Move 2.2.0+ to STABLE2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1939 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d356631782
commit
a32c5eb849
@ -1,4 +1,4 @@
|
||||
Shoreline Firewall (Shorewall) Version 2.0 - 2/14/2004
|
||||
Shoreline Firewall (Shorewall) Version 2.2
|
||||
----- ----
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Accounting File
|
||||
# Shorewall version 2.2 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
@ -47,9 +47,12 @@
|
||||
# Format the same as the SOURCE column.
|
||||
#
|
||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||
# number.
|
||||
# number, or "ipp2p"
|
||||
#
|
||||
# DEST PORT Destination Port number
|
||||
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
|
||||
# this column must contain an ipp2p option ("iptables -m
|
||||
# ipp2p --help") without the leading "--". If no option
|
||||
# is given in this column, "ipp2p" is assumed.
|
||||
#
|
||||
# Service name from /etc/services or port number. May
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
@ -61,13 +64,33 @@
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the CHAIN is
|
||||
# OUTPUT.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
||||
# PORT PORT
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT PORT GROUP
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
|
11
STABLE2/action.AllowICMPs
Normal file
11
STABLE2/action.AllowICMPs
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# ACCEPT needed ICMP types
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#
|
||||
ACCEPT - - icmp fragmentation-needed
|
||||
ACCEPT - - icmp time-exceeded
|
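Review bot: The two ACCEPT lines that close the new file leave the RATE LIMIT column empty, so wherever the action is invoked (action.Drop and action.Reject in this same commit call it as `AllowICMPs - - icmp`) unsolicited fragmentation-needed and time-exceeded messages from any source are accepted unconditionally, with no connection-state check in front of them; forged fragmentation-needed messages are the classic way to shrink a peer's path MTU. Consider filling the rate column on both lines, e.g. `ACCEPT - - icmp fragmentation-needed - 10/sec:20` (confirm the rate syntax this release accepts), and stating in the header comment that the action accepts these types regardless of state. The file also lacks the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer that every other action file in this commit ends with.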
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
@ -7,4 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - udp 123
|
||||
ACCEPT - - udp 1024: 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
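Review bot: The added `ACCEPT - - udp 1024: 123` accepts any UDP datagram with source port 123 to every destination port from 1024 upward, with no state condition, so a remote host able to bind port 123 can use it to reach arbitrary unprivileged UDP services in whichever direction the action is applied. Presumably replies to requests the firewall has already seen are accepted by connection tracking, which would make this rule relevant only to responses whose request was never tracked; if that case is the reason for the change, it deserves a sentence in the header. At minimum add a warning next to the rule, e.g. `# The second rule accepts any UDP from source port 123 to ports >= 1024; invoke this action only toward trusted NTP peers.`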
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 30 hops):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
@ -7,5 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 80
|
||||
ACCEPT - - TCP 443
|
||||
ACCEPT - - tcp 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,16 +1,49 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Drop
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
|
||||
# Otherwise, you may experience problems establishing connections with
|
||||
# servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
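Review bot: `AllowICMPs - - icmp` is placed ahead of `dropInvalid`, so a fragmentation-needed or time-exceeded message that connection tracking cannot tie to any connection (and therefore marks INVALID) is ACCEPTed before the drop rule runs, and the comment just below says such INVALID packets are usually ICMP. If the intent is to accept only ICMP errors that belong to a tracked connection, move the `dropInvalid` entry and its comment above `AllowICMPs - - icmp` so the state check comes first; the same ordering appears in action.Reject. While in this hunk, `# Drop packets that in the INVALID state` should read `# Drop packets that are in the INVALID state`.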
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
|
@ -1,16 +1,46 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Reject
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' REJECT
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log (these ICMPs cannot be rejected).
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the lot.
|
||||
#
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
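Review bot: In the new ordering `AllowICMPs - - icmp` runs before `dropInvalid`, so a fragmentation-needed or time-exceeded message conntrack could not match to a connection is accepted before the INVALID check, and the remark that "these ICMPs cannot be rejected" applies only to whatever still reaches the later rule. Swapping the two entries, `dropInvalid` first and then `AllowICMPs - - icmp`, keeps the state check in front of the unconditional accept. Two comment fixes in the same hunk: `# Drop packets that in the INVALID state` should be `# Drop packets that are in the INVALID state`, and `clutter up the lot` should be `clutter up the log`.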
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.template
|
||||
# Shorewall 2.2 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
@ -37,6 +37,10 @@
|
||||
# ACCEPT:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# The special log level 'none' does not result in logging
|
||||
# but rather exempts the rule from being overridden by a
|
||||
# non-forcing log level when the action is invoked.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
@ -61,6 +65,10 @@
|
||||
#
|
||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
||||
#
|
||||
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
||||
# kernel and iptables must have
|
||||
# iprange match support.
|
||||
#
|
||||
# 192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2.
|
||||
@ -77,10 +85,6 @@
|
||||
# DEST Location of Server. Same as above with the exception that
|
||||
# MAC addresses are not allowed.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
@ -155,6 +159,6 @@
|
||||
# #of the 'kids' group
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
||||
# PORT PORT(S) LIMIT
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/actions
|
||||
# Shorewall 2.2 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
|
@ -1,19 +1,17 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID conntrack
|
||||
# #state
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
@ -36,6 +34,7 @@ AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowICMPs #Allows critical ICMP types
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Blacklist File
|
||||
# Shorewall 2.2 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
@ -7,7 +7,9 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
|
||||
# range (if your kernel and iptables contain iprange
|
||||
# match support).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
@ -21,10 +23,10 @@
|
||||
# is TCP (6) or UDP (17). A comma-separated list
|
||||
# of port numbers or service names from /etc/services.
|
||||
#
|
||||
# When a packet arrives on in interface that has the 'blacklist' option
|
||||
# specified, its source IP address is checked against this file and disposed of
|
||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
||||
# /etc/shorewall/shorewall.conf
|
||||
# When a packet arrives on an interface that has the 'blacklist' option
|
||||
# specified in /etc/shorewall/interfaces, its source IP address is checked
|
||||
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
|
||||
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0-- Bogons File
|
||||
# Shorewall 2.2-- Bogons File
|
||||
#
|
||||
# /etc/shorewall/bogons
|
||||
#
|
||||
@ -14,7 +14,9 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# SUBNET The subnet (host addresses also allowed as are IP
|
||||
# address ranges provided that your kernel and iptables
|
||||
# include iprange match support).
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
|
@ -1,121 +1,222 @@
|
||||
Changes in 2.0.4
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Fix DNAT logging with 'fw' as the source zone.
|
||||
1) Add examples to the zones and policy files.
|
||||
|
||||
Change in 2.0.5
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
1) Eradicate more RESTOREBASE messages.
|
||||
Changes since 2.0.3
|
||||
|
||||
2) Remove 'mangle' reference from shorewall.conf.
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
Change in 2.0.6
|
||||
2) Hack security fix so that it works under Slackware.
|
||||
|
||||
1) Add PKTTYPE option.
|
||||
3) Correct mktempfile() for case where mktemp isn't installed.
|
||||
|
||||
shorewall.conf
|
||||
firewall
|
||||
4) Implement 'dropInvalid' builtin action.
|
||||
|
||||
2) Sanitized some correct but confusing code in determine_hosts().
|
||||
5) Fix logging nat rules.
|
||||
|
||||
There was a loop:
|
||||
6) Fix COMMAND typos.
|
||||
|
||||
for networks in $networks
|
||||
...
|
||||
7) Add PKTTYPE option.
|
||||
|
||||
It now reads:
|
||||
8) Enhancements to /etc/shorewall/masq
|
||||
|
||||
for network in $networks
|
||||
...
|
||||
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||
|
||||
9) Fix syntax error in setup_nat()
|
||||
|
||||
3) Don't give shorewall.conf and zones execute permission.
|
||||
10) Port "shorewall status" changes from 2.0.7.
|
||||
|
||||
4) Backport 'dropInvalid' from 2.1
|
||||
11) All config files are now empty.
|
||||
|
||||
Changes in 2.0.7
|
||||
12) Port blacklisting fix from 2.0.7
|
||||
|
||||
1) Include output of "ip rule ls" and "ip route ls" in "shorewall
|
||||
status".
|
||||
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||
Prep work for action logging.
|
||||
|
||||
2) Consult PKTTYPE when generating 'REJECT' rules.
|
||||
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||
|
||||
3) Enhance IP/Routing output in "shorewall status".
|
||||
15) Implement STARTUP_ENABLED.
|
||||
|
||||
4) Correct handling of multiple 'blacklist' interfaces.
|
||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||
|
||||
5) Add "0.0.0.0 RETURN" to nobogons.
|
||||
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||
|
||||
Changes in 2.0.8
|
||||
18) Removed DNAT ONLY column.
|
||||
|
||||
1) Removed dead code from process_actions2()
|
||||
19) Added IPSEC column to /etc/shorewall/masq.
|
||||
|
||||
2) Corrected read command in process_actions2() (userspec)
|
||||
20) No longer enforce source port 500 for ISAKMP.
|
||||
|
||||
Changes in 2.0.9
|
||||
21) Apply policy to interface/host options.
|
||||
|
||||
1) Corrected setup_tc1() handling of the PROTO column.
|
||||
22) Fix policy and maclist.
|
||||
|
||||
2) Added warning about ADD_SNAT_ALIASES in the masq file.
|
||||
23) Implement additional IPSEC options for zones and masq entries.
|
||||
|
||||
3) Added "brctl show" to the status command.
|
||||
24) Deprecate the -c option in /sbin/shorewall.
|
||||
|
||||
Changes in 2.0.10
|
||||
25) Allow distinct input and output IPSEC parameters.
|
||||
|
||||
1) Corrected GATEWAY handling for 'pptpserver's
|
||||
26) Allow source port remapping in /etc/shorewall/masq.
|
||||
|
||||
2) Correct log rule number generation.
|
||||
27) Include params file on 'restore'
|
||||
|
||||
3) Add clarification to /etc/shorewall/tcrules.
|
||||
28) Apply Richard Musil's patch.
|
||||
|
||||
4) Apply part of Ian Allen's fix for down interface in the SUBNET
|
||||
column of /etc/shorewall/masq.
|
||||
29) Correct parsing of PROTO column in setup_tc1().
|
||||
|
||||
5) Add key /proc settings to "shorewall status" output.
|
||||
30) Verify Physdev match if BRIDGING=Yes
|
||||
|
||||
Changes in 2.0.11
|
||||
31) Don't NAT tunnel traffic.
|
||||
|
||||
1) Add note for Slackware users to INSTALL.
|
||||
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
|
||||
|
||||
2) Correct bogons file.
|
||||
33) Add iprange support.
|
||||
|
||||
3) Replace service names by port numbers in /etc/shorewall/tos.
|
||||
34) Add CLASSIFY support.
|
||||
|
||||
4) Added NNTPS to action.AllowNNTP.
|
||||
35) Fix iprange support so that ranges in both source and destination
|
||||
work.
|
||||
|
||||
5) Fix install.sh
|
||||
36) Remove logunclean and dropunclean
|
||||
|
||||
Changes in 2.0.12
|
||||
37) Fixed proxy arp flag setting for complex configurations.
|
||||
|
||||
1) Correct typo in shorewall.conf.
|
||||
38) Added RETAIN_ALIASES option.
|
||||
|
||||
2) Fix "shorewall add" and "shorewall delete" with bridging.
|
||||
39) Relax OpenVPN source port restrictions.
|
||||
|
||||
3) Implement variable expansion in INCLUDE directives
|
||||
40) Implement DELAYBLACKLISTLOAD.
|
||||
|
||||
4) Split restore-base into two files.
|
||||
41) Avoid double-setting proxy arp flags.
|
||||
|
||||
5) Correct dynamic zone OUTPUT handling.
|
||||
42) Fix DELAYBLACKLISTLOAD=No.
|
||||
|
||||
Changes in 2.0.13
|
||||
43) Merge 'brctl show' change from 2.0.9.
|
||||
|
||||
1) Correct typo in "shorewall add" code.
|
||||
44) Implememt LOGTAGONLY.
|
||||
|
||||
Changes in 2.0.14
|
||||
45) Merge 'tcrules' clarification from 2.0.10.
|
||||
|
||||
1) Log drops due to policy rate limiting.
|
||||
46) Implement 'sourceroute' interface option.
|
||||
|
||||
2) Fix typo in interfaces file.
|
||||
47) Add 'AllowICMPs' action.
|
||||
|
||||
3) Eliminate "bad variable" errors during stop/clear.
|
||||
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
||||
handled before traffic from non-IPSEC zones.
|
||||
|
||||
4) Fix typo in tunnels file.
|
||||
49) Correct logmartians handling.
|
||||
|
||||
Changes in 2.0.15
|
||||
50) Add a clarification and fix a typo in the blacklist file.
|
||||
|
||||
1) Increased port range for Traceroute.
|
||||
51) Allow setting a specify MSS value.
|
||||
|
||||
2) Corrected port of rate-limit logging change.
|
||||
52) Detect duplicate zone names.
|
||||
|
||||
Changes in 2.0.16
|
||||
53) Add mss=<number> option to the ipsec file.
|
||||
|
||||
1) Backport DROPINVALID from 2.2.0.
|
||||
54) Added CONNMARK/ipp2p support.
|
||||
|
||||
55) Added LOGALLNEW support.
|
||||
|
||||
56) Fix typo in check_config()
|
||||
|
||||
57) Allow outgoing NTP responses in action.AllowNTP.
|
||||
|
||||
58) Clarification of the 'ipsec' hosts file option.
|
||||
|
||||
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||
|
||||
60) Restore missing '#' in the rfc1918 file.
|
||||
|
||||
61) Add note for Slackware users to INSTALL.
|
||||
|
||||
62) Allow interface in DEST tcrules column.
|
||||
|
||||
63) Remove 'ipt_unclean' from search expression in "log" commands.
|
||||
|
||||
64) Remove nonsense from IPSEC description in masq file.
|
||||
|
||||
65) Correct typo in rules file.
|
||||
|
||||
66) Update bogons file.
|
||||
|
||||
67) Add a rule for NNTPS to action.AllowNNTP
|
||||
|
||||
68) Fix "shorewall add"
|
||||
|
||||
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||
|
||||
70) Correct typo in shorewall.conf.
|
||||
|
||||
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||
|
||||
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||
|
||||
73) Fixed some bugs in Tuomas's patch.
|
||||
|
||||
74) Correct bug in "shorewall add"
|
||||
|
||||
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
||||
|
||||
76) Add "shorewall show zones"
|
||||
|
||||
77) Remove dependency of "show zones" on dynamic zones.
|
||||
|
||||
78) Implement variable expansion in INCLUDE directives
|
||||
|
||||
79) More fixes for "shorewall delete" with bridging.
|
||||
|
||||
80) Split restore-base into two files.
|
||||
|
||||
81) Correct OUTPUT handling of dynamic zones.
|
||||
|
||||
83) Add adapter statistics to the output of "shorewall status".
|
||||
|
||||
84) Log drops due to policy rate limiting.
|
||||
|
||||
85) Continue determining capabilities when fooX1234 already exists.
|
||||
|
||||
86) Corrected typo in interfaces file.
|
||||
|
||||
87) Add DROPINVALID option.
|
||||
|
||||
88) Allow list of hosts in add and delete commands. Fix ipsec problem
|
||||
with "add" and "delete"
|
||||
|
||||
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
|
||||
|
||||
90) Implement OpenVPN TCP support.
|
||||
|
||||
91) Simplify the absurdly over-engineered code that restores the
|
||||
dynamic chain.
|
||||
|
||||
92) Add OPENVPNPORT option.
|
||||
|
||||
93) Remove OPENVPNPORT option and change default port to 1194.
|
||||
|
||||
94) Avoid shell error during "shorewall stop/clear"
|
||||
|
||||
95) Change encryption to blowfish in 'ipsecvpn' script.
|
||||
|
||||
96) Correct rate limiting rule example.
|
||||
|
||||
97) Fix <if>:: handling in setup_masq().
|
||||
|
||||
98) Fix mis-leading typo in tunnels.
|
||||
|
||||
99) Fix brain-dead ipsec option handling in setup_masq().
|
||||
|
||||
100) Reconcile ipsec masq file implementation with the documentation.
|
||||
|
||||
101) Add netfilter module display to status output.
|
||||
|
||||
102) Add 'allowInvalid' builtin action.
|
||||
|
||||
103) Expand range of Traceroute ports.
|
||||
|
||||
102) Correct uninitialized variable in setup_ecn()
|
||||
|
||||
103) Allow DHCP to be IPSEC-encrypted.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Default Config Path
|
||||
# Shorewall version 2.2 - Default Config Path
|
||||
#
|
||||
# /usr/share/shorewall/configpath
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
||||
# Shorewall 2.2 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
@ -12,7 +12,9 @@
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
||||
# include iprange match support then IP address ranges
|
||||
# are also permitted.
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -5,7 +5,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||
#
|
||||
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=2.0.16
|
||||
VERSION=2.2.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -85,6 +85,8 @@ restore_file /etc/shorewall/policy
|
||||
|
||||
restore_file /etc/shorewall/interfaces
|
||||
|
||||
restore_file /etc/shorewall/ipsec
|
||||
|
||||
restore_file /etc/shorewall/hosts
|
||||
|
||||
restore_file /etc/shorewall/rules
|
||||
|
2431
STABLE2/firewall
2431
STABLE2/firewall
@ -1,6 +1,27 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.0 -- /usr/share/shorewall/functions
|
||||
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
# dash do not support that form of expansion.
|
||||
#
|
||||
|
||||
truncate() # $1 = length
|
||||
{
|
||||
cut -b -${1}
|
||||
}
|
||||
|
||||
#
|
||||
# Split a colon-separated list into a space-separated list
|
||||
#
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
}
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
@ -229,7 +250,7 @@ find_zones() # $1 = name of the zone file
|
||||
\#*)
|
||||
;;
|
||||
$FW)
|
||||
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
echo $zone
|
||||
@ -255,12 +276,16 @@ determine_zones()
|
||||
multi_display=Multi-zone
|
||||
strip_file zones $zonefile
|
||||
zones=$(find_zones $TMP_DIR/zones)
|
||||
zones=$(echo $zones) # Remove extra trash
|
||||
newzones=
|
||||
|
||||
for zone in $zones; do
|
||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
|
||||
eval ${zone}_display=\$dsply
|
||||
newzones="$newzones $zone"
|
||||
done
|
||||
|
||||
zones=${newzones# }
|
||||
}
|
||||
|
||||
#
|
||||
@ -377,7 +402,7 @@ mktempfile() {
|
||||
> $1/shorewall-$$ && echo $1/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -393,7 +418,7 @@ mktempfile() {
|
||||
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -417,7 +442,7 @@ mktempdir() {
|
||||
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempdir"
|
||||
echo " ERROR:Internal error in mktempdir" >&2
|
||||
;;
|
||||
esac
|
||||
}
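Review bot: `mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$` leaves a window between creation and chmod in which the directory carries the umask-derived mode; `mkdir -m 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$` does both in one step. mkdir on the fixed name correctly fails if the path already exists, so the symlink concern of the file variant does not apply here. This hunk only redirects the internal-error message; the rest of mktempdir is above it.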
|
||||
@ -532,6 +557,13 @@ ip_range() {
|
||||
local first last l x y z vlsm
|
||||
|
||||
case $1 in
|
||||
!*)
|
||||
#
|
||||
# Let iptables complain if it's a range
|
||||
#
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
@ -680,6 +712,9 @@ chain_base() #$1 = interface
|
||||
*-*)
|
||||
c="${c%-*}_${c##*-}"
|
||||
;;
|
||||
*%*)
|
||||
c="${c%\%*}_${c##*%}"
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
return
|
||||
@ -699,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
|
||||
case $1 in
|
||||
*+)
|
||||
#
|
||||
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
|
||||
# variable expansion :-(
|
||||
#
|
||||
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
|
||||
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
|
||||
;;
|
||||
*)
|
||||
test "x$1" = "x$2"
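Review bot: The prefix test still forks `echo` and `cut` through the new truncate helper for every interface comparison, and depends on `$pattern`, which is set above this hunk; the shell can do the same prefix match without a pipeline: `case $2 in "$pattern"*) return 0;; *) return 1;; esac`. Quoting the pattern keeps any glob characters literal, which matches the byte-for-byte comparison the cut-based test performs. If `$pattern` can be empty (a bare `+` in the interfaces file), `cut -b -0` fails where the case form would match every interface, so confirm which behaviour is intended before switching.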
|
||||
@ -767,3 +798,11 @@ find_interface_by_address() {
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
||||
#
|
||||
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
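Review bot: find_interface_addresses runs `ip -f inet addr show $1` without checking that an interface name was passed, and `ip addr show` with no device argument lists every interface, so an empty `$1` silently returns the addresses of the whole host instead of nothing. A guard such as `[ -n "$1" ] || return 1` at the top of the function makes that failure visible, and redirecting the command's stderr (`2> /dev/null`, as the ipsecvpn script added in this same commit does for the same command) keeps a nonexistent device from spraying errors into a `$(...)` caller's output. The `grep inet` filter is fine given `-f inet`, but a comment noting that `-f inet` is what excludes inet6 lines would save the next reader a check.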
|
||||
|
51
STABLE2/help
51
STABLE2/help
@ -1,11 +1,11 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
||||
# Shorewall help subsystem - V2.2
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
#
|
||||
# This file should be placed in /usr/share/shorewall/help
|
||||
@ -29,11 +29,18 @@
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
echo "add: add <interface>[:<host-list>] ... <zone>
|
||||
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:port][:host] zone - Adds the specified interface
|
||||
(and bridge port/host if included) to the specified zone.
|
||||
shorewall add interface:host-list ... zone - Adds the specified interface
|
||||
(and host-list if included) to the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
@ -46,7 +53,9 @@ add)
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24"
|
||||
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
|
||||
match support then IP address ranges of the form <low address>-<high address>
|
||||
are also permitted."
|
||||
;;
|
||||
|
||||
allow)
|
||||
@ -60,7 +69,7 @@ allow)
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
echo "check: check [ <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
@ -93,11 +102,18 @@ debug)
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
echo "delete: delete <interface>[:<host-list>] ... <zone>
|
||||
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||
interface (and bridge port/host if included) from the specified zone.
|
||||
shorewall delete interface[:host-list] ... zone - Deletes the specified
|
||||
interfaces (and host list if included) from the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
@ -187,7 +203,7 @@ reset)
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
||||
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are maintained.
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
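Review bot: The context line in this hunk spells "detain" for "detail" in the `-q` description; it should read `If \"-q\" is specified, less detail is displayed making it easier to spot warnings"`, as the start entry further down already does. The new syntax line moves `-q` before the command to match the other entries, but the description text was left as is.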
|
||||
@ -217,7 +233,7 @@ save)
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
|
||||
|
||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
@ -236,17 +252,20 @@ show)
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration.
|
||||
|
||||
shorewall show zones - displays the contents of all zones.
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
||||
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies.
|
||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists"
|
||||
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||
case, a <configuration-directory> may not be specified".
|
||||
;;
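Review bot: The closing period of the new sentence sits outside the closing quote, `specified".`; the shell glues it onto the same word so the printed text is unchanged, but it reads as a stray character and should move inside the string: `case, a <configuration-directory> may not be specified."`. Nothing else in this hunk changes behaviour.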
|
||||
|
||||
stop)
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
||||
# Shorewall 2.2 - /etc/shorewall/hosts
|
||||
#
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
@ -28,12 +28,15 @@
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
# c) A physical port name; only allowed when the
|
||||
# c) An IP address range of the form <low address>-<high
|
||||
# address>. Your kernel and iptables must have iprange
|
||||
# match support.
|
||||
# d) A physical port name; only allowed when the
|
||||
# interface names a bridge created by the
|
||||
# brctl addbr command. This port must not
|
||||
# be defined in /etc/shorewall/interfaces and may
|
||||
# optionally followed by a colon (":") and a
|
||||
# host or network IP.
|
||||
# host or network IP or a range.
|
||||
# See http://www.shorewall.net/Bridge.html for details.
|
||||
#
|
||||
# Examples:
|
||||
@ -43,6 +46,7 @@
|
||||
# eth3:192.168.2.0/24,192.168.3.1
|
||||
# br0:eth4
|
||||
# br0:eth0:192.168.1.16/28
|
||||
# eth4:192.168.1.44-192.168.1.49
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
@ -124,5 +128,12 @@
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# ipsec - The zone is accessed via a
|
||||
# kernel 2.6 ipsec SA. Note that if the
|
||||
# zone named in the ZONE column is
|
||||
# specified as an IPSEC zone in the
|
||||
# /etc/shorewall/ipsec file then you do NOT
|
||||
# need to specify the 'ipsec' option here.
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/init
|
||||
# Shorewall 2.2 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
|
@ -1,11 +1,11 @@
|
||||
#!/bin/sh
|
||||
RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
|
||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/initdone
|
||||
# Shorewall 2.2 -- /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=2.0.16
|
||||
VERSION=2.2.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -176,16 +176,16 @@ echo "Shorewall script installed in ${PREFIX}${DEST}/$INIT"
|
||||
#
|
||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||
#
|
||||
mkdir -p ${PREFIX}/etc/shorewall && chmod 700 ${PREFIX}/etc/shorewall
|
||||
mkdir -p ${PREFIX}/usr/share/shorewall && chmod 700 ${PREFIX}/usr/share/shorewall
|
||||
mkdir -p ${PREFIX}/var/lib/shorewall && chmod 700 ${PREFIX}/var/lib/shorewall
|
||||
mkdir -p ${PREFIX}/etc/shorewall
|
||||
mkdir -p ${PREFIX}/usr/share/shorewall
|
||||
mkdir -p ${PREFIX}/var/lib/shorewall
|
||||
#
|
||||
# Install the config file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
|
||||
backup_file /etc/shorewall/shorewall.conf
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
|
||||
echo
|
||||
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
|
||||
fi
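Review bot: This hunk widens install permissions in two ways without a stated reason: the `chmod 700` on /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall is dropped, and shorewall.conf goes from 0600 to 0744, which adds execute bits to a file that is only read. If the intent is to let non-root users read the configuration, 0644 is the conventional mode; if it is not, the old 0600 should stay, since the configuration describes the host's zones, policies and addresses. The zones file in the next hunk gets the same 0744 change while the new ipsec file later in this diff is installed 0600, so the config-file modes are now inconsistent.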
|
||||
@ -195,7 +195,7 @@ fi
|
||||
if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 zones ${PREFIX}/etc/shorewall/zones
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo
|
||||
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||
fi
|
||||
@ -247,6 +247,16 @@ else
|
||||
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
|
||||
fi
|
||||
#
|
||||
# Install the ipsec file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
|
||||
backup_file /etc/shorewall/ipsec
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
|
||||
echo
|
||||
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
|
||||
fi
|
||||
#
|
||||
# Install the hosts file
|
||||
#
|
||||
if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
|
||||
@ -539,8 +549,7 @@ fi
|
||||
#
|
||||
install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
|
||||
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -n "$first_install" ]; then
|
||||
if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
||||
if [ -n "$DEBIAN" ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||
@ -552,7 +561,7 @@ if [ -z "$PREFIX" ]; then
|
||||
if insserv /etc/init.d/shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
@ -560,7 +569,7 @@ if [ -z "$PREFIX" ]; then
|
||||
if chkconfig --add shorewall ; then
|
||||
echo
|
||||
echo "shorewall will start automatically in run levels as follows:"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
chkconfig --list shorewall
|
||||
else
|
||||
cant_autostart
|
||||
@ -569,23 +578,16 @@ if [ -z "$PREFIX" ]; then
|
||||
if rc-update add shorewall default; then
|
||||
echo
|
||||
echo "shorewall will start automatically at boot"
|
||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
||||
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||
else
|
||||
cant_autostart
|
||||
fi
|
||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||
cant_autostart
|
||||
fi
|
||||
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" > /etc/shorewall/startup_disabled
|
||||
fi
|
||||
elif [ -n "$DEBIAN" -a ! -f /etc/default/shorewall ]; then
|
||||
run_install -o $OWNER -g $GROUP -m 0644 default.debian /etc/default/shorewall
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
# Report Success
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Interfaces File
|
||||
# Shorewall 2.2 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
@ -75,12 +75,23 @@
|
||||
# option does not cover those ranges
|
||||
# reserved by RFC 1918 -- see above).
|
||||
#
|
||||
# I PERSONALLY RECOMMEND AGAINST USING
|
||||
# THE 'nobogons' OPTION.
|
||||
#
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# logmartians - turn on kernel martian logging (logging
|
||||
# of packets with impossible source
|
||||
# addresses. It is suggested that if you
|
||||
# set routefilter on an interface that
|
||||
# you also set logmartians. This option
|
||||
# may also be enabled globally in the
|
||||
# /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
|
58
STABLE2/ipsec
Normal file
58
STABLE2/ipsec
Normal file
@ -0,0 +1,58 @@
|
||||
#
|
||||
# Shorewall 2.2 - /etc/shorewall/ipsec
|
||||
#
|
||||
# This file defines the attributes of zones with respect to
|
||||
# IPSEC. To use this file, you must be running a 2.6 kernel and
|
||||
# both your kernel and iptables must include Policy Match Support.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# ZONE The name of a zone defined in /etc/shorewall/zones. The
|
||||
# $FW zone may not be listed.
|
||||
#
|
||||
# IPSEC Yes -- Communication with all zone hosts is encrypted
|
||||
# ONLY No -- Communication with some zone hosts is encrypted.
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS, A comma-separated list of options as follows:
|
||||
# IN OPTIONS,
|
||||
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA used to encrypt/decrypt packets.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# strict Means that packets must match all rules.
|
||||
#
|
||||
# next Separates rules; can only be used with
|
||||
# strict..
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
# applied to outgoing traffic.
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
###################################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
296
STABLE2/ipsecvpn
Normal file
296
STABLE2/ipsecvpn
Normal file
@ -0,0 +1,296 @@
|
||||
#!/bin/sh
|
||||
|
||||
################################################################################
|
||||
#
|
||||
# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
|
||||
# IPSEC connection
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
|
||||
RCDLINKS="2,S42 3,S42 6,K42"
|
||||
|
||||
#### BEGIN INIT INFO
|
||||
# Provides: ipsecvpn
|
||||
# Required-Start: $shorewall
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Description: starts and stops a tunnel-mode VPN connection
|
||||
### END INIT INFO
|
||||
|
||||
# chkconfig: 2345 26 89
|
||||
# description: IPSEC tunnel-mode connection
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# External Interface
|
||||
#
|
||||
INTERFACE=eth0
|
||||
#
|
||||
# Remote IPSEC Gateway
|
||||
#
|
||||
GATEWAY=1.2.3.4
|
||||
#
|
||||
# Networks behind the remote gateway (space-separated list)
|
||||
#
|
||||
NETWORKS="192.168.1.0/24"
|
||||
#
|
||||
# Directory where X.509 certificates are stored.
|
||||
#
|
||||
CERTS=/etc/certs
|
||||
#
|
||||
# Certificate to be used for this connection. The cert
|
||||
# directory must contain:
|
||||
#
|
||||
# ${CERT}.pem - the certificate
|
||||
# ${CERT}_key.pem - the certificates's key
|
||||
#
|
||||
CERT=roadwarrior
|
||||
#
|
||||
# The setkey binary
|
||||
#
|
||||
SETKEY=/usr/sbin/setkey
|
||||
#
|
||||
# The racoon binary
|
||||
#
|
||||
RACOON=/usr/sbin/racoon
|
||||
|
||||
#
|
||||
# Message to stderr
|
||||
#
|
||||
error_message() # $* = Error Message
|
||||
{
|
||||
echo " $@" >&2
|
||||
}
|
||||
|
||||
#
|
||||
# Fatal error -- stops the firewall after issuing the error message
|
||||
#
|
||||
fatal_error() # $* = Error Message
|
||||
{
|
||||
echo " Error: $@" >&2
|
||||
exit 2
|
||||
}
|
||||
|
||||
#
|
||||
# Find interface address--returns the first IP address assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_first_interface_address() # $1 = interface
|
||||
{
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
|
||||
#
|
||||
# If there wasn't one, bail out now
|
||||
#
|
||||
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
|
||||
#
|
||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||
# along with everything else on the line
|
||||
#
|
||||
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
#
|
||||
# Create a Racoon configuration file using the variables above
|
||||
#
|
||||
make_racoon_conf() {
|
||||
echo "path certificate \"$CERTS\";"
|
||||
echo
|
||||
echo "listen"
|
||||
echo "{"
|
||||
echo " isakmp $IPADDR;"
|
||||
echo "}"
|
||||
echo
|
||||
echo "remote $GATEWAY"
|
||||
echo "{"
|
||||
echo " exchange_mode main;"
|
||||
echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";"
|
||||
echo " verify_cert on;"
|
||||
echo " my_identifier asn1dn ;"
|
||||
echo " peers_identifier asn1dn ;"
|
||||
echo " verify_identifier on ;"
|
||||
echo " lifetime time 24 hour ;"
|
||||
echo " proposal {"
|
||||
echo " encryption_algorithm blowfish;"
|
||||
echo " hash_algorithm sha1;"
|
||||
echo " authentication_method rsasig ;"
|
||||
echo " dh_group 2 ;"
|
||||
echo " }"
|
||||
echo "}"
|
||||
echo
|
||||
|
||||
for network in $NETWORKS; do
|
||||
echo "sainfo address $IPADDR/32 any address $network any"
|
||||
echo "{"
|
||||
echo " pfs_group 2;"
|
||||
echo " lifetime time 12 hour ;"
|
||||
echo " encryption_algorithm blowfish ;"
|
||||
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
|
||||
echo " compression_algorithm deflate ;"
|
||||
echo "}"
|
||||
echo
|
||||
echo "sainfo address $network any address $IPADDR/32 any"
|
||||
echo "{"
|
||||
echo " pfs_group 2;"
|
||||
echo " lifetime time 12 hour ;"
|
||||
echo " encryption_algorithm blowfish ;"
|
||||
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
|
||||
echo " compression_algorithm deflate ;"
|
||||
echo "}"
|
||||
|
||||
done
|
||||
|
||||
echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any"
|
||||
echo "{"
|
||||
echo " pfs_group 2;"
|
||||
echo " lifetime time 12 hour ;"
|
||||
echo " encryption_algorithm blowfish ;"
|
||||
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
|
||||
echo " compression_algorithm deflate ;"
|
||||
echo "}"
|
||||
echo
|
||||
echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any"
|
||||
echo "{"
|
||||
echo " pfs_group 2;"
|
||||
echo " lifetime time 12 hour ;"
|
||||
echo " encryption_algorithm blowfish ;"
|
||||
echo " authentication_algorithm hmac_sha1, hmac_md5 ;"
|
||||
echo " compression_algorithm deflate ;"
|
||||
echo "}"
|
||||
}
|
||||
|
||||
#
|
||||
# Make a setkey configuration file using the variables above
|
||||
#
|
||||
make_setkey_conf()
|
||||
{
|
||||
echo "flush;"
|
||||
echo "spdflush;"
|
||||
|
||||
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
|
||||
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
|
||||
|
||||
for network in $NETWORKS; do
|
||||
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
|
||||
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Start the Tunnel
|
||||
#
|
||||
start()
|
||||
{
|
||||
#
|
||||
# Get the first IP address configured on the device in INTERFACE
|
||||
#
|
||||
IPADDR=$(find_first_interface_address $INTERFACE)
|
||||
#
|
||||
# Create the name of the setkey temporary file
|
||||
#
|
||||
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
|
||||
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
|
||||
#
|
||||
# Create the file
|
||||
#
|
||||
make_setkey_conf > $TEMPFILE
|
||||
#
|
||||
# Create the SPD
|
||||
#
|
||||
$SETKEY -f $TEMPFILE
|
||||
#
|
||||
# We can now remove the file
|
||||
#
|
||||
rm -f $TEMPFILE
|
||||
#
|
||||
# Create another name -- make this distict to aid debugging
|
||||
# (just comment out the 'rm' commands)
|
||||
#
|
||||
TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX)
|
||||
[ $? -eq 0 ] || fatal_error "Can't create temporary file name"
|
||||
#
|
||||
# Create the file
|
||||
#
|
||||
make_racoon_conf > $TEMPFILE
|
||||
#
|
||||
# Start Racoon Daemon
|
||||
#
|
||||
$RACOON -4 -f $TEMPFILE
|
||||
#
|
||||
# Once the Daemon is running, we can remove the file
|
||||
#
|
||||
rm -f $TEMPFILE
|
||||
}
|
||||
#
|
||||
# Stop the Tunnel
|
||||
#
|
||||
stop()
|
||||
{
|
||||
#
|
||||
# Kill any racoon daemons
|
||||
#
|
||||
killall racoon
|
||||
#
|
||||
# Purge the SAD and SPD
|
||||
#
|
||||
setkey -F -FP
|
||||
}
|
||||
|
||||
#
|
||||
# Display command syntax and abend
|
||||
#
|
||||
usage()
|
||||
{
|
||||
error_message "usage: $(basename $0) [start|stop|restart]"
|
||||
exit 1
|
||||
}
|
||||
################################################################################
|
||||
# C O D E S T A R T S H E R E
|
||||
################################################################################
|
||||
[ $# -eq 1 ] || usage
|
||||
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
restart)
|
||||
stop
|
||||
sleep 2
|
||||
start
|
||||
;;
|
||||
*)
|
||||
usage
|
||||
;;
|
||||
esac
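Review bot: In start() the exit status of `$SETKEY -f $TEMPFILE` is ignored, so if a spdadd line is rejected the SPD has already been flushed and traffic to $NETWORKS leaves the host unprotected with no error; check it before continuing, e.g. `$SETKEY -f $TEMPFILE || { rm -f $TEMPFILE; fatal_error "setkey failed"; }`, and do the same for `$RACOON`. stop() uses bare `setkey` instead of `$SETKEY`, and `killall racoon` plus `setkey -F -FP` tear down every racoon instance and every SA/SPD entry on the host, not only the ones this script created, which matters on a roadwarrior that also runs other IPsec connections. In the generated sainfo blocks `authentication_algorithm hmac_sha1, hmac_md5` lets the peer select MD5; dropping `hmac_md5` is a one-word change, and blowfish with dh_group 2 is worth revisiting for any current deployment. find_first_interface_address assigns the global `addr` rather than declaring it local, which is harmless here but inconsistent with the rest of the script.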
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - MAC list file
|
||||
# Shorewall 2.2 - MAC list file
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
@ -15,7 +15,9 @@
|
||||
#
|
||||
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
||||
# must match. This column can contain a comma-separated
|
||||
# list of host and/or subnet addresses.
|
||||
# list of host and/or subnet addresses. If your kernel
|
||||
# and iptables have iprange match support then IP
|
||||
# address ranges are also allowed.
|
||||
##############################################################################
|
||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
78
STABLE2/masq
78
STABLE2/masq
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - Masquerade file
|
||||
# Shorewall 2.2 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
@ -20,6 +20,24 @@
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||
# for this entry then include the ":" but omit the digit:
|
||||
#
|
||||
# eth0:
|
||||
# eth2::192.0.2.32/27
|
||||
#
|
||||
# Normally Masq/SNAT rules are evaluated after those for
|
||||
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||
# the rule to be applied before one-to-one NAT rules,
|
||||
# prefix the interface name with "+":
|
||||
#
|
||||
# +eth0
|
||||
# +eth0:192.0.2.32/27
|
||||
# +eth0:2
|
||||
#
|
||||
# This feature should only be required if you need to
|
||||
# insert rules in this file that preempt entries in
|
||||
# /etc/shorewall/nat.
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
@ -42,13 +60,6 @@
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# If you have set ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf then DO NOT
|
||||
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
|
||||
# ADDRESS IN THIS COLUMN -- If you do so, you
|
||||
# will loose your default route when Shorewall
|
||||
# starts.
|
||||
#
|
||||
# You may also specify a range of up to 256
|
||||
# IP addresses if you want the SNAT address to
|
||||
# be assigned from that range in a round-robin
|
||||
@ -62,6 +73,19 @@
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# Normally, Netfilter will attempt to retain
|
||||
# the source port number. You may cause
|
||||
# netfilter to remap the source port by following
|
||||
# an address or range (if any) by ":" and
|
||||
# a port range with the format <low port>-
|
||||
# <high port>. If this is done, you must
|
||||
# specify "tcp" or "udp" in the PROTO column.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# 192.0.2.4:5000-6000
|
||||
# :4000-5000
|
||||
#
|
||||
# If you want to leave this column empty
|
||||
# but you need to specify the next column then
|
||||
# place a hyphen ("-") here.
|
||||
@ -82,6 +106,42 @@
|
||||
# support and a maximum of 15 ports may be
|
||||
# listed.
|
||||
#
|
||||
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||
# column, you must be running kernel 2.6 and
|
||||
# your kernel and iptables must include policy
|
||||
# match support.
|
||||
#
|
||||
# Comma-separated list of options from the following.
|
||||
# Only packets that will be encrypted via an SA that
|
||||
# matches these options will have their source address
|
||||
# changed.
|
||||
#
|
||||
# Yes or yes -- must be the only option listed
|
||||
# and matches all outbound traffic that will be
|
||||
# encrypted.
|
||||
#
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# strict Means that packets must match all
|
||||
# rules.
|
||||
#
|
||||
# next Separates rules; can only be used
|
||||
# with strict..
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -136,5 +196,5 @@
|
||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 2.0 /etc/shorewall/modules
|
||||
# Shorewall 2.2 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
|
10
STABLE2/nat
10
STABLE2/nat
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
# Shorewall 2.2 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
@ -16,6 +16,7 @@
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
#
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
@ -24,14 +25,21 @@
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
#
|
||||
# If you want to override ADD_IP_ALIASES=Yes for a
|
||||
# particular entry, follow the interface name with
|
||||
# ":" and no digit (e.g., "eth0:").
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
#
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
#
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
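Review bot: The LOCAL column description states only what Yes/yes does and leaves the No/no/empty case undocumented, unlike the ALL INTERFACES column just above it, which spells out both; since an empty column is what existing entries will have, the empty case should be stated explicitly, e.g. `# If No or no (or left empty) then NAT will not be effective from the firewall system` — confirm the actual default against the generator before wording it. The INTERNAL column entry also lacks the blank `#` separator line every other column gets: `# ":" and no digit (e.g., "eth0:").` runs straight into `# INTERNAL Internal Address (must not be a DNS Name).`. Both remarks assume the LOCAL paragraph and the ADD_IP_ALIASES override paragraph are on the new side; the rendered page does not mark which lines were added.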
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Mapping Table
|
||||
# Shorewall 2.2 -- Network Mapping Table
|
||||
#
|
||||
# /etc/shorewall/netmap
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/params
|
||||
# Shorewall 2.2 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Policy File
|
||||
# Shorewall 2.2 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
@ -66,20 +66,24 @@
|
||||
# and the size of an acceptable burst. If not specified,
|
||||
# TCP connections are not limited.
|
||||
#
|
||||
# As shipped, the default policies are:
|
||||
# Example:
|
||||
#
|
||||
# a) All connections from the local network to the internet are allowed
|
||||
# b) All connections from the internet are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
#
|
||||
# #SOURCE DEST POLICY LOG
|
||||
# # LEVEL
|
||||
# loc net ACCEPT
|
||||
# net all DROP info
|
||||
# #
|
||||
# # THE FOLLOWING POLICY MUST BE LAST
|
||||
# #
|
||||
# all all REJECT info
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
#
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
#
|
||||
all all REJECT info
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
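Review bot: The lettered example list skips from b) to d): `# d) All other connection requests are rejected and logged at level` should read `# c)`, assuming these lines are on the new side rather than unchanged context. The commented example header `# #SOURCE DEST POLICY LOG` also omits the LIMIT:BURST column that the live header at the bottom of the file carries, so a reader copying the example gets a narrower template than the file accepts; adding `LIMIT:BURST` to the example header keeps the two consistent. The example's `# THE FOLLOWING POLICY MUST BE LAST` note is repeated above the live `all all REJECT info` entry, which is good, but if the live entries are being removed in favour of the commented example (as the release notes in this commit suggest), the trailing `#LAST LINE -- DO NOT REMOVE` marker should be the only uncommented line left and that is worth a quick check of the installed file.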
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Proxy ARP
|
||||
# Shorewall 2.2 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
|
@ -1,235 +1,600 @@
|
||||
Shorewall 2.0.16
|
||||
Shorewall 2.2.1
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.4
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.2.1
|
||||
|
||||
1) A DNAT rule with 'fw' as the source that specified logging caused
|
||||
"shorewall start" to fail.
|
||||
1) The /etc/shorewall/policy file contained a misleading comment and
|
||||
both that file and the /etc/shorewall/zones file lacked examples.
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.5
|
||||
2) Shorewall previously used root's default umask which could cause
|
||||
files in /var/lib/shorewall to be world-readable. Shorewall now uses
|
||||
umask 0177.
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
|
||||
|
||||
1) Eliminated "$RESTOREBASE: ambiguous redirect" messages during
|
||||
"shorewll stop" in the case where DISABLE_IPV6=Yes in
|
||||
shorewall.conf.
|
||||
1) Shorewall configuration files except shorewall.conf are now empty
|
||||
(they contain only comments). If you wish to retain the defaults
|
||||
in any of the following files, you should copy these files before
|
||||
upgrading them then restore them after the upgrade:
|
||||
|
||||
2) An anachronistic reference to the mangle option was removed from
|
||||
shorewall.conf.
|
||||
/etc/shorewall/zones
|
||||
/etc/shorewall/policy
|
||||
/etc/shorewall/tos
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.6
|
||||
2) The following builtin actions have been removed and have been
|
||||
replaced by the new action logging implementation described in the
|
||||
new features below.
|
||||
|
||||
1) Some users have reported the pkttype match option in iptables/
|
||||
Netfilter failing to match certain broadcast packets. The result
|
||||
is that the firewall log shows a lot of broadcast packets.
|
||||
logNotSyn
|
||||
rLogNotSyn
|
||||
dLogNotSyn
|
||||
|
||||
Other users have complained of the following message when
|
||||
starting Shorewall:
|
||||
3) If shorewall.conf is upgraded to the latest version, it needs to be
|
||||
modified to set STARTUP_ENABLED=Yes
|
||||
|
||||
modprobe: cant locate module ipt_pkttype
|
||||
4) The Leaf/Bering version of Shorewall was previously named:
|
||||
|
||||
Users experiencing either of these problems can use PKTTYPE=No in
|
||||
shorewall.conf to cause Shorewall to use IP address filtering of
|
||||
broadcasts rather than packet type.
|
||||
shorwall-<version>.lrp
|
||||
|
||||
2) The shorewall.conf and zones file are no longer given execute
|
||||
permission by the installer script.
|
||||
Beginning with 2.2, that file will now be named:
|
||||
|
||||
3) ICMP packets that are in the INVALID state are now dropped by the
|
||||
shorewall-lrp-<version>.tgz
|
||||
|
||||
Simply rename that file to 'shorwall.lrp' when installing it on your
|
||||
LEAF/Bering system.
|
||||
|
||||
5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
|
||||
longer contain a second (SNAT) address. You must use an entry in
|
||||
/etc/shorewall/masq instead.
|
||||
|
||||
Example from Shorewall FAQ #1:
|
||||
|
||||
Prior to Shorewall 2.2:
|
||||
|
||||
/etc/shorewall/interfaces
|
||||
|
||||
loc eth1 detect routeback,...
|
||||
|
||||
/etc/shorewall/rules
|
||||
|
||||
DNAT loc loc:192.168.1.12 tcp 80 \
|
||||
- 130.252.100.69:192.168.1.254
|
||||
|
||||
Shorewall 2.2 and Later:
|
||||
|
||||
/etc/shorewall/interfaces
|
||||
|
||||
loc eth1 detect routeback,...
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
||||
eth1 eth1 192.168.1.254 tcp 80
|
||||
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
DNAT loc loc:192.168.1.12 tcp 80 \
|
||||
- 130.252.100.69
|
||||
|
||||
6) The 'logunclean' and 'dropunclean' options that were deprecated in
|
||||
Shorewall 2.0 have now been removed completely.
|
||||
|
||||
7) A new IPTABLES variable has been added to shorewall.conf. This
|
||||
variable names the iptables executable that Shorewall will use. The
|
||||
variable is set to "/sbin/iptables". If you use the new
|
||||
shorewall.conf, you may need to change this setting to maintain
|
||||
compabibility with your current setup (if you use your existing
|
||||
shorewall.conf that does not set IPTABLES then you should
|
||||
experience no change in behavior).
|
||||
|
||||
8) The default port for OpenVPN tunnels has been changed from 5000 to
|
||||
1194 to reflect the recent IANA allocation of that port for
|
||||
OpenVPN.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in Shorewall 2.2.0:
|
||||
|
||||
1) ICMP packets that are in the INVALID state are now dropped by the
|
||||
Reject and Drop default actions. They do so using the new
|
||||
'dropInvalid' builtin action.
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.7
|
||||
'dropInvalid' builtin action. An 'allowInvalid' builtin action is
|
||||
also provided which accepts packets in that state.
|
||||
|
||||
1) The PKTTYPE option introduced in version 2.0.6 is now used when
|
||||
generating rules to REJECT packets. Broadcast packets are silently
|
||||
dropped rather than being rejected with an ICMP (which is a protocol
|
||||
violation) and users whose kernels have broken packet type match
|
||||
support are likely to see messages reporting this violation.
|
||||
Setting PKTTYPE=No should cause these messages to cease.
|
||||
2) The /etc/shorewall/masq file INTERFACE column now allows additional
|
||||
options.
|
||||
|
||||
2) Multiple interfaces with the 'blacklist' option no longer result in
|
||||
an error message at startup.
|
||||
|
||||
3) The following has been added to /etc/shorewall/bogons:
|
||||
|
||||
0.0.0.0 RETURN
|
||||
|
||||
This prevents the 'nobogons' option from logging DHCP 'DISCOVER'
|
||||
broadcasts.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.0.7
|
||||
|
||||
1) To improve supportability, the "shorewall status" command now
|
||||
includes IP and Route configuration information.
|
||||
|
||||
Example:
|
||||
|
||||
IP Configuration
|
||||
|
||||
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
|
||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
||||
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
|
||||
inet6 ::1/128 scope host
|
||||
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:a0:c9:15:39:78 brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::2a0:c9ff:fe15:3978/64 scope link
|
||||
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:a0:c9:a7:d7:bf brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::2a0:c9ff:fea7:d7bf/64 scope link
|
||||
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
|
||||
link/sit 0.0.0.0 brd 0.0.0.0
|
||||
6: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
||||
7: br0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc noqueue
|
||||
link/ether 00:40:d0:07:3a:1b brd ff:ff:ff:ff:ff:ff
|
||||
inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
|
||||
inet6 fe80::240:d0ff:fe07:3a1b/64 scope link
|
||||
|
||||
Routing Rules
|
||||
|
||||
0: from all lookup local
|
||||
32765: from all fwmark ca lookup www.out
|
||||
32766: from all lookup main
|
||||
32767: from all lookup default
|
||||
|
||||
Table local:
|
||||
|
||||
broadcast 192.168.1.0 dev br0 proto kernel scope link src 192.168.1.3
|
||||
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
|
||||
local 192.168.1.3 dev br0 proto kernel scope host src 192.168.1.3
|
||||
broadcast 192.168.1.255 dev br0 proto kernel scope link src 192.168.1.3
|
||||
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
|
||||
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
|
||||
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
|
||||
|
||||
Table www.out:
|
||||
|
||||
default via 192.168.1.3 dev br0
|
||||
|
||||
Table main:
|
||||
|
||||
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
|
||||
default via 192.168.1.254 dev br0
|
||||
|
||||
Table default:
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.8
|
||||
|
||||
1) User/group restricted rules now work in actions.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems Corrected in version 2.0.9
|
||||
|
||||
1) Previously, an empty PROTO column or a value of "all" in that column
|
||||
would cause errors when processing the /etc/shorewall/tcrules file.
|
||||
|
||||
New Fewatures in version 2.0.9
|
||||
|
||||
1) The "shorewall status" command now includes the output of "brctl
|
||||
show" if the bridge tools are installed.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.0.10
|
||||
|
||||
1) The GATEWAY column was previously ignored in 'pptpserver' entries in
|
||||
/etc/shorewall/tunnels.
|
||||
|
||||
2) When log rule numbers are included in the LOGFORMAT, duplicate
|
||||
rule numbers could previously be generated.
|
||||
|
||||
3) The /etc/shorewall/tcrules file now includes a note to the effect
|
||||
that rule evaluation continues after a match.
|
||||
|
||||
4) The error message produced if Shorewall couldn't obtain the routes
|
||||
through an interface named in the SUBNET column of
|
||||
/etc/shorewall/masq was less than helpful since it didn't include
|
||||
the interface name.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.10
|
||||
|
||||
The "shorewall status" command has been enhanced to include the values
|
||||
of key /proc settings:
|
||||
|
||||
Example from a two-interface firewall:
|
||||
|
||||
/proc
|
||||
|
||||
/proc/sys/net/ipv4/ip_forward = 1
|
||||
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/all/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/all/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/default/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/default/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
|
||||
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
|
||||
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.11
|
||||
|
||||
1) The INSTALL file now include special instructions for Slackware
|
||||
users.
|
||||
|
||||
2) The bogons file has been updated.
|
||||
|
||||
3) Service names are replaced by port numbers in /etc/shorewall/tos.
|
||||
|
||||
4) A typo in the install.sh file that caused an error during a new
|
||||
install has been corrected.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.11
|
||||
|
||||
1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS).
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.12
|
||||
|
||||
1) A typo in shorewall.conf (NETNOTSYN) has been corrected.
|
||||
|
||||
2) The "shorewall add" and "shorewall delete" commands now work in a
|
||||
bridged environment. The syntax is:
|
||||
|
||||
shorewall add <interface>[:<port>]:<address> <zone>
|
||||
shorewall delete <interface>[:<port>]:<address> <zone>
|
||||
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT
|
||||
rules defined in the /etc/shorewall/nat file. If you preceed the
|
||||
interface name with a plus sign ("+") then the rule will be
|
||||
evaluated before one-to-one NAT.
|
||||
|
||||
Examples:
|
||||
|
||||
shorewall add br0:eth2:192.168.1.3 OK
|
||||
shorewall delete br0:eth2:192.168.1.3 OK
|
||||
+eth0
|
||||
+eth1:192.0.2.32/27
|
||||
|
||||
3) Previously, "shorewall save" created an out-of-sequence restore
|
||||
script. The commands saved in the user's /etc/shorewall/start script
|
||||
were executed prior to the Netfilter configuration being
|
||||
restored. This has been corrected so that "shorewall save" now
|
||||
places those commands at the end of the script.
|
||||
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
|
||||
entry by following the interface name by ":" but no digit.
|
||||
|
||||
To accomplish this change, the "restore base" file
|
||||
(/var/lib/shorewall/restore-base) has been split into two files:
|
||||
Examples:
|
||||
|
||||
/var/lib/shorewall/restore-base -- commands to be executed before
|
||||
Netfilter the configuration is restored.
|
||||
eth0:
|
||||
eth1::192.0.2.32/27
|
||||
+eth3:
|
||||
|
||||
/var/lib/shorewall/restore-tail -- commands to be executed after the
|
||||
Netfilter configuration is restored.
|
||||
3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
|
||||
you to override the setting of ADD_IP_ALIASES=Yes by following the
|
||||
interface name with ":" but no digit.
|
||||
|
||||
4) Previously, traffic from the firewall to a dynamic zone member host
|
||||
did not need to match the interface specified when the host was
|
||||
added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
|
||||
zone Z then traffic out of any firewall interface to 1.2.3.4 will
|
||||
obey the fw->Z policies and rules. This has been corrected.
|
||||
4) All configuration files in the Shorewall distribution with the
|
||||
exception of shorewall.conf are now empty. In particular, the
|
||||
/etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos
|
||||
files now have no active entries. Hopefully this will stop the
|
||||
questions on the support and development lists regarding why the
|
||||
default entries are the way they are.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.12
|
||||
5) Previously, including a log level (and optionally a log tag) on a
|
||||
rule that specified a user-defined (or Shorewall-defined) action
|
||||
would log all traffic passed to the action. Beginning with this
|
||||
release, specifying a log level in a rule that specifies a user-
|
||||
or Shorewall-defined action will cause each rule in the action to
|
||||
be logged with the specified level (and tag).
|
||||
|
||||
1) Variable expansion may now be used with the INCLUDE directive.
|
||||
The extent to which logging of action rules occurs is goverend by
|
||||
the following:
|
||||
|
||||
a) When you invoke an action and specify a log level, only those
|
||||
rules in the action that have no log level will be changed to log
|
||||
at the level specified at the action invocation.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/action.foo:
|
||||
|
||||
ACCEPT - - tcp 22
|
||||
bar:info
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
foo:debug fw net
|
||||
|
||||
Logging in the invoked 'foo' action will be:
|
||||
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:info
|
||||
|
||||
b) If you follow the log level with "!" then logging will
|
||||
be at that level for all rules recursively invoked by the action
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/action.foo:
|
||||
|
||||
ACCEPT - - tcp 22
|
||||
bar:info
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
foo:debug! fw net
|
||||
|
||||
Logging in the invoke 'foo' action will be:
|
||||
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug!
|
||||
|
||||
This change has an effect on extension scripts used with
|
||||
user-defined actions. If you define an action 'acton' and you have
|
||||
an /etc/shorewall/acton script then when that script is invoked,
|
||||
the following three variables will be set for use by the script:
|
||||
|
||||
$CHAIN = the name of the chain where your rules are to be
|
||||
placed. When logging is used on an action invocation,
|
||||
Shorewall creates a chain with a slightly different name from
|
||||
the action itself.
|
||||
|
||||
$LEVEL = Log level. If empty, no logging was specified.
|
||||
|
||||
$TAG = Log Tag.
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
acton:info:test
|
||||
|
||||
Your /etc/shorewall/acton file will be run with:
|
||||
|
||||
$CHAIN="%acton1"
|
||||
$LEVEL="info"
|
||||
$TAG="test"
|
||||
|
||||
6) The /etc/shorewall/startup_disabled file is no longer created when
|
||||
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
|
||||
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
|
||||
Shorewall to start, that variable's value must be set to
|
||||
'Yes'. This change accomplishes two things:
|
||||
|
||||
a) It prevents Shorewall from being started prematurely by the
|
||||
user's initialization scripts.
|
||||
|
||||
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
||||
it won't be replaced by upgrades using RPM.
|
||||
|
||||
7) Some additional support has been added for the 2.6 Kernel IPSEC
|
||||
implementation. To use this support, you must have installed the
|
||||
IPSEC policy match patch and the four IPSEC/Netfilter patches
|
||||
from Patch-0-Matic-ng. The policy match patch affects both your
|
||||
kernel and iptables.
|
||||
|
||||
There are two ways to specify that IPSEC is to be used when
|
||||
communicating with a set of hosts; both methods involve the new
|
||||
/etc/shorewall/ipsec file:
|
||||
|
||||
a) If encrypted communication is used with all hosts in a zone,
|
||||
then you can designate the zone as an "ipsec" zone by placing
|
||||
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
|
||||
|
||||
#ZONE IPSEC OPTIONS ...
|
||||
# ONLY
|
||||
vpn Yes
|
||||
|
||||
The hosts in the zone (if any) must be specified in
|
||||
/etc/shorewall/hosts but you do not need to specify the 'ipsec'
|
||||
option on the entries in that file (see below).
|
||||
|
||||
Dynamic zones involving IPSEC must use that technique.
|
||||
|
||||
Example:
|
||||
|
||||
Under 2.4 Kernel FreeS/Wan:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
vpn ipsec0 ...
|
||||
|
||||
Under 2.6 Kernel with this new support:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0
|
||||
|
||||
/etc/shorewall/ipsec
|
||||
|
||||
vpn Yes
|
||||
|
||||
b) If only part of the hosts in a zone require encrypted
|
||||
communication, you may use of the new 'ipsec' option in
|
||||
/etc/shorewall/hosts to designate those hosts.
|
||||
|
||||
Example:
|
||||
|
||||
Under 2.4 Kernel FreeS/Wan:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
loc Local Extended local zone
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
loc eth1 ...
|
||||
loc ipsec0 ...
|
||||
|
||||
Under 2.6 Kernel with this new support:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
net Net The big bad Internet
|
||||
vpn VPN Remote Network
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 ...
|
||||
loc eth1 ...
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec,...
|
||||
|
||||
Regardless of which technique you choose, you can specify
|
||||
additional SA options for the zone in the /etc/shorewall/ipsec
|
||||
entry.
|
||||
|
||||
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
||||
input-output, input and output characteristics of the security
|
||||
associations to be used to decrypt (input) or encrypt (output) traffic
|
||||
to/from the zone.
|
||||
|
||||
The available options are:
|
||||
|
||||
reqid[!]=<number> where <number> is specified using setkey(8) using
|
||||
the 'unique:<number>' option for the SPD level.
|
||||
|
||||
spi[!]=<number> where <number> is the SPI of the SA. Since
|
||||
different SAs are used to encrypt and decrypt traffic, this
|
||||
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
||||
columns.
|
||||
|
||||
proto[!]=ah|esp|ipcomp
|
||||
|
||||
mss=<number> (sets the MSS value in TCP SYN packets and is not
|
||||
related to policy matching)
|
||||
|
||||
mode[!]=transport|tunnel
|
||||
|
||||
tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel)
|
||||
|
||||
tunnel-dst[!]=<address>[/<mask>] (only available with
|
||||
mode=tunnel). Because tunnel source and destination are
|
||||
dependent on the direction of the traffic, these options
|
||||
should only appear in the IN OPTIONS and OUT OPTIONS columns.
|
||||
|
||||
strict (if specified, packets must match all policies;
|
||||
policies are delimited by 'next').
|
||||
|
||||
next (only available with strict)
|
||||
|
||||
Examples:
|
||||
|
||||
#ZONE IPSEC OPTIONS IN OUT...
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||
loc No reqid=44,mode=transport
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
specify Yes or yes in that column then the unencrypted packets will
|
||||
have their source address changed. Otherwise, the unencrypted
|
||||
packets will not have their source addresses changed. This column
|
||||
may also contain a comma-separated list of the options specified
|
||||
above in which case only those packets that will be encrypted
|
||||
by an SA matching the given options will have their source address
|
||||
changed.
|
||||
|
||||
8) To improve interoperability, tunnels of type 'ipsec' no longer
|
||||
enforce the use of source port 500 for ISAKMP and OpenVPN
|
||||
tunnels no longer enforce use of the specified port as both the
|
||||
source and destination ports.
|
||||
|
||||
9) A new 'allowBcast' builtin action has been added -- it silently
|
||||
allows broadcasts and multicasts.
|
||||
|
||||
10) The -c option in /sbin/shorewall commands is now deprecated. The
|
||||
commands where -c was previously allowed now permit you to specify
|
||||
a configuration directory after the command:
|
||||
|
||||
shorewall check [ <configuration-directory> ]
|
||||
shorewall restart [ <configuration-directory> ]
|
||||
shorewall start [ <configuration-directory> ]
|
||||
|
||||
11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp
|
||||
connection, Netfilter attempts to retain the source port
|
||||
number. If it has to change to port number to avoid
|
||||
<source address>,<source port> conflicts, it tries to do so
|
||||
within port ranges ( < 512, 512-1023, and > 1023). You may
|
||||
now specify an explicit range of source ports to be used
|
||||
by following the address or address range (if any) in the
|
||||
ADDRESS column with ":" and a port range in the format
|
||||
<low-port>-<high-port>. You must specify either "tcp" or
|
||||
"udp" in the PROTO column.
|
||||
|
||||
Examples 1 -- MASQUERADE with tcp source ports 4000-5000:
|
||||
|
||||
#INTERFACE SUBNET ADDRESS PROTO
|
||||
eth0 192.168.1.0/24 :4000-5000 tcp
|
||||
|
||||
Example 2 -- SNAT with udp source ports 7000-8000:
|
||||
|
||||
#INTERFACE SUBNET ADDRESS PROTO
|
||||
eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp
|
||||
|
||||
12) You may now account by user/group ID for outbound traffic from the
|
||||
firewall itself with entries in /etc/shorewall/accounting. Such
|
||||
accounting rules must be placed in the OUTPUT chain.
|
||||
|
||||
See the comments at the top of /etc/shorewall/accounting for
|
||||
details.
|
||||
|
||||
13) Shorewall now verifies that your kernel and iptables have physdev
|
||||
match support if BRIDGING=Yes in shorewall.conf.
|
||||
|
||||
14) Beginning with this release, if your kernel and iptables have
|
||||
iprange match support (see the output from "shorewall check"), then
|
||||
with the exception of the /etc/shorewall/netmap file, anywhere that
|
||||
a network address may appear an IP address range of the form <low
|
||||
address>-<high address> may also appear.
|
||||
|
||||
15) Support has been added for the iptables CLASSIFY target. That
|
||||
target allows you to classify packets for traffic shaping directly
|
||||
rather than indirectly through fwmark. Simply enter the
|
||||
<major>:<minor> classification in the first column of
|
||||
/etc/shorewall/tcrules:
|
||||
|
||||
Example:
|
||||
|
||||
#MARK/ SOURCE DEST PROTO PORT(S)
|
||||
#CLASSIFY
|
||||
1:30 - eth0 tcp 25
|
||||
|
||||
Note that when using this form of rule, it is acceptable to include
|
||||
the name of an interface in the DEST column.
|
||||
|
||||
Marking using the CLASSIFY target always occurs in the POSTROUTING
|
||||
chain of the mangle table and is not affected by the setting of
|
||||
MARK_IN_FORWARD_CHAIN in shorewall.conf.
|
||||
|
||||
16) During "shorewall start", IP addresses to be added as a consequence
|
||||
of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
|
||||
when /etc/shorewall/nat and /etc/shorewall/masq are processed then
|
||||
the are re-added later. This is done to help ensure that the
|
||||
addresses can be added with the specified labels but can have
|
||||
the undesirable side effect of causing routes to be quietly
|
||||
deleted. A new RETAIN_ALIASES option has been added to
|
||||
shorewall.conf; when this option is set to Yes, existing addresses
|
||||
will not be deleted. Regardless of the setting of RETAIN_ALIASES,
|
||||
addresses added during "shorewall start" are still deleted at a
|
||||
subsequent "shorewall stop" or "shorewall restart".
|
||||
|
||||
17) Users with a large black list (from /etc/shorewall/blacklist) may
|
||||
want to set the new DELAYBLACKLISTLOAD option in
|
||||
shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
|
||||
enable new connections before loading the blacklist rules. While
|
||||
this may allow connections from blacklisted hosts to slip by during
|
||||
construction of the blacklist, it can substantially reduce the time
|
||||
that all new connections are disabled during "shorewall [re]start".
|
||||
|
||||
18) Using the default LOGFORMAT, chain names longer than 11 characters
|
||||
(such as in user-defined actions) may result in log prefix
|
||||
truncation. A new shorewall.conf action LOGTAGONLY has been added
|
||||
to deal with this problem. When LOGTAGONLY=Yes, logging rules that
|
||||
specify a log tag will substitute the tag for the chain name in the
|
||||
log prefix.
|
||||
|
||||
Example -- file /etc/shorewall/action.thisisaverylogactionname:
|
||||
|
||||
Rule:
|
||||
|
||||
DROP:info:ftp 0.0.0.0/0 0.0.0.0/0 tcp 21
|
||||
|
||||
Log prefix with LOGTAGONLY=No:
|
||||
|
||||
Shorewall:thisisaverylongacti
|
||||
|
||||
Log prefix with LOGTAGONLY=Yes:
|
||||
|
||||
Shorewall:ftp:DROP
|
||||
|
||||
19) Shorewall now resets the 'accept_source_route' flag for all
|
||||
interfaces. If you wish to accept source routing on an interface,
|
||||
you must specify the new 'sourceroute' interface option in
|
||||
/etc/shorewall/interfaces.
|
||||
|
||||
20) The default Drop and Reject actions now invoke the new standard
|
||||
action 'AllowICMPs'. This new action accepts critical ICMP types:
|
||||
|
||||
Type 3 code 4 (fragmentation needed)
|
||||
Type 11 (TTL exceeded)
|
||||
|
||||
21) Explicit control over the kernel's Martian logging is now provided
|
||||
using the new 'logmartians' interface option. If you include
|
||||
'logmartians' in the interface option list then logging of Martian
|
||||
packets on will be enabled on the specified interface.
|
||||
If you wish to globally enable martian logging, you can set
|
||||
LOG_MARTIANS=Yes in shorewall.conf.
|
||||
|
||||
22) You may now cause Shorewall to use the '--set-mss' option of the
|
||||
TCPMSS target. In other words, you can cause Shorewall to set the
|
||||
MSS field of SYN packets passing through the firewall to the value
|
||||
you specify. This feature extends the existing CLAMPMSS option in
|
||||
/etc/shorewall/shorewall.conf by allowing that option to have a
|
||||
numeric value as well as the values "Yes" and "No".
|
||||
|
||||
Example:
|
||||
|
||||
CLAMPMSS=1400
|
||||
|
||||
23) Shorewall now includes support for the ipp2p match facility. This
|
||||
is a departure from my usual policy in that the ipp2p match
|
||||
facility is included in Patch-O-Matic-NG and is unlikely to ever be
|
||||
included in the kernel.org source tree. Questions about how to
|
||||
install the patch or how to build your kernel and/or iptables
|
||||
should not be posted on the Shorewall mailing lists.
|
||||
|
||||
In the following files, the "PROTO" or "PROTOCOL" column may
|
||||
contain "ipp2p":
|
||||
|
||||
/etc/shorewall/rules
|
||||
/etc/shorewall/tcrules
|
||||
/etc/shorewall/accounting
|
||||
|
||||
When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
||||
PORT(S) or PORT(S) column may contain a recognized ipp2p option;
|
||||
for a list of the options and their meaning, at a root prompt:
|
||||
|
||||
iptables -m ipp2p --help
|
||||
|
||||
You must not include the leading "--" on the option; Shorewall will
|
||||
supply those characters for you. If you do not include an option
|
||||
then "ipp2p" is assumed (Shorewall will generate "-m ipp2p
|
||||
--ipp2p").
|
||||
|
||||
24) Shorewall now has support for the CONNMARK target from iptables.
|
||||
See the /etc/shorewall/tcrules file for details.
|
||||
|
||||
25) A new debugging option LOGALLNEW has been added to
|
||||
shorewall.conf. When set to a log level, this option causes
|
||||
Shorewall to generaate a logging rule as the first rule in each
|
||||
builtin chain.
|
||||
|
||||
- The table name is used as the chain name in the log prefix.
|
||||
- The chain name is used as the target in the log prefix.
|
||||
|
||||
Example: Using the default LOGFORMAT, the log prefix for logging
|
||||
from the nat table's PREROUTING chain is:
|
||||
|
||||
Shorewall:nat:PREROUTING
|
||||
|
||||
IMPORTANT: There is no rate limiting on these logging rules so
|
||||
use LOGALLNEW at your own risk; it may cause high CPU and disk
|
||||
utilization and you may not be able to control your firewall after
|
||||
you enable this option.
|
||||
|
||||
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
|
||||
BE SENT TO ANOTHER SYSTEM.
|
||||
|
||||
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
|
||||
SUBNETS and it is now possible to specify a list of addresses in
|
||||
that column.
|
||||
|
||||
27) The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS).
|
||||
|
||||
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
|
||||
been renamed SOURCE PORT(S).
|
||||
|
||||
29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
|
||||
in the output of "shorewall status".
|
||||
|
||||
30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
|
||||
can be used to designate the iptables executable to be used by
|
||||
Shorewall. If not specified, the iptables executable determined by
|
||||
the PATH setting is used.
|
||||
|
||||
31) You can now use the "shorewall show zones" command to display the
|
||||
current contents of the zones. This is particularly useful if you
|
||||
use dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).
|
||||
|
||||
Example:
|
||||
|
||||
ursa:/etc/shorewall # shorewall show zones
|
||||
Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004
|
||||
|
||||
loc
|
||||
eth0:192.168.1.0/24
|
||||
eth1:1.2.3.4
|
||||
net
|
||||
eth0:0.0.0.0/0
|
||||
WiFi
|
||||
eth1:0.0.0.0/0
|
||||
sec
|
||||
eth1:0.0.0.0/0
|
||||
|
||||
ursa:/etc/shorewall #
|
||||
|
||||
32) Variable expansion may now be used with the INCLUDE directive.
|
||||
|
||||
Example:
|
||||
|
||||
@ -240,46 +605,18 @@ New Features in 2.0.12
|
||||
Any other config file:
|
||||
|
||||
INCLUDE $FILE
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.13
|
||||
|
||||
1) A typo in /usr/share/shorewall/firewall caused the following:
|
||||
33) The output of "shorewall status" now includes the results of "ip
|
||||
-stat link ls". This helps diagnose performance problems caused by
|
||||
link errors.
|
||||
|
||||
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
|
||||
not found
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.14
|
||||
|
||||
1) Previously, when rate-limiting was specified in
|
||||
34) Previously, when rate-limiting was specified in
|
||||
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
||||
exceeded the specified rate was silently dropped. Now, if a log
|
||||
level is given in the entry (LEVEL column) then drops are logged at
|
||||
that level at a rate of 5/min with a burst of 5.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.14
|
||||
|
||||
1) A typo in the /etc/shorewall/interfaces file has been fixed.
|
||||
|
||||
2) "bad variable" error messages occurring during "shorewall stop" and
|
||||
"shorewall clear" have been eliminated.
|
||||
|
||||
3) A misleading typo in /etc/shorewall/tunnels has been corrected.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in 2.0.15
|
||||
|
||||
1) The range of ports opened by the AllowTrcrt action has been
|
||||
expanded to 33434:33524.
|
||||
|
||||
2) Code mis-ported from 2.2.0 caused the following error during
|
||||
"shorewall start" where SYN rate-limiting is present in
|
||||
/etc/shorewall/policy:
|
||||
|
||||
Bad argument `DROP'
|
||||
Try `iptables -h' or 'iptables --help' for more information.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.16
|
||||
|
||||
1) Recent 2.6 kernels include code that evaluates TCP packets based on
|
||||
35) Recent 2.6 kernels include code that evaluates TCP packets based on
|
||||
TCP Window analysis. This can cause packets that were previously
|
||||
classified as NEW or ESTABLISHED to be classified as INVALID.
|
||||
|
||||
@ -299,3 +636,52 @@ New Features in 2.0.16
|
||||
|
||||
If not specified or if specified as empty (e.g., DROPINVALID="")
|
||||
then DROPINVALID=Yes is assumed.
|
||||
|
||||
36) The "shorewall add" and "shorewall delete" commands now accept a
|
||||
list of hosts to add or delete.
|
||||
|
||||
Examples:
|
||||
|
||||
shorewall add eth1:1.2.3.4 eth1:2.3.4.5 z12
|
||||
shorewall delete eth1:1.2.3.4 eth1:2.3.4.5 z12
|
||||
|
||||
The above commands may also be written:
|
||||
|
||||
shorewall add eth1:1.2.3.4,2.3.4.5 z12
|
||||
shorewall delete eth1:1.2.3.4,2.3.4.5 z12
|
||||
|
||||
37) TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
|
||||
type. OpenVPN entries in /etc/shorewall/tunnels have this format:
|
||||
|
||||
openvpn[:{tcp|udp}][:<port>] <zone> <gateway>
|
||||
|
||||
Examples:
|
||||
|
||||
openvpn:tcp net 1.2.3.4 # TCP tunnel on port 1194
|
||||
openvpn:3344 net 1.2.3.4 # UDP on port 3344
|
||||
openvpn:tcp:4455 net 1.2.3.4 # TCP on port 4455
|
||||
|
||||
38) A new 'ipsecvpn' script is included in the tarball and in the
|
||||
RPM. The RPM installs the file in the Documentation directory
|
||||
(/usr/share/doc/packages/shorewall-2.2.0-0RC1).
|
||||
|
||||
This script is intended for use on Roadwarrior laptops for
|
||||
establishing an IPSEC SA to/from remote networks. The script has
|
||||
some limitations:
|
||||
|
||||
- Only one instance of the script may be used at a time.
|
||||
- Only the first SPD accessed will be instantiated at the remote
|
||||
gateway. So while the script creates SPDs to/from the remote
|
||||
gateway and each network listed in the NETWORKS setting at the
|
||||
front of the script, only one of these may be used at a time.
|
||||
|
||||
39) The IANA has recently registered port 1194 for use by OpenVPN. In
|
||||
previous versions of Shorewall (and OpenVPN), the default port was
|
||||
5000 but has been changed to 1194 to conform to the new OpenVPN
|
||||
default.
|
||||
|
||||
40) The output of "shorewall status" now lists the loaded netfilter
|
||||
kernel modules.
|
||||
|
||||
41) The range of UDP ports opened by the AllowTrcrt action has been
|
||||
increased to 33434:33524.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0-- RFC1918 File
|
||||
# Shorewall 2.2 -- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
@ -12,14 +12,17 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# SUBNETS A comma-separated list of subnet addresses
|
||||
# (host addresses also allowed as are IP
|
||||
# address ranges provided that your kernel and iptables
|
||||
# have iprange match support).
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
#SUBNETS TARGET
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
10.0.0.0/8 logdrop # RFC 1918
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
|
||||
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
@ -12,6 +12,10 @@
|
||||
# INTERFACE - Interface through which host(s) communicate with
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# addresses. If your kernel and iptables include
|
||||
# iprange match support, IP address ranges are also
|
||||
# allowed.
|
||||
#
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# OPTIONS - (Optional) A comma-separated list of
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Rules File
|
||||
# Shorewall version 2.2 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
@ -72,6 +72,20 @@
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# If the ACTION names an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std then:
|
||||
#
|
||||
# - If the log level is followed by "!' then all rules
|
||||
# in the action are logged at the log level.
|
||||
#
|
||||
# - If the log level is not followed by "!" then only
|
||||
# those rules in the action that do not specify
|
||||
# logging are logged at the specified level.
|
||||
#
|
||||
# - The special log level 'none!' suppresses logging
|
||||
# by the action.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
@ -104,6 +118,10 @@
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
@ -115,6 +133,10 @@
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# net:192.0.2.11-192.0.2.17
|
||||
# Hosts 192.0.2.11-192.0.2.17 in
|
||||
# the net zone.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
@ -145,7 +167,7 @@
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# Like in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||
# the connections will be assigned to addresses in the
|
||||
@ -166,14 +188,20 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
@ -195,8 +223,8 @@
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ORIGINAL DEST in the next column, then
|
||||
# place "-" in this column.
|
||||
# specify an ORIGINAL DEST in the next column, then place
|
||||
# "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
@ -223,14 +251,6 @@
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# The address (list) may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
@ -281,9 +301,9 @@
|
||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||
# a maximum burst of 10
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# # PORT PORT(S) DEST LIMIT
|
||||
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
|
@ -1,10 +1,10 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.2
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
@ -134,6 +134,24 @@ showchain() # $1 = name of chain
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
|
||||
#
|
||||
|
||||
iptablesbug()
|
||||
{
|
||||
if qt which awk ; then
|
||||
awk 'BEGIN {sline=""; };\
|
||||
/^-j/ { print sline $0; next };\
|
||||
/-m policy.*-j/ { print $0; next };\
|
||||
/-m policy/ { sline=$0; next };\
|
||||
{print ; sline="" }'
|
||||
else
|
||||
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
|
||||
cat
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the value of RESTOREFILE
|
||||
#
|
||||
@ -174,6 +192,19 @@ get_config() {
|
||||
|
||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||
|
||||
if [ -n "$IPTABLES" ]; then
|
||||
if [ ! -e "$IPTABLES" ]; then
|
||||
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
IPTABLES=$(which iptables 2> /dev/null)
|
||||
if [ -z "$IPTABLES" ] ; then
|
||||
echo " ERROR: Can't find iptables executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
@ -205,7 +236,7 @@ display_chains()
|
||||
TMPFILE=$(mktempfile)
|
||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||
|
||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
@ -288,7 +319,7 @@ display_chains()
|
||||
|
||||
qt rm -f $TMPFILE
|
||||
else
|
||||
iptables -L -n -v
|
||||
$IPTABLES -L -n -v
|
||||
timed_read
|
||||
fi
|
||||
trap - 1 2 3 4 5 6 9
|
||||
@ -315,10 +346,9 @@ packet_log() # $1 = number of messages
|
||||
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
|
||||
grep "${LOGFORMAT}" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||
tail $options
|
||||
}
|
||||
@ -388,9 +418,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
@ -423,7 +452,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -450,7 +479,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -459,7 +488,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -498,9 +527,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
@ -522,7 +550,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -562,11 +590,11 @@ usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check"
|
||||
echo " check [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " forget [ <file name> ]"
|
||||
echo " help [ <command > | host | address ]"
|
||||
@ -578,15 +606,17 @@ usage() # $1 = exit status
|
||||
echo " refresh"
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||
echo " start [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo
|
||||
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -598,8 +628,11 @@ show_reset() {
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
show_proc() {
|
||||
#
|
||||
# Display's the passed file name followed by "=" and the file's contents.
|
||||
#
|
||||
show_proc() # $1 = name of a file
|
||||
{
|
||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||
}
|
||||
|
||||
@ -721,6 +754,8 @@ ensure_config_path
|
||||
|
||||
export CONFIG_PATH
|
||||
|
||||
get_config
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
@ -765,8 +800,28 @@ esac
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
@ -783,15 +838,37 @@ case "$1" in
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
;;
|
||||
stop|restart|reset|clear|refresh|check)
|
||||
stop|reset|clear|refresh)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
check|restart)
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
|
||||
[ $# -lt 3 ] && usage 1
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
|
||||
;;
|
||||
show|list)
|
||||
[ -n "$debugging" ] && set -x
|
||||
@ -807,18 +884,17 @@ case "$1" in
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
get_config
|
||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -837,6 +913,24 @@ case "$1" in
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
if [ -f $STATEDIR/zones ]; then
|
||||
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||
echo
|
||||
while read zone hosts; do
|
||||
echo $zone
|
||||
for host in $hosts; do
|
||||
echo " $host"
|
||||
done
|
||||
done < $STATEDIR/zones
|
||||
echo
|
||||
else
|
||||
echo " ERROR: $STATEDIR/zones does not exist" >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
@ -845,10 +939,10 @@ case "$1" in
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
iptables -L $chain $IPT_OPTIONS
|
||||
$IPTABLES -L $chain $IPT_OPTIONS
|
||||
done
|
||||
else
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -866,29 +960,32 @@ case "$1" in
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
echo
|
||||
echo "IP Configuration"
|
||||
echo
|
||||
ip addr ls
|
||||
echo
|
||||
echo "IP Stats"
|
||||
echo
|
||||
ip -stat link ls
|
||||
|
||||
if qt which brctl; then
|
||||
echo
|
||||
@ -902,9 +999,10 @@ case "$1" in
|
||||
echo
|
||||
|
||||
show_proc /proc/sys/net/ipv4/ip_forward
|
||||
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||
for file in proxy_arp arp_filter rp_filter; do
|
||||
for file in proxy_arp arp_filter rp_filter log_martians; do
|
||||
show_proc $directory/$file
|
||||
done
|
||||
done
|
||||
@ -920,11 +1018,17 @@ case "$1" in
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
|
||||
if qt which lsmod; then
|
||||
echo
|
||||
echo "Modules"
|
||||
echo
|
||||
lsmod | grep -E '^ip_|^ipt_'
|
||||
fi
|
||||
;;
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
@ -972,10 +1076,10 @@ case "$1" in
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||
if ! $0 $debugging -c $2 restart; then
|
||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
fi
|
||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
elif [ $# -eq 3 ]; then
|
||||
sleep $3
|
||||
@ -998,9 +1102,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||
echo "$1 Dropped"
|
||||
done
|
||||
mutex_off
|
||||
@ -1011,9 +1115,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected"
|
||||
done
|
||||
mutex_off
|
||||
@ -1024,7 +1128,7 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
||||
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
@ -1035,8 +1139,6 @@ case "$1" in
|
||||
save)
|
||||
[ -n "$debugging" ] && set -x
|
||||
|
||||
get_config
|
||||
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
@ -1053,7 +1155,7 @@ case "$1" in
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
@ -1064,11 +1166,11 @@ case "$1" in
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
@ -1094,7 +1196,6 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
forget)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
@ -1114,7 +1215,7 @@ case "$1" in
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
fi
|
||||
;;
|
||||
ipcalc)
|
||||
@ -1153,7 +1254,6 @@ case "$1" in
|
||||
esac
|
||||
;;
|
||||
restore)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
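Review bot: In the save hunk, `if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$` now branches on the exit status of iptablesbug (the awk or cat stage), not on iptables-save; before this change the status of iptables-save itself decided the branch, and /bin/sh has no pipefail to recover it. awk and cat exit 0 on empty or truncated input, so a failing iptables-save still yields a restore file that is reported as saved and that a later "shorewall restore" would load as a partial ruleset, which for a firewall is a silent loss of policy. Capturing the dump into a scratch file first, checking that status, and only then filtering it into restore-$$ keeps the error path the old code had. The same hunk still calls a bare `iptables-save` from PATH while the listing goes through `$IPTABLES`, so a non-default IPTABLES setting presumably pairs with an iptables-save in the same directory; deriving it from `$(dirname $IPTABLES)` or adding a matching option would be consistent. The remainder of the save branch (appending restore-tail, renaming into place, mutex_off) lies outside the hunk.
```shell
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
#
# Run iptables-save on its own so its exit status is what we test; a
# pipeline only reports the status of its last stage (awk/cat), which
# succeeds on empty or truncated input.
#
if iptables-save > /var/lib/shorewall/save-$$ ; then
    iptablesbug < /var/lib/shorewall/save-$$ >> /var/lib/shorewall/restore-$$
    rm -f /var/lib/shorewall/save-$$
    echo __EOF__ >> /var/lib/shorewall/restore-$$
    # … unchanged: append restore-tail, rename into place …
```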
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
||||
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -7,6 +7,14 @@
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
##############################################################################
|
||||
# Once you have configured Shorewall, you may change the setting of
|
||||
# this variable to 'Yes'
|
||||
|
||||
STARTUP_ENABLED=No
|
||||
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
@ -15,6 +23,11 @@
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# These levels are defined by syslog and are used to determine the destination
|
||||
# of the messages through entries in /etc/syslog.conf (5). The syslog
|
||||
# documentation refers to these as "priorities"; Netfilter calls them "levels"
|
||||
# and Shorewall also uses that term.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
@ -80,6 +93,18 @@ LOGFILE=/var/log/messages
|
||||
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
|
||||
#
|
||||
# LOG FORMAT Continued
|
||||
#
|
||||
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
|
||||
# truncation of the log prefix may occur. Longer chain names may be used with
|
||||
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
|
||||
# specified then the tag is included in the log prefix in place of the chain
|
||||
# name.
|
||||
#
|
||||
|
||||
LOGTAGONLY=No
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
@ -110,6 +135,18 @@ LOGFORMAT="Shorewall:%s:%s:"
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
#
|
||||
# LOG ALL NEW
|
||||
#
|
||||
# This option should only be used when you are trying to analyze a problem.
|
||||
# It causes all packets in the Netfilter NEW state to be logged as the
|
||||
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
||||
# the log level that you want these packets logged at (e.g.,
|
||||
# LOGALLNEW=debug).
|
||||
#
|
||||
|
||||
LOGALLNEW=
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
@ -201,9 +238,29 @@ SMURF_LOG_LEVEL=info
|
||||
#
|
||||
|
||||
BOGON_LOG_LEVEL=info
|
||||
|
||||
#
|
||||
# MARTIAN LOGGING
|
||||
#
|
||||
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
|
||||
# that have impossible source IP addresses. This logging may be enabled
|
||||
# on individual interfaces by using the 'logmartians' option in
|
||||
# /etc/shorewall/interfaces.
|
||||
#
|
||||
|
||||
LOG_MARTIANS=No
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
#
|
||||
# IPTABLES
|
||||
#
|
||||
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||
# the iptables executable located via the PATH setting below is used.
|
||||
#
|
||||
IPTABLES=
|
||||
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
@ -320,13 +377,29 @@ ADD_IP_ALIASES=Yes
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# RETAIN EXISTING ALIASES/IP ADDRESSES
|
||||
#
|
||||
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
|
||||
# will first delete the address then re-add it. This is to ensure that the
|
||||
# address is added with the specified label. Unfortunately, this can cause
|
||||
# problems if it results in the deletion of the last IP address on an
|
||||
# interface because then all routes through the interface are automatically
|
||||
# removed.
|
||||
#
|
||||
# You can cause Shorewall to retain existing addresses by setting
|
||||
# RETAIN_ALIASES=Yes.
|
||||
#
|
||||
RETAIN_ALIASES=No
|
||||
|
||||
#
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
||||
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
@ -392,6 +465,14 @@ MARK_IN_FORWARD_CHAIN=No
|
||||
#
|
||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
||||
#
|
||||
# You may also set this option to a numeric value in which case Shorewall will
|
||||
# set up a rule to modify the MSS value in SYN packets to the value that
|
||||
# you specify.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# CLAMPMSS=1400
|
||||
#
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
@ -550,6 +631,14 @@ ADMINISABSENTMINDED=Yes
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
#
|
||||
# Users with a large blacklist find that "shorwall [re]start" takes a long
|
||||
# time and that new connections are disabled during that time. By setting
|
||||
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
|
||||
# before loading the blacklist.
|
||||
|
||||
DELAYBLACKLISTLOAD=No
|
||||
|
||||
# MODULE NAME SUFFIX
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
@ -608,16 +697,9 @@ DYNAMIC_ZONES=No
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to match certain broadcast packets.
|
||||
#
|
||||
# Other users have complained of the following message when
|
||||
# starting Shorewall:
|
||||
#
|
||||
# modprobe: cant locate module ipt_pkttype
|
||||
#
|
||||
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
|
||||
# broadcasts rather than pkttype. If not given or if given as empty
|
||||
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
|
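Review bot: The new DELAYBLACKLISTLOAD comment describes the speed-up but not its cost: with DELAYBLACKLISTLOAD=Yes new connections are enabled before the blacklist is loaded, so for the rest of that `shorewall [re]start` blacklisted hosts are not blocked at all, and the comment should say so explicitly, e.g. `# NOTE: with DELAYBLACKLISTLOAD=Yes, blacklisted hosts are NOT blocked during the` / `# interval between enabling new connections and finishing the blacklist load.` The same comment also misspells the command as `shorwall [re]start`. Separately, the new IPTABLES option is documented as a "full path" but nothing visible here says what the firewall script does with a relative or non-executable value, which would presumably fall back to the PATH search described just below it; a line stating that the value must be an absolute path, and that anything else is rejected at start time rather than silently substituted, would make the contract clear.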
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 2.0.16
|
||||
%define version 2.2.0
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -41,12 +41,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%post
|
||||
|
||||
if [ $1 -eq 1 ]; then
|
||||
echo \
|
||||
"########################################################################
|
||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
||||
########################################################################" \
|
||||
> /etc/shorewall/startup_disabled
|
||||
|
||||
if [ -x /sbin/insserv ]; then
|
||||
/sbin/insserv /etc/rc.d/shorewall
|
||||
elif [ -x /sbin/chkconfig ]; then
|
||||
@ -76,6 +70,7 @@ fi
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ipsec
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
|
||||
%attr(0600,root,root) %config(noreplace) /etc/shorewall/netmap
|
||||
@ -106,6 +101,7 @@ fi
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
|
||||
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
|
||||
@ -138,386 +134,37 @@ fi
|
||||
%attr(0600,root,root) /usr/share/shorewall/bogons
|
||||
%attr(0600,root,root) /usr/share/shorewall/configpath
|
||||
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
||||
|
||||
%changelog
|
||||
* Tue Feb 01 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.16-1
|
||||
* Wed Jan 12 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.15-1
|
||||
* Mon Jan 03 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.14-1
|
||||
* Thu Dec 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.13-1
|
||||
* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.12-1
|
||||
* Mon Nov 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.11-1
|
||||
* Mon Oct 25 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.10-1
|
||||
* Thu Sep 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.9-1
|
||||
* Sun Aug 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.8-1
|
||||
* Tue Jul 20 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.7-1
|
||||
* Sun Jul 11 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.6-1
|
||||
* Fri Jul 09 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.5-1
|
||||
* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.4-1
|
||||
* Fri Jul 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3c-1
|
||||
* Wed Jun 30 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3b-1
|
||||
* Mon Jun 28 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3a-1
|
||||
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.3-1
|
||||
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC2
|
||||
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.0.2-0RC1
|
||||
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
|
||||
- Added %attr spec for /etc/init.d/shorewall
|
||||
* Sat May 15 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2a-1
|
||||
* Thu May 13 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.2-1
|
||||
* Mon May 10 2004 Tom Eastep tom@shorewall.net
|
||||
- Add /etc/shorewall/initdone
|
||||
* Fri May 07 2004 Tom Eastep tom@shorewall.net
|
||||
- Shorewall 2.0.2-RC1
|
||||
* Tue May 04 2004 Tom Eastep tom@shorewall.net
|
||||
- Shorewall 2.0.2-Beta2
|
||||
* Tue Apr 13 2004 Tom Eastep tom@shorewall.net
|
||||
- Add /usr/share/shorewall/configpath
|
||||
* Mon Apr 05 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1-1
|
||||
* Thu Apr 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC5
|
||||
* Thu Apr 01 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC4
|
||||
* Sun Mar 28 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC3
|
||||
* Thu Mar 25 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC2
|
||||
* Wed Mar 24 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 RC1
|
||||
* Fri Mar 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated for 2.0.1 Beta 2
|
||||
* Thu Mar 18 2004 Tom Eastep tom@shorewall.net
|
||||
- Added netmap file
|
||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for 2.0.1 Beta 1
|
||||
* Wed Mar 17 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Add bogons file
|
||||
* Sat Mar 13 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for 2.0.0 Final
|
||||
* Sat Mar 06 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC2
|
||||
* Fri Feb 27 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Update for RC1
|
||||
* Mon Feb 16 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Moved rfc1918 to /usr/share/shorewall
|
||||
- Update for Beta 3
|
||||
* Sat Feb 14 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Removed common.def
|
||||
- Unconditionally replace actions.std
|
||||
- Update for Beta 2
|
||||
* Thu Feb 12 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Added action.AllowPCA
|
||||
* Sun Feb 08 2004 Tom Eastep <tom@shorewall.net>
|
||||
- Updates for Shorewall 2.0.0.
|
||||
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Remove Documentation from this RPM
|
||||
* Sun Dec 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Updated for Beta 2
|
||||
* Sun Dec 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added User Defined Actions Files
|
||||
* Wed Dec 03 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added User Defined Actions Files
|
||||
* Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8
|
||||
* Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8-0RC2
|
||||
* Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.8-0RC1
|
||||
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-1
|
||||
- Removed conflict with 2.2 Kernels
|
||||
* Mon Sep 22 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0RC2
|
||||
* Thu Sep 18 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0RC1
|
||||
* Mon Sep 15 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0Beta2
|
||||
* Mon Aug 25 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.7-0Beta1
|
||||
* Sat Aug 23 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /etc/shorewall/users
|
||||
- Changed version to 1.4.6_20030823-1
|
||||
* Thu Aug 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030821-1
|
||||
- Added /etc/shorewall/usersets
|
||||
* Wed Aug 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030813-1
|
||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /etc/shorewall/accounting
|
||||
* Sat Aug 09 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030809-1
|
||||
* Thu Jul 31 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030731-1
|
||||
* Sun Jul 27 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Added /usr/share/shorewall/help
|
||||
- Changed version to 1.4.6_20030727-1
|
||||
* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6_20030726-1
|
||||
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-1
|
||||
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0RC1
|
||||
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0Beta2
|
||||
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.6-0Beta1
|
||||
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.5-1
|
||||
* Thu May 29 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4b-1
|
||||
* Tue May 27 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4a-1
|
||||
* Thu May 22 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.4-1
|
||||
* Mon May 19 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.3a-1
|
||||
* Sun May 18 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.3-1
|
||||
* Mon Apr 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.2-1
|
||||
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.1-1
|
||||
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-1
|
||||
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0RC2
|
||||
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0RC1
|
||||
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.4.0-0Beta2
|
||||
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Add ecn file
|
||||
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.4.0-0Beta1
|
||||
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.4.0Alpha1
|
||||
- Delete icmp.def
|
||||
- Move firewall and version to /usr/share/shorewall
|
||||
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0RC1
|
||||
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta2
|
||||
* Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta1
|
||||
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.13
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12
|
||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta3
|
||||
* Fri Dec 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta2
|
||||
* Wed Dec 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12-0Beta1
|
||||
- Add init, start, stop and stopped files.
|
||||
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.11a
|
||||
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.11
|
||||
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.10
|
||||
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.10b1
|
||||
* Tue Oct 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Added maclist file
|
||||
* Tue Oct 15 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.10
|
||||
- Replaced symlink with real file
|
||||
* Wed Oct 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.9b
|
||||
* Mon Sep 30 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.9a
|
||||
* Thu Sep 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.8
|
||||
* Mon Sep 16 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.8
|
||||
* Mon Sep 02 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7c
|
||||
* Mon Aug 26 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7b
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7a
|
||||
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.7
|
||||
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.6
|
||||
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.5b
|
||||
* Sat Jul 13 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.4
|
||||
* Wed Jul 10 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Added 'routestopped' configuration file.
|
||||
* Fri Jul 05 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.3
|
||||
* Sat Jun 15 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version and release for new convention
|
||||
- Moved version,firewall and functions to /var/lib/shorewall
|
||||
* Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.2
|
||||
* Fri May 31 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.1
|
||||
- Added the rfc1918 file
|
||||
* Wed May 29 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changed version to 1.3.0
|
||||
* Mon May 20 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Removed whitelist file
|
||||
* Sat May 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 91
|
||||
* Wed May 8 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 90
|
||||
- removed 'provides' tag.
|
||||
* Tue Apr 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 13
|
||||
- Added whitelist file.
|
||||
* Thu Apr 18 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed version to 12
|
||||
* Tue Apr 16 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Merged Stefan's changes to create single RPM
|
||||
* Mon Apr 15 2002 Stefan Mohr <stefan@familie-mohr.com>
|
||||
- changed to SuSE Linux 7.3
|
||||
* Wed Apr 10 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 11
|
||||
* Tue Mar 19 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 10
|
||||
* Sat Mar 09 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 9
|
||||
* Sat Feb 23 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 8
|
||||
* Thu Feb 21 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 7
|
||||
* Tue Feb 05 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 6
|
||||
* Wed Jan 30 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 5
|
||||
* Sat Jan 26 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 4
|
||||
- Merged Ajay's change to allow build by non-root
|
||||
* Sun Jan 12 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 3
|
||||
* Tue Jan 01 2002 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 2
|
||||
- Updated URL
|
||||
- Added blacklist file
|
||||
* Mon Dec 31 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 1
|
||||
* Wed Dec 19 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 0
|
||||
* Tue Dec 18 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to Rc1
|
||||
* Sat Dec 15 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to Beta2
|
||||
* Thu Nov 08 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed Version to 1.2
|
||||
- added tcrules file
|
||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed release to 17
|
||||
* Sun Oct 21 2001 Tom Eastep <tom@shorewall.net>
|
||||
- changed release to 16
|
||||
* Sun Oct 14 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 15
|
||||
* Thu Oct 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 14
|
||||
* Tue Sep 11 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- changed release to 13
|
||||
- added params file
|
||||
* Tue Aug 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 12
|
||||
* Fri Jul 27 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 11
|
||||
* Sun Jul 08 2001 Ajay Ramaswamy <ajayr@bigfoot.com>
|
||||
- reorganized spec file
|
||||
- s/Copyright/License/
|
||||
- now will build fron rpm -tb
|
||||
* Fri Jul 06 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 10
|
||||
* Tue Jun 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 9
|
||||
- Added tunnel file
|
||||
- Readded tunnels file
|
||||
* Mon Jun 18 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 8
|
||||
* Sat Jun 02 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 7
|
||||
- Changed iptables dependency.
|
||||
* Tue May 22 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 6
|
||||
- Added tunnels file
|
||||
* Sat May 19 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 5
|
||||
- Added modules and tos files
|
||||
* Sat May 12 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 4
|
||||
- Added changelog.txt and releasenotes.txt
|
||||
* Sat Apr 28 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed release to 3
|
||||
* Mon Apr 9 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Added files common.def and icmpdef.def
|
||||
- Changed release to 2
|
||||
* Wed Apr 4 2001 Tom Eastep <tom@seattlefirewall.dyndns.org>
|
||||
- Changed the release to 1.
|
||||
* Mon Mar 26 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed the version to 1.1
|
||||
- Added hosts file
|
||||
* Sun Mar 18 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed the release to 4
|
||||
- Added Zones and Functions files
|
||||
* Mon Mar 12 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change ipchains dependency to an iptables dependency and
|
||||
changed the release to 3
|
||||
* Fri Mar 9 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Add additional files.
|
||||
* Thu Mar 8 2001 Tom EAstep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 1.0.2
|
||||
* Tue Mar 6 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 1.0.1
|
||||
* Sun Mar 4 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changes for Shorewall
|
||||
* Thu Feb 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.1.0
|
||||
* Fri Feb 2 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.0.4
|
||||
* Mon Jan 22 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Change version to 4.0.2
|
||||
* Sat Jan 20 2001 Tom Eastep <teastep@seattlefirewall.dyndns.org>
|
||||
- Changed version to 4.0
|
||||
* Fri Jan 5 2001 Tom Eastep <teastep@evergo.net>
|
||||
- Added dmzclients file
|
||||
* Sun Dec 24 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Added ftpserver file
|
||||
* Sat Aug 12 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Added "nat" and "proxyarp" files for 4.0
|
||||
* Mon May 20 2000 Tom Eastep <teastep@evergo.net>
|
||||
- added updown file
|
||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
||||
- Corrected the group - Networking/Utilities
|
||||
- Added "noreplace" attributes to config files, so current confis is not
|
||||
changed.
|
||||
- Added the version file.
|
||||
* Sat May 20 2000 Tom Eastep <teastep@evergo.net>
|
||||
- Converted Simon's patch to version 3.1
|
||||
* Sat May 20 2000 Simon Piette <spiette@generation.net>
|
||||
- 3.0.2 Initial RPM
|
||||
Patched the install script so it can take a PREFIX variable
|
||||
* Mon Jan 24 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-1
|
||||
* Mon Jan 17 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC5
|
||||
* Thu Jan 06 2005 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC4
|
||||
* Thu Dec 30 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC3
|
||||
* Fri Dec 24 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC2
|
||||
* Sun Dec 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0RC1
|
||||
- Added ipsecvpn file
|
||||
* Sat Dec 11 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta8
|
||||
* Mon Nov 29 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta7
|
||||
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta6
|
||||
* Fri Nov 26 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta5
|
||||
* Fri Nov 19 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta4
|
||||
* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta3
|
||||
* Tue Nov 02 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta2
|
||||
* Fri Oct 22 2004 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.2.0-0Beta1
|
||||
|
||||
|
||||
|
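Review bot: Removing the `startup_disabled` marker from %post moves the first-install safety latch into shorewall.conf (`STARTUP_ENABLED=No`), but that file is `%config(noreplace)`, so on an upgrade the administrator's existing shorewall.conf is kept and contains no STARTUP_ENABLED line at all. How the firewall script treats a missing or empty STARTUP_ENABLED is not visible here; if it is read as `No`, every upgraded host comes up with no firewall (fail-open) at its next boot, and if it is read as `Yes`, the latch only protects fresh installs, so the behaviour for the missing-variable case should be stated in the spec or release notes and handled explicitly in the script. Also, the new 2.2.0 %changelog entries are appended after the May 2000 `3.0.2 Initial RPM` entry rather than merged at the top; rpm expects %changelog in descending date order and newer rpmbuild versions reject an out-of-order list, so the block from `Mon Jan 24 2005 ... 2.2.0-1` through `Fri Oct 22 2004 ... 2.2.0-0Beta1` belongs above or interleaved by date with the 2.0.x entries at the head of the list.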
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/start
|
||||
# Shorewall 2.2 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stop
|
||||
# Shorewall 2.2 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stopped
|
||||
# Shorewall 2.2 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Traffic Control Rules File
|
||||
# Shorewall version 2.2 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
@ -19,9 +19,8 @@
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# MARK The mark value which is an
|
||||
# integer in the range 1-255
|
||||
#
|
||||
# MARK/ a) A mark value which is a integer in the range 1-255
|
||||
# CLASSIFY
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
@ -30,9 +29,55 @@
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# If your kernel and iptables include CONNMARK support
|
||||
# then you can also mark the connection rather than
|
||||
# the packet.
|
||||
#
|
||||
# The mark value may be optionally followed by "/"
|
||||
# and a mask value (used to determine those bits of
|
||||
# the connection mark to actually be set). The
|
||||
# mark and optional mask are then followed by one of:
|
||||
#
|
||||
# C - Mark the connection in the chain determined
|
||||
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||
#
|
||||
# CF: Mark the conneciton in the FORWARD chain
|
||||
#
|
||||
# CP: Mark the connection in the PREROUTING chain.
|
||||
#
|
||||
# b) A classification of the form <major>:<minor> where
|
||||
# <major> and <minor> are integers. Corresponds to
|
||||
# the 'class' specification in these traffic shaping
|
||||
# modules:
|
||||
#
|
||||
# - atm
|
||||
# - cbq
|
||||
# - dsmark
|
||||
# - pfifo_fast
|
||||
# - htb
|
||||
# - prio
|
||||
#
|
||||
# Classify always occurs in the POSTROUTING chain.
|
||||
#
|
||||
# c) RESTORE[/mask] -- restore the packet's mark from the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# c) SAVE[/mask] -- save the packet's mark to the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# d) CONTINUE -- don't process any more marking rules in
|
||||
# the table. As in a) above, may be followed by ":P" or
|
||||
# ":F".
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# and/or subnets. If your kernel and iptables include
|
||||
# iprange match support, IP address ranges are also
|
||||
# allowed. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
@ -43,22 +88,34 @@
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# DEST Destination of the packet. Comma separated list of
|
||||
# IP addresses and/or subnets.
|
||||
# IP addresses and/or subnets. If your kernel and
|
||||
# iptables include iprange match support, IP address
|
||||
# ranges are also allowed.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# or "all".
|
||||
# If the MARK column specificies a classification of
|
||||
# the form <major>:<minor> then this column may also
|
||||
# contain an interface name.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following field is supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
@ -77,7 +134,19 @@
|
||||
# The colon is optionnal when specifying only a user.
|
||||
# Examples : john: / john / :users / john:users
|
||||
#
|
||||
# TEST Defines a test on the existing packet or connection mark.
|
||||
# The rule will match only if the test returns true. Tests
|
||||
# have the format [!]<value>[/<mask>][:C]
|
||||
#
|
||||
# Where:
|
||||
#
|
||||
# ! Inverts the test (not equal)
|
||||
# <value> Value of the packet or connection mark.
|
||||
# <mask> A mask to be applied to the mark before
|
||||
# testing
|
||||
# :C Designates a connection mark. If omitted,
|
||||
# the packet mark's value is tested.
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- /etc/shorewall/tos
|
||||
# Shorewall 2.2 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
@ -43,10 +43,4 @@
|
||||
#
|
||||
##############################################################################
|
||||
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
||||
all all tcp - 22 16
|
||||
all all tcp 22 - 16
|
||||
all all tcp - 21 16
|
||||
all all tcp 21 - 16
|
||||
all all tcp 20 - 8
|
||||
all all tcp - 20 8
|
||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
||||
|
@ -2,14 +2,14 @@
|
||||
|
||||
RCDLINKS="2,S45 3,S45 6,K45"
|
||||
################################################################################
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 2.0
|
||||
# Script to create a gre or ipip tunnel -- Shorewall 2.2
|
||||
#
|
||||
# Modified - Steve Cowles 5/9/2000
|
||||
# Incorporated init {start|stop} syntax and iproute2 usage
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Modify the following variables to match your configuration
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/tunnels
|
||||
# Shorewall 2.2 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
@ -34,7 +34,10 @@
|
||||
#
|
||||
# GATEWAY -- The IP address of the remote tunnel gateway. If the
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
# then specify the gateway as 0.0.0.0/0. May be
|
||||
# specified as a network address and if your kernel and
|
||||
# iptables include iprange match support then IP address
|
||||
# ranges are also allowed.
|
||||
#
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=2.0.16
|
||||
VERSION=2.2.0
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/zones
|
||||
# Shorewall 2.2 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
@ -11,9 +11,15 @@
|
||||
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
||||
#
|
||||
# See http://www.shorewall.net/Documentation.htm#Nested
|
||||
#--------------------------------------------------------------------------------
|
||||
# Example zones:
|
||||
#
|
||||
# You have a three interface firewall with internet, local and DMZ interfaces.
|
||||
#
|
||||
# #ZONE DISPLAY COMMENTS
|
||||
# net Internet The big bad Internet
|
||||
# loc Local Local Network
|
||||
# dmz DMZ Demilitarized zone.
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
dmz DMZ Demilitarized zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
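Review bot: If the three uncommented entries `net Net Internet`, `loc Local Local networks` and `dmz DMZ Demilitarized zone` are the removed side of this hunk (the header counts, 9 old lines against 15 new, fit three removals plus nine added comment lines, but this rendering does not mark sides), the shipped zones file no longer defines any zone and the `#ZONE DISPLAY COMMENTS` header is followed directly by the LAST LINE marker. Nothing in the new comment block says that the file is intentionally empty and must be populated before Shorewall is started, so a reader cannot tell whether the active entries were dropped deliberately or lost. Consider adding, just above the column header, `# No zones are defined by default; add your zones below before starting Shorewall.` If the entries were meant to remain, restoring them is the fix instead.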
|