addresses
|
# interface names, IP addresses, MAC addresses
|
||||||
# and/or subnets. Use $FW if the packet originates on
|
# and/or subnets. If your kernel and iptables include
|
||||||
|
# iprange match support, IP address ranges are also
|
||||||
|
# allowed. Use $FW if the packet originates on
|
||||||
# the firewall in which case the MARK column may NOT
|
# the firewall in which case the MARK column may NOT
|
||||||
# specify either ":P" or ":F" (marking always occurs
|
# specify either ":P" or ":F" (marking always occurs
|
||||||
# in the OUTPUT chain).
|
# in the OUTPUT chain).
|
||||||
@ -43,22 +88,34 @@
|
|||||||
# Example: ~00-A0-C9-15-39-78
|
# Example: ~00-A0-C9-15-39-78
|
||||||
#
|
#
|
||||||
# DEST Destination of the packet. Comma separated list of
|
# DEST Destination of the packet. Comma separated list of
|
||||||
# IP addresses and/or subnets.
|
# IP addresses and/or subnets. If your kernel and
|
||||||
|
# iptables include iprange match support, IP address
|
||||||
|
# ranges are also allowed.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
# If the MARK column specificies a classification of
|
||||||
# or "all".
|
# the form <major>:<minor> then this column may also
|
||||||
|
# contain an interface name.
|
||||||
|
#
|
||||||
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
#
|
#
|
||||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example "bit"
|
||||||
|
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
# entered if any of the following field is supplied.
|
# entered if any of the following field is supplied.
|
||||||
# In that case, it is suggested that this field contain
|
# In that case, it is suggested that this field contain
|
||||||
# "-"
|
# "-"
|
||||||
#
|
#
|
||||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||||
# any source port is acceptable. Specified as a comma-
|
# any source port is acceptable. Specified as a comma-
|
||||||
# separated list of port names, port numbers or port
|
# separated list of port names, port numbers or port
|
||||||
# ranges.
|
# ranges.
|
||||||
@ -77,7 +134,19 @@
|
|||||||
# The colon is optionnal when specifying only a user.
|
# The colon is optionnal when specifying only a user.
|
||||||
# Examples : john: / john / :users / john:users
|
# Examples : john: / john / :users / john:users
|
||||||
#
|
#
|
||||||
|
# TEST Defines a test on the existing packet or connection mark.
|
||||||
|
# The rule will match only if the test returns true. Tests
|
||||||
|
# have the format [!]<value>[/<mask>][:C]
|
||||||
|
#
|
||||||
|
# Where:
|
||||||
|
#
|
||||||
|
# ! Inverts the test (not equal)
|
||||||
|
# <value> Value of the packet or connection mark.
|
||||||
|
# <mask> A mask to be applied to the mark before
|
||||||
|
# testing
|
||||||
|
# :C Designates a connection mark. If omitted,
|
||||||
|
# the packet mark's value is tested.
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
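Review bot: The new SAVE entry at `# c) SAVE[/mask] -- save the packet's mark to the` reuses the label c) already given to RESTORE two items above, so the MARK/CLASSIFY list reads a, b, c, c, d; relabel SAVE as `d)` and CONTINUE as `e)`. The column header line `#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST` (with `# PORT(S)` beneath it) still names the fifth column CLIENT PORT(S) while its description in the same hunk was renamed to SOURCE PORT(S); the header should use the same name so a reader matching columns to descriptions is not misled. Three typos in the added text: `conneciton` should be `connection` on the CF: line, `specificies` should be `specifies` in the DEST paragraph, and the closing quote is missing in `":P" or ":F` on both the RESTORE and SAVE items. Since PROTO now accepts "ipp2p", it would also be worth adding next to that text that ipp2p is a heuristic payload match that can misclassify traffic and be evaded by clients, so it is appropriate for marking and shaping here but should not be relied on as a security control.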
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 -- /etc/shorewall/tos
|
# Shorewall 2.2 -- /etc/shorewall/tos
|
||||||
#
|
#
|
||||||
# This file defines rules for setting Type Of Service (TOS)
|
# This file defines rules for setting Type Of Service (TOS)
|
||||||
#
|
#
|
||||||
@ -43,10 +43,4 @@
|
|||||||
#
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
||||||
all all tcp - 22 16
|
|
||||||
all all tcp 22 - 16
|
|
||||||
all all tcp - 21 16
|
|
||||||
all all tcp 21 - 16
|
|
||||||
all all tcp 20 - 8
|
|
||||||
all all tcp - 20 8
|
|
||||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
|
|
||||||
RCDLINKS="2,S45 3,S45 6,K45"
|
RCDLINKS="2,S45 3,S45 6,K45"
|
||||||
################################################################################
|
################################################################################
|
||||||
# Script to create a gre or ipip tunnel -- Shorewall 2.0
|
# Script to create a gre or ipip tunnel -- Shorewall 2.2
|
||||||
#
|
#
|
||||||
# Modified - Steve Cowles 5/9/2000
|
# Modified - Steve Cowles 5/9/2000
|
||||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# Modify the following variables to match your configuration
|
# Modify the following variables to match your configuration
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 - /etc/shorewall/tunnels
|
# Shorewall 2.2 - /etc/shorewall/tunnels
|
||||||
#
|
#
|
||||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||||
#
|
#
|
||||||
@ -34,7 +34,10 @@
|
|||||||
#
|
#
|
||||||
# GATEWAY -- The IP address of the remote tunnel gateway. If the
|
# GATEWAY -- The IP address of the remote tunnel gateway. If the
|
||||||
# remote getway has no fixed address (Road Warrior)
|
# remote getway has no fixed address (Road Warrior)
|
||||||
# then specify the gateway as 0.0.0.0/0.
|
# then specify the gateway as 0.0.0.0/0. May be
|
||||||
|
# specified as a network address and if your kernel and
|
||||||
|
# iptables include iprange match support then IP address
|
||||||
|
# ranges are also allowed.
|
||||||
#
|
#
|
||||||
# GATEWAY
|
# GATEWAY
|
||||||
# ZONES -- Optional. If the gateway system specified in the third
|
# ZONES -- Optional. If the gateway system specified in the third
|
||||||
|
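Review bot: Now that GATEWAY may be a network address or an IP address range rather than a single host, the comment should say what that widening means: the rules generated for the tunnel presumably accept the tunnel protocol from every address in the specification, not just from the real remote gateway. A one-line caveat after the new text, e.g. `# Use the narrowest specification that covers the remote gateway(s); a network or range admits tunnel traffic from every address in it.`, would steer administrators away from using a broad range as a convenience.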
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||||
#
|
#
|
||||||
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=2.0.16
|
VERSION=2.2.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.0 /etc/shorewall/zones
|
# Shorewall 2.2 /etc/shorewall/zones
|
||||||
#
|
#
|
||||||
# This file determines your network zones. Columns are:
|
# This file determines your network zones. Columns are:
|
||||||
#
|
#
|
||||||
@ -11,9 +11,15 @@
|
|||||||
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
||||||
#
|
#
|
||||||
# See http://www.shorewall.net/Documentation.htm#Nested
|
# See http://www.shorewall.net/Documentation.htm#Nested
|
||||||
|
#--------------------------------------------------------------------------------
|
||||||
|
# Example zones:
|
||||||
|
#
|
||||||
|
# You have a three interface firewall with internet, local and DMZ interfaces.
|
||||||
|
#
|
||||||
|
# #ZONE DISPLAY COMMENTS
|
||||||
|
# net Internet The big bad Internet
|
||||||
|
# loc Local Local Network
|
||||||
|
# dmz DMZ Demilitarized zone.
|
||||||
#
|
#
|
||||||
#ZONE DISPLAY COMMENTS
|
#ZONE DISPLAY COMMENTS
|
||||||
net Net Internet
|
|
||||||
loc Local Local networks
|
|
||||||
dmz DMZ Demilitarized zone
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
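Review bot: With the three default entries net, loc and dmz removed, the shipped zones file now declares no zones at all, and nothing in the new text says so; the added example block describes the same three zones but is commented out, which an upgrader from 2.0 may read as the still-active default. A short line after the example, e.g. `# No zones are defined by default; every zone referenced elsewhere in the configuration must be declared below.`, would make the change in shipped defaults explicit.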