Bring forward 3.2.2 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5f7af88022
commit
aaa06b41c2
@ -44,7 +44,7 @@ allow)
|
||||
Re-enables receipt of packets from hosts previously blacklisted
|
||||
by a drop or reject command.
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
@ -66,7 +66,7 @@ debug)
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall debug start 2> /tmp/trace
|
||||
shorewall-lite debug start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace.
|
||||
@ -78,7 +78,7 @@ drop)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored
|
||||
|
||||
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
@ -86,7 +86,7 @@ drop)
|
||||
dump)
|
||||
echo "dump: dump
|
||||
|
||||
shorewall [-x] dump
|
||||
shorewall-lite [-x] dump
|
||||
|
||||
Produce a verbose report about the firewall for problem analysis.
|
||||
|
||||
@ -105,7 +105,7 @@ forget)
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
Display helpful information about the shorewall-lite commands."
|
||||
;;
|
||||
|
||||
hits)
|
||||
@ -136,7 +136,7 @@ logdrop)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored and loged.
|
||||
|
||||
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
@ -152,7 +152,7 @@ logreject)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be rejected and logged.
|
||||
|
||||
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
@ -161,7 +161,7 @@ reject)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be rejected
|
||||
|
||||
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
@ -173,7 +173,7 @@ reset)
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -n ] [ <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Restart is the same as a shorewall-lite stop && shorewall-lite start.
|
||||
Existing connections are maintained.
|
||||
|
||||
If \"-n\" is specified, no changes to routing will be made"
|
||||
@ -183,9 +183,9 @@ restore)
|
||||
echo "restore: restore [ -n ] [ <file name> ]
|
||||
Restore Shorewall to a state saved using the 'save' command
|
||||
Existing connections are maintained. The <file name> names a restore file in
|
||||
/var/lib/shorewall-lite created using \"shorewall save\"; if no <file name> is given
|
||||
then Shorewall will be restored from the file specified by the RESTOREFILE
|
||||
option in shorewall.conf.
|
||||
/var/lib/shorewall-lite created using \"shorewall-lite save\"; if no
|
||||
<file name> is given then Shorewall Lite will be restored from the file
|
||||
specified by the RESTOREFILE option in shorewall.conf.
|
||||
|
||||
If \"-n\" is specified, no changes to routing will be made.
|
||||
|
||||
@ -195,50 +195,53 @@ restore)
|
||||
save)
|
||||
echo "save: save [ <file name> ]
|
||||
The dynamic data is stored in /var/lib/shorewall-lite/save. The state of the
|
||||
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall restore'
|
||||
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
||||
firewall is stored in /var/lib/shorewall-lite/<file name> for use by the 'shorewall-lite restore'
|
||||
and 'shorewall-lite -f start' commands. If <file name> is not given then the state is saved
|
||||
in the file specified by the RESTOREFILE option in shorewall.conf.
|
||||
|
||||
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help restore\" and \"help forget\""
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
|
||||
echo "show: show [ <chain> [ <chain> ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones]
|
||||
|
||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
shorewall-lite [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
|
||||
shorewall [-x] show mangle - produce a verbose report about the mangle table.
|
||||
shorewall-lite [-x] show mangle - produce a verbose report about the mangle table.
|
||||
(iptables -t mangle -L -n -v)
|
||||
|
||||
shorewall [-x] show nat - produce a verbose report about the nat table.
|
||||
shorewall-lite [-x] show nat - produce a verbose report about the nat table.
|
||||
(iptables -t nat -L -n -v)
|
||||
|
||||
shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
|
||||
shorewall-lite show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then
|
||||
MAC addresses in the log entries (if any) are displayed.
|
||||
|
||||
shorewall show connections - displays the IP connections currently
|
||||
shorewall-lite show connections - displays the IP connections currently
|
||||
being tracked by the firewall.
|
||||
|
||||
shorewall show tc - displays information about the traffic
|
||||
shorewall-lite show tc - displays information about the traffic
|
||||
control/shaping configuration.
|
||||
|
||||
shorewall show zones - displays the contents of all zones.
|
||||
shorewall-lite show zones - displays the contents of all zones.
|
||||
|
||||
shorewall show capabilities - displays your kernel/iptables capabilities
|
||||
shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is
|
||||
specified, then the output is suitable for use as /etc/shorewall/capabilities on your administrative
|
||||
system.
|
||||
|
||||
shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution
|
||||
shorewall-lite show config - displays the default CONFIG_PATH and LITEDIR for your distribution
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: start [ -f ] [ -n ] [ <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
Start Shorewall Lite. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies.
|
||||
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||
case, a <configuration-directory> may not be specified.
|
||||
@ -256,7 +259,7 @@ stop)
|
||||
status)
|
||||
echo "status: status
|
||||
|
||||
shorewall status
|
||||
shorewall-lite status
|
||||
|
||||
Displays the Shorewall Lite status (running/not-running).
|
||||
|
||||
@ -270,11 +273,11 @@ trace)
|
||||
If you include the keyword trace as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|check|add|delete
|
||||
start|stop|restart|reset|clear
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall trace start 2> /tmp/trace
|
||||
shorewall-lite trace start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace.
|
||||
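Review bot: The replacement line `shorewall-lite allow, drop, rejct and save implement dynamic blacklisting.` in the allow) hunk carries the `rejct` typo over from the line it replaces, and it also names fewer commands than the equivalent sentence in the drop), logdrop), logreject), reject) and save) hunks, which all read `allow, drop, logdrop, logreject, reject and save`. Since the line is being rewritten anyway, `shorewall-lite allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.` would fix both, assuming the command set really is the same for allow. In the show) hunk the new line `shorewall-lite show - [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is` has a stray `-` before `[ -f ]`; `shorewall-lite show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is` matches the other show lines in the same echo. These are user-visible strings inside `echo`, so the fixes are to literal text only.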
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
#
|
||||
|
||||
VERSION=3.2.0
|
||||
VERSION=3.2.2
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -30,6 +30,7 @@ usage() # $1 = exit status
|
||||
echo "usage: $ME"
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
echo " $ME -n"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -88,7 +89,7 @@ backup_directory() # $1 = directory to backup
|
||||
|
||||
backup_file() # $1 = file to backup, $2 = (optional) Directory in which to create the backup
|
||||
{
|
||||
if [ -z "$PREFIX" ]; then
|
||||
if [ -z "${PREFIX}${NOBACKUP}" ]; then
|
||||
if [ -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
|
||||
if [ -n "$2" ]; then
|
||||
if [ -d $2 ]; then
|
||||
@ -155,6 +156,8 @@ if [ -z "$GROUP" ] ; then
|
||||
GROUP=root
|
||||
fi
|
||||
|
||||
NOBACKUP=
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
@ -164,6 +167,9 @@ while [ $# -gt 0 ] ; do
|
||||
echo "Shorewall Lite Firewall Installer Version $VERSION"
|
||||
exit 0
|
||||
;;
|
||||
-n)
|
||||
NOBACKUP=Yes
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -216,9 +222,11 @@ echo "Installing Shorewall Lite Version $VERSION"
|
||||
#
|
||||
if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
|
||||
first_install=""
|
||||
backup_directory /etc/shorewall-lite
|
||||
backup_directory /usr/share/shorewall-lite
|
||||
backup_directory /var/lib/shorewall-lite
|
||||
if [ -z "$NOBACKUP" ]; then
|
||||
backup_directory /etc/shorewall-lite
|
||||
backup_directory /usr/share/shorewall-lite
|
||||
backup_directory /var/lib/shorewall-lite
|
||||
fi
|
||||
else
|
||||
first_install="Yes"
|
||||
rm -rf ${PREFIX}/etc/shorewall-lite
|
||||
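Review bot: The new `echo "    $ME -n"` line in usage() lists the option without saying what it does, so a reader has to find the `NOBACKUP=Yes` arm to learn that -n skips backups; a short trailer such as `echo "    $ME -n        (do not back up existing files)"` keeps that discoverable from the help output. The new test in backup_file(), `if [ -z "${PREFIX}${NOBACKUP}" ]; then`, relies on concatenation to mean "both empty", which is correct but reads like a typo at a glance; `if [ -z "$PREFIX" ] && [ -z "$NOBACKUP" ]; then` states the intent directly and is what the later `if [ -z "$NOBACKUP" ]; then` guard around the backup_directory calls already does for one of the two. backup_file()'s body continues outside the hunk.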
|
@ -44,50 +44,18 @@
|
||||
# used during firewall compilation, then the generated firewall program will likewise not
|
||||
# require Shorewall to be installed.
|
||||
|
||||
PRODUCT="Shorewall Lite"
|
||||
|
||||
. /usr/share/shorewall-lite/functions
|
||||
. /usr/share/shorewall-lite/configpath
|
||||
. /etc/shorewall-lite/shorewall.conf
|
||||
|
||||
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
VERSION=$(cat /usr/share/shorewall-lite/version)
|
||||
|
||||
report_capability() # $1 = Capability
|
||||
{
|
||||
eval echo $1=\$$1
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "#"
|
||||
echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
|
||||
echo "#"
|
||||
report_capability NAT_ENABLED
|
||||
report_capability MANGLE_ENABLED
|
||||
report_capability MULTIPORT
|
||||
report_capability XMULTIPORT
|
||||
report_capability CONNTRACK_MATCH
|
||||
report_capability USEPKTTYPE
|
||||
report_capability POLICY_MATCH
|
||||
report_capability PHYSDEV_MATCH
|
||||
report_capability LENGTH_MATCH
|
||||
report_capability IPRANGE_MATCH
|
||||
report_capability RECENT_MATCH
|
||||
report_capability OWNER_MATCH
|
||||
report_capability IPSET_MATCH
|
||||
report_capability CONNMARK
|
||||
report_capability XCONNMARK
|
||||
report_capability CONNMARK_MATCH
|
||||
report_capability XCONNMARK_MATCH
|
||||
report_capability RAW_TABLE
|
||||
report_capability IPP2P_MATCH
|
||||
report_capability CLASSIFY_TARGET
|
||||
report_capability ENHANCED_REJECT
|
||||
report_capability KLUDGEFREE
|
||||
report_capability MARK
|
||||
report_capability XMARK
|
||||
report_capability MANGLE_FORWARD
|
||||
}
|
||||
|
||||
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
|
||||
|
||||
VERBOSE=0
|
||||
load_kernel_modules
|
||||
determine_capabilities
|
||||
report_capabilities
|
||||
report_capabilities1
|
||||
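Review bot: The new side ends by calling `report_capabilities1`, which is not defined anywhere in this file, so it presumably now comes from the sourced `/usr/share/shorewall-lite/functions`, while the hunk deletes the local report_capability/report_capabilities definitions that used to make this script self-contained. If the installed functions library predates this script, that mismatch only surfaces as a shell "command not found" after `load_kernel_modules` and `determine_capabilities` have already run. A guard right after the `. /usr/share/shorewall-lite/functions` line, `type report_capabilities1 >/dev/null 2>&1 || { echo "ERROR: report_capabilities1 is not provided by /usr/share/shorewall-lite/functions" >&2; exit 1; }`, fails early with a message that names the actual problem. A one-line comment above the call, `# report_capabilities1 is supplied by the sourced functions library`, would also save the next reader a search.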
|
@ -162,6 +162,8 @@ validate_restorefile() # $* = label
|
||||
#
|
||||
get_config() {
|
||||
|
||||
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||
|
||||
if [ ! -f $LOGFILE ]; then
|
||||
@ -376,10 +378,29 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Verify that we have a compiled firewall script
|
||||
#
|
||||
verify_firewall_script() {
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo " ERROR: Shorewall Lite is not properly installed" >&2
|
||||
if [ -L $FIREWALL ]; then
|
||||
echo " $FIREWALL is a symbolic link to a" >&2
|
||||
echo " non-existant file" >&2
|
||||
else
|
||||
echo " The file $FIREWALL does not exist" >&2
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Save currently running configuration
|
||||
#
|
||||
save_config() {
|
||||
verify_firewall_script
|
||||
|
||||
if shorewall_is_started ; then
|
||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
||||
|
||||
@ -471,6 +492,8 @@ start_command() {
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
}
|
||||
|
||||
verify_firewall_script
|
||||
|
||||
if shorewall_is_started; then
|
||||
error_message "Shorewall is already running"
|
||||
exit 1
|
||||
@ -574,6 +597,8 @@ start_command() {
|
||||
restart_command() {
|
||||
local finished=0
|
||||
|
||||
verify_firewall_script
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
case $option in
|
||||
@ -668,6 +693,10 @@ show_command() {
|
||||
SHOWMACS=Yes
|
||||
option=${option#m}
|
||||
;;
|
||||
f*)
|
||||
FILEMODE=Yes
|
||||
option=${option#f}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -744,7 +773,11 @@ show_command() {
|
||||
[ $# -gt 1 ] && usage 1
|
||||
determine_capabilities
|
||||
VERBOSE=2
|
||||
report_capabilities
|
||||
if [ -n "$FILEMODE" ]; then
|
||||
report_capabilities1
|
||||
else
|
||||
report_capabilities
|
||||
fi
|
||||
;;
|
||||
config)
|
||||
. ${SHAREDIR}/configpath
|
||||
@ -964,7 +997,6 @@ usage() # $1 = exit status
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " allow <address> ..."
|
||||
echo " check [ -e ] [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " drop <address> ..."
|
||||
echo " dump [ -x ]"
|
||||
@ -982,7 +1014,7 @@ usage() # $1 = exit status
|
||||
echo " restart [ -n ] [ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [ -x ] [ -m ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
|
||||
echo " show [ -x ] [ -m ] [ -f ] [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|log|mangle|nat|tc|zones]"
|
||||
echo " start [ -f ] [ -n ] [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
@ -1214,18 +1246,6 @@ get_config
|
||||
|
||||
FIREWALL=$LITEDIR/firewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo " ERROR: Shorewall Lite is not properly installed" >&2
|
||||
if [ -L $FIREWALL ]; then
|
||||
echo " $FIREWALL is a symbolic link to a" >&2
|
||||
echo " non-existant file" >&2
|
||||
else
|
||||
echo " The file $FIREWALL does not exist" >&2
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
version=$(cat $VERSION_FILE)
|
||||
else
|
||||
@ -1263,6 +1283,7 @@ case "$COMMAND" in
|
||||
;;
|
||||
stop|reset|clear)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
verify_firewall_script
|
||||
export NOROUTES
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
|
||||
;;
|
||||
@ -1270,10 +1291,6 @@ case "$COMMAND" in
|
||||
shift
|
||||
restart_command $@
|
||||
;;
|
||||
check)
|
||||
shift
|
||||
check_command $@
|
||||
;;
|
||||
show|list)
|
||||
shift
|
||||
show_command $@
|
||||
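Review bot: In the new verify_firewall_script(), `if [ ! -f $FIREWALL ]; then` and `if [ -L $FIREWALL ]; then` leave `$FIREWALL` unquoted: should the function ever run before `FIREWALL=$LITEDIR/firewall` has been assigned, `[ ! -f ]` evaluates to false and the check passes silently, and a LITEDIR containing whitespace makes `[` fail with "too many arguments" instead of printing the intended error. Quoting both, `if [ ! -f "$FIREWALL" ]; then` and `if [ -L "$FIREWALL" ]; then`, costs nothing and makes the function report exactly the case it exists to catch, which matters now that the stop|reset|clear arm relies on it before `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND`. The message `non-existant file`, carried over from the deleted inline block, should read `non-existent file`. Giving the function a header comment stating that it exits with status 2 when the compiled script is missing would also document the contract the callers in save_config, start_command and restart_command now depend on.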
|
@ -12,8 +12,11 @@
|
||||
# N 0 T E
|
||||
###############################################################################
|
||||
# Entries in this file override entries in the shorewall.conf file in the
|
||||
# configuration directory when the firewall script was compiled. Any variable
|
||||
# export directory when the firewall script was compiled. Any variable
|
||||
# not set here assumes the value defined at firewall compilation time.
|
||||
#
|
||||
# PROVIDED THAT shorewall.conf IN THE EXPORT DIRECTORY IS CORRECT, YOU DO NOT
|
||||
# NEED TO MODIFY THIS FILE IN ANY WAY
|
||||
###############################################################################
|
||||
# V E R B O S I T Y
|
||||
###############################################################################
|
||||
|