diff --git a/Shorewall/accounting b/Shorewall/accounting index f46c8344d..5f2a6fbb0 100755 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -7,7 +7,7 @@ # that you define in this file. You may display these rules and their # packet and byte counters using the "shorewall show accounting" command. # -# Please see http://shorewall.net/Accounting.html for examples and +# Please see http://shorewall.net/Accounting.html for examples and # additional information about how to use this file. # # @@ -21,7 +21,7 @@ # to match any other accounting rules # in the chain specified in the CHAIN # column. -# [:COUNT] +# [:COUNT] # - Where is the name of # a chain. Shorewall will create # the chain automatically if it @@ -29,18 +29,18 @@ # a jump to that chain. If :COUNT # is including, a counting rule # matching this record will be -# added to +# added to # -# CHAIN - The name of a chain. If specified as "-" the +# CHAIN - The name of a chain. If specified as "-" the # 'accounting' chain is assumed. This is the chain # where the accounting rule is added. The chain will # be created if it doesn't already exist. -# +# # SOURCE - Packet Source # # The name of an interface, an address (host or net) or # an interface name followed by ":" -# and a host or net address. +# and a host or net address. # # DESTINATION - Packet Destination # 
@@ -49,14 +49,15 @@ # PROTOCOL A protocol name (from /etc/protocols), a protocol # number, or "ipp2p" # -# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then -# this column must contain an ipp2p option ("iptables -m -# ipp2p --help") without the leading "--". If no option -# is given in this column, "ipp2p" is assumed. +# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" +# then this column must contain an ipp2p option +# ("iptables -m ipp2p --help") without the leading +# "--". If no option is given in this column, "ipp2p" +# is assumed. # # Service name from /etc/services or port number. May # only be specified if the protocol is TCP or UDP (6 -# or 17). +# or 17). # # SOURCE PORT Source Port number # @@ -69,7 +70,7 @@ # # The column may contain: # -# [!][][:][+] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under @@ -81,17 +82,17 @@ # joe #program must be run by joe # :kids #program must be run by a member of # #the 'kids' group -# !:kids #program must not be run by a member +# !:kids #program must not be run by a member # #of the 'kids' group -# +upnpd #program named upnpd +# +upnpd #program named upnpd # # In all of the above columns except ACTION and CHAIN, the values "-", # "any" and "all" may be used as wildcards # -# Please see http://shorewall.net/Accounting.html for examples and -# additional information about how to use this file. +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. # -#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ +##################################################################################### +#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ # PORT PORT GROUP -# #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.Drop b/Shorewall/action.Drop index 52f8c4c73..6cd27a4e5 100644 
--- a/Shorewall/action.Drop +++ b/Shorewall/action.Drop @@ -1,21 +1,24 @@ # -# Shorewall 2.6 /usr/share/shorewall/action.Drop +# Shorewall version 2.6 - Drop Action +# +# /usr/share/shorewall/action.Drop # # The default DROP common rules # -# This action is invoked before a DROP policy is enforced. The purpose of the action -# is: +# This action is invoked before a DROP policy is enforced. The purpose +# of the action is: # -# a) Avoid logging lots of useless cruft. -# b) Ensure that 'auth' requests are rejected, even if the policy is DROP. -# Otherwise, you may experience problems establishing connections with -# servers that use auth. -# c) Ensure that certain ICMP packets that are necessary for successful +# a) Avoid logging lots of useless cruft. +# b) Ensure that 'auth' requests are rejected, even if the policy is +# DROP. Otherwise, you may experience problems establishing +# connections with servers that use auth. +# c) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # -# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!! -###################################################################################### -#TARGET SOURCE DEST PROTO DPORT SPORT +# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! +# +############################################################################### +#TARGET SOURCE DEST PROTO DPORT SPORT # # Reject 'auth' # @@ -27,10 +30,10 @@ dropBcast # # ACCEPT critical ICMP types # -AllowICMPs - - icmp +AllowICMPs - - icmp # -# Drop packets that in the INVALID state -- these are usually ICMP packets and just -# confuse people when they appear in the log. +# Drop packets that in the INVALID state -- these are usually ICMP packets +# and just confuse people when they appear in the log. # dropInvalid # 
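Review bot: The rewrapped comment above `dropInvalid` carries the original typo over to the new side — `Drop packets that in the INVALID state` — and since the line is being rewritten anyway it should read `# Drop packets that are in the INVALID state -- these are usually ICMP packets`. The same sentence would also be a good place to state the trade-off the action makes, which the visible text only implies: because these packets are dropped here, before the DROP policy's own logging, they never show up in the log at all, e.g. `# (they are dropped silently, so they will not appear in the log).` The rest of this hunk is whitespace and wrapping only.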
@@ -41,9 +44,10 @@ DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # -dropNotSyn - - tcp +dropNotSyn - - tcp # -# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log. +# Drop late-arriving DNS replies. These are just a nuisance and clutter up +# the log. # DropDNSrep #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.Reject b/Shorewall/action.Reject index 2efe39266..c6b15ed5e 100644 --- a/Shorewall/action.Reject +++ b/Shorewall/action.Reject 
@@ -1,33 +1,37 @@ # -# Shorewall 2.6 /usr/share/shorewall/action.Reject +# Shorewall version 2.6 - Reject Action +# +# /usr/share/shorewall/action.Reject # # The default REJECT action common rules # -# This action is invoked before a REJECT policy is enforced. The purpose of the action -# is: +# This action is invoked before a REJECT policy is enforced. The purpose +# of the action is: # -# a) Avoid logging lots of useless cruft. -# b) Ensure that certain ICMP packets that are necessary for successful +# a) Avoid logging lots of useless cruft. +# b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # -# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!! -###################################################################################### -#TARGET SOURCE DEST PROTO +# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! +############################################################################### +#TARGET SOURCE DEST PROTO # # Don't log 'auth' REJECT # Auth/REJECT # -# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected). +# Drop Broadcasts so they don't clutter up the log +# (broadcasts must *not* be rejected). # dropBcast # # ACCEPT critical ICMP types # -AllowICMPs - - icmp +AllowICMPs - - icmp # -# Drop packets that in the INVALID state -- these are usually ICMP packets and just -# confuse people when they appear in the log (these ICMPs cannot be rejected). +# Drop packets that in the INVALID state -- these are usually ICMP packets +# and just confuse people when they appear in the log (these ICMPs cannot be +# rejected). # dropInvalid # 
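Review bot: The `dropInvalid` comment in this file is rewrapped to the same text as in action.Drop and keeps the same typo — `Drop packets that in the INVALID state`; make it `# Drop packets that are in the INVALID state -- these are usually ICMP packets` while the line is being touched. The parenthetical `(these ICMPs cannot be rejected)` is the security-relevant part of the note and is worth keeping on its own line so it is not lost in the wrap, e.g. `# These packets cannot be REJECTed, so they are dropped here before the REJECT policy applies.` No code changes in this hunk; the rest is whitespace.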
@@ -38,9 +42,10 @@ DropUPnP # # Drop 'newnotsyn' traffic so that it doesn't get logged. # -dropNotSyn - - tcp +dropNotSyn - - tcp # -# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log. +# Drop late-arriving DNS replies. These are just a nuisance and clutter up +# the log. # DropDNSrep #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/action.template b/Shorewall/action.template index 3c06098c9..73135df8e 100644 --- a/Shorewall/action.template +++ b/Shorewall/action.template @@ -1,7 +1,9 @@ # -# Shorewall 2.6 /etc/shorewall/action.template +# Shorewall version 2.6 - Template Action # -# This file is a template for files with names of the form +# /etc/shorewall/action.template +# +# This file is a template for files with names of the form # /etc/shorewall/action. where is an # ACTION defined in /etc/shorewall/actions. # @@ -20,20 +22,21 @@ # TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a # previously-defined # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. -# LOG -- Simply log the packet and continue. +# LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as p2pwall. # CONTINUE -- Discontinue processing this action # and return to the point where the # action was invoked. # -- An defined in -# /etc/shorewall/actions. The -# must appear in that file BEFORE the -# one being defined in this file. +# /etc/shorewall/actions. +# The must appear in that +# file BEFORE the one being defined +# in this file. # # The TARGET may optionally be followed # by ":" and a syslog log level (e.g, REJECT:info or 
@@ -58,7 +61,7 @@ # at the end of the log prefix generated by the # LOGPREFIX setting. # -# SOURCE Source hosts to which the rule applies. +# SOURCE Source hosts to which the rule applies. # A comma-separated list of subnets # and/or hosts. Hosts may be specified by IP or MAC # address; mac addresses must begin with "~" and must use @@ -72,21 +75,21 @@ # kernel and iptables must have # iprange match support. # -# +remote The name of an ipset prefaced -# by "+". Your kernel and +# +remote The name of an ipset prefaced +# by "+". Your kernel and # iptables must have set match # support # -# +remote[4] The name of the ipset may -# followed by a number of -# levels of ipset bindings -# enclosed in square brackets. +# +remote[4] The name of the ipset may +# followed by a number of +# levels of ipset bindings +# enclosed in square brackets. # # 192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2. -# ~00-A0-C9-15-39-78 Host with -# MAC address 00:A0:C9:15:39:78. +# ~00-A0-C9-15-39-78 Host with +# MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface # name. For example, eth1 specifies a 
@@ -95,14 +98,15 @@ # another colon (":") and an IP/MAC/subnet address # as described above (e.g., eth1:192.168.1.5). # -# DEST Location of destination host. Same as above with the exception that -# MAC addresses are not allowed and that you cannot specify -# an ipset name in both the SOURCE and DEST columns. +# DEST Location of destination host. Same as above with +# the exception that MAC addresses are not allowed and +# that you cannot specify an ipset name in both the +# SOURCE and DEST columns. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". # -# DEST PORT(S) Destination Ports. A comma-separated list of Port +# DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). @@ -139,12 +143,12 @@ # Otherwise, a separate rule will be generated for each # port. # -# RATE LIMIT You may rate-limit the rule by placing a value in +# RATE LIMIT You may rate-limit the rule by placing a value in # this column: -# +# # /[:] # -# where is the number of connections per +# where is the number of connections per # ("sec" or "min") and is the # largest burst permitted. If no is given, # a value of 5 is assumed. There may be no @@ -157,7 +161,7 @@ # # The column may contain: # -# [!][][:][+] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under 
@@ -169,11 +173,11 @@ # joe #program must be run by joe # :kids #program must be run by a member of # #the 'kids' group -# !:kids #program must not be run by a member +# !:kids #program must not be run by a member # #of the 'kids' group -# +upnpd #program named upnpd +# +upnpd #program named upnpd # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP +############################################################################### +#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/actions b/Shorewall/actions index 5cb360fd1..5a4856c79 100644 --- a/Shorewall/actions +++ b/Shorewall/actions @@ -1,7 +1,9 @@ # -# Shorewall 2.6 /etc/shorewall/actions +# Shorewall version 2.6 - Actions File # -# This file allows you to define new ACTIONS for use in rules +# /etc/shorewall/actions +# +# This file allows you to define new ACTIONS for use in rules # (/etc/shorewall/rules). You define the iptables rules to # be performed in an ACTION in # /etc/shorewall/action.. @@ -24,9 +26,8 @@ # If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by # itself, the associated policy will have no common action. # -# Please see http://shorewall.net/Actions.html for additional -# information. +# Please see http://shorewall.net/Actions.html for additional information. # +############################################################################### #ACTION - #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall/actions.std b/Shorewall/actions.std index d6e704cbf..b6ac1dde4 100644 --- a/Shorewall/actions.std +++ b/Shorewall/actions.std 
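Review bot: The template's column header now advertises an `ORIGINAL DEST` column between SOURCE PORT(S) and RATE LIMIT, but no column description is added for it — the descriptions above (TARGET through USER/GROUP, which begin outside this hunk) are unchanged, so anyone copying action.template into an action.<name> file is handed a column with no statement of what it accepts or how to leave it unused. Add a paragraph alongside RATE LIMIT, at minimum `# ORIGINAL DEST  Optional. Use "-" to leave this column empty.` plus a sentence on the accepted values; presumably it mirrors the column of the same name in /etc/shorewall/rules, but that should be confirmed against the rules file before documenting it here. Since the header is what users align their entries against, the description is also where to say whether the column applies to every TARGET or only to some of them.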
@@ -1,27 +1,28 @@ # -# Shorewall 2.6 /usr/share/shorewall/actions.std +# Shorewall version 2.6 - Actions.std File +# +# /usr/share/shorewall/actions.std # # Please see http://shorewall.net/Actions.html for additional # information. # # Builtin Actions are: # -# allowBcast #Silently Allow Broadcast/multicast -# dropBcast #Silently Drop Broadcast/multicast -# dropNotSyn #Silently Drop Non-syn TCP packets -# rejNotSyn #Silently Reject Non-syn TCP packets -# dropInvalid #Silently Drop packets that are in the INVALID -# #conntrack state. -# allowInvalid #Accept packets that are in the INVALID -# #conntrack state. -# allowoutUPnP #Allow traffic from local command 'upnpd' -# allowinUPnP #Allow UPnP inbound (to firewall) traffic -# forwardUPnP #Allow traffic that upnpd has redirected from -# #'upnp' interfaces. +# allowBcast # Silently Allow Broadcast/multicast +# dropBcast # Silently Drop Broadcast/multicast +# dropNotSyn # Silently Drop Non-syn TCP packets +# rejNotSyn # Silently Reject Non-syn TCP packets +# dropInvalid # Silently Drop packets that are in the INVALID +# # conntrack state. +# allowInvalid # Accept packets that are in the INVALID +# # conntrack state. +# allowoutUPnP # Allow traffic from local command 'upnpd' +# allowinUPnP # Allow UPnP inbound (to firewall) traffic +# forwardUPnP # Allow traffic that upnpd has redirected from +# # 'upnp' interfaces. # +############################################################################### #ACTION - -Drop:DROP #Common Action for DROP policy -Reject:REJECT #Common Action for REJECT policy - +Drop:DROP # Common Action for DROP policy +Reject:REJECT # Common Action for REJECT policy #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall/blacklist b/Shorewall/blacklist index d3b21f8e7..4f9311153 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist 
@@ -1,21 +1,22 @@ # -# Shorewall 2.6 -- Blacklist File +# Shorewall version 2.6 - Blacklist File # # /etc/shorewall/blacklist # -# This file contains a list of IP addresses, MAC addresses and/or subnetworks. +# This file contains a list of IP addresses, MAC addresses and/or +# subnetworks. # # Columns are: # -# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address +# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address # range (if your kernel and iptables contain iprange -# match support) or ipset name prefaced by "+" (if +# match support) or ipset name prefaced by "+" (if # your kernel supports ipset match). # -# MAC addresses must be prefixed with "~" and use "-" +# MAC addresses must be prefixed with "~" and use "-" # as a separator. # -# Example: ~00-A0-C9-15-39-78 +# Example: ~00-A0-C9-15-39-78 # # PROTOCOL - Optional. If specified, must be a protocol number # or a protocol name from /etc/protocols. 
@@ -24,33 +25,32 @@ # is TCP (6) or UDP (17). A comma-separated list # of port numbers or service names from /etc/services. # -# When a packet arrives on an interface that has the 'blacklist' option -# specified in /etc/shorewall/interfaces, its source IP address is checked -# against this file and disposed of according to the BLACKLIST_DISPOSITION and -# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf +# When a packet arrives on an interface that has the 'blacklist' option +# specified in /etc/shorewall/interfaces, its source IP address is +# checked against this file and disposed of according to the +# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in +# /etc/shorewall/shorewall.conf # -# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching -# the protocol (and one of the ports if PORTS supplied) are blocked. +# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching +# the protocol (and one of the ports if PORTS supplied) are blocked. # -# Example: +# Example: # -# To block DNS queries from address 192.0.2.126: +# To block DNS queries from address 192.0.2.126: # -# ADDRESS/SUBNET PROTOCOL PORT -# 192.0.2.126 udp 53 +# ADDRESS/SUBNET PROTOCOL PORT +# 192.0.2.126 udp 53 # -# Example: +# Example: # -# To block DNS queries from addresses in the ipset 'dnsblack': +# To block DNS queries from addresses in the ipset 'dnsblack': # -# ADDRESS/SUBNET PROTOCOL PORT -# +dnsblack udp 53 +# ADDRESS/SUBNET PROTOCOL PORT +# +dnsblack udp 53 # -# Please see http://shorewall.net/blacklisting_support.htm for additional +# Please see http://shorewall.net/blacklisting_support.htm for additional # information. # ############################################################################### #ADDRESS/SUBNET PROTOCOL PORT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - diff --git a/Shorewall/configpath b/Shorewall/configpath index 8e4a04088..24ff35518 100644 --- a/Shorewall/configpath +++ b/Shorewall/configpath 
@@ -1,5 +1,5 @@ # -# Shorewall version 2.6 - Default Config Path +# Shorewall version 2.6 - Default Config Path # # /usr/share/shorewall/configpath # diff --git a/Shorewall/continue b/Shorewall/continue index 914293e2c..ec38e063d 100644 --- a/Shorewall/continue +++ b/Shorewall/continue @@ -1,8 +1,14 @@ -############################################################################ -# Shorewall 2.6 -- /etc/shorewall/continue # -# Add commands below that you want to be executed after shorewall has -# cleared any existing Netfilter rules and has enabled existing connections. +# Shorewall version 2.6 - Continue File # -# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm +# /etc/shorewall/continue # +# Add commands below that you want to be executed after shorewall has +# cleared any existing Netfilter rules and has enabled existing +# connections. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/default.debian b/Shorewall/default.debian index f5eeaf87b..ca4ec8e3d 100644 --- a/Shorewall/default.debian +++ b/Shorewall/default.debian @@ -10,7 +10,7 @@ startup=0 # # Example: # wait_interface="ppp0" -# or +# or # wait_interface="ppp0 ppp1" # or, if you have defined in /etc/shorewall/params # wait_interface= diff --git a/Shorewall/ecn b/Shorewall/ecn index dad842aa1..6cbe9592e 100644 --- a/Shorewall/ecn +++ b/Shorewall/ecn 
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 - /etc/shorewall/ecn +# Shorewall version 2.6 - Ecn File +# +# /etc/shorewall/ecn # # Use this file to list the destinations for which you want to # disable ECN. # # This feature requires kernel 2.4.20 or later. If you run 2.4.20, -# you also need the patch found at http://www.shorewall.net/ecn/patch. +# you also need the patch found at http://www.shorewall.net/ecn/patch. # That patch is included in kernels 2.4.21 and later. # # INTERFACE - Interface through which host(s) communicate with @@ -17,6 +19,7 @@ # are also permitted. # # For additional information, see http://shorewall.net/Documentation.htm#ECN -############################################################################## +# +############################################################################### #INTERFACE HOST(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/firewall b/Shorewall/firewall index 9476b96f1..3e3412c84 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -97,7 +97,7 @@ report () { # $* = message # # Write the passed args to $RESTOREBASE # -save_command() +save_command() { echo "$@" >> $RESTOREBASE } @@ -105,9 +105,9 @@ save_command() # # Write a progress_message command to $RESTOREBASE # -save_progress_message() +save_progress_message() { - + echo >> $RESTOREBASE echo "progress_message \"$@\"" >> $RESTOREBASE echo >> $RESTOREBASE @@ -119,7 +119,7 @@ save_progress_message() # # run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" # -run_and_save_command() +run_and_save_command() { echo "$@" >> $RESTOREBASE eval $* @@ -128,7 +128,7 @@ run_and_save_command() # # Run the passed command and if it succeeds, save it in the restore script. If it fails, stop the firewall and die # -ensure_and_save_command() +ensure_and_save_command() { if eval $* ; then echo "$@" >> $RESTOREBASE 
@@ -136,7 +136,7 @@ ensure_and_save_command() [ -z "$stopping" ] && { stop_firewall; exit 2; } fi } - + # # Append a file in /var/lib/shorewall to $RESTOREBASE # @@ -588,7 +588,7 @@ first_chains() #$1 = interface # # Horrible hack to work around an iptables limitation # -iprange_echo() +iprange_echo() { if [ -f $TMP_DIR/iprange ]; then echo $@ @@ -625,9 +625,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst *) ;; esac - + echo "--set ${setname#+} $options" -} +} # # Source IP range @@ -689,7 +689,7 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range { local rangeprefix= setprefix= rangematch= setmatch= - case $1 in + case $1 in *.*.*.*-*.*.*.*) rangeprefix="-m iprange" rangematch="--src-range $1" @@ -707,7 +707,7 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range ;; esac - case $2 in + case $2 in *.*.*.*-*.*.*.*) rangeprefix="-m iprange" rangematch="$rangematch --dst-range $2" @@ -726,12 +726,12 @@ both_ip_ranges() # $1 = Source address or range, $2 = dest address or range esac echo "$rangeprefix $rangematch $setprefix $setmatch" -} +} # # Horrible hack to work around an iptables limitation # -physdev_echo() +physdev_echo() { if [ -f $TMP_DIR/physdev ]; then echo $@ @@ -784,7 +784,7 @@ match_dest_hosts() } # -# Similarly, the source or destination in a rule can be qualified by a device name. If +# Similarly, the source or destination in a rule can be qualified by a device name. If # the device is defined in /etc/shorewall/interfaces then a normal interface match is # generated (-i or -o); otherwise, a physdev match is generated. #------------------------------------------------------------------------------------- @@ -889,7 +889,7 @@ find_hosts() # $1 = host zone expandv hosts interface=${hosts%%:*} addresses=${hosts#*:} - for address in $(separate_list $addresses); do + for address in $(separate_list $addresses); do echo $interface:$address done fi 
@@ -1062,7 +1062,7 @@ validate_interfaces_file() { esac done done < $TMP_DIR/interfaces - + [ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined" } @@ -1071,21 +1071,21 @@ validate_interfaces_file() { # verify_mark() # $1 = value to test { - verify_mark1() + verify_mark1() { [ $1 -lt 256 ] } - + verify_mark2() { verify_mark1 $1 2> /dev/null } - + verify_mark2 $1 || fatal_error "Invalid Mark or Mask value: $1" } # -# Process the providers file +# Process the providers file # setup_providers() { @@ -1103,7 +1103,7 @@ setup_providers() done } - copy_and_edit_table() { + copy_and_edit_table() { run_ip route show table $duplicate | while read net route; do case $net in default|nexthop) @@ -1138,7 +1138,7 @@ setup_providers() if [ "x${duplicate:=-}" != x- ]; then if [ "x${copy:=-}" != "x-" ]; then - copy="$interface $(separate_list $copy)" + copy="$interface $(separate_list $copy)" copy_and_edit_table else copy_table @@ -1263,14 +1263,14 @@ EOF ensure_and_save_command ip route flush cache fi } - + # # Validate the zone names and options in the hosts file # validate_hosts_file() { local z hosts options r interface host option port ports - check_bridge_port() + check_bridge_port() { list_search $1 $ports || ports="$ports $1" list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}" @@ -1312,7 +1312,7 @@ validate_hosts_file() { *.*.*.*) ;; +*) - eval ${z}_is_complex=Yes + eval ${z}_is_complex=Yes ;; *) known_interface $host && \ @@ -1323,7 +1323,7 @@ validate_hosts_file() { else case $host in +*) - eval ${z}_is_complex=Yes + eval ${z}_is_complex=Yes ;; esac fi @@ -1353,7 +1353,7 @@ validate_hosts_file() { eval ${iface}_ports=\"$ports\" eval ${z}_ports=\"$zports\" fi - + done < $TMP_DIR/hosts [ -n "$all_ports" ] && echo " Bridge ports are: $all_ports" 
@@ -1596,7 +1596,7 @@ find_hosts_by_option() # $1 = option expandv hosts interface=${hosts%%:*} addresses=${hosts#*:} - for address in $(separate_list $addresses); do + for address in $(separate_list $addresses); do echo ${ipsec}^$interface:$address done fi @@ -1807,7 +1807,7 @@ process_routestopped() # $1 = command esac done fi - + done < $TMP_DIR/routestopped @@ -1864,7 +1864,7 @@ process_criticalhosts() ;; esac done - fi + fi done < $TMP_DIR/routestopped if [ -n "$criticalhosts" ]; then @@ -1873,12 +1873,12 @@ process_criticalhosts() fi } - + # # For each entry in the CRITICALHOSTS global list, add INPUT and OUTPUT rules to # enable traffic to/from those hosts. # -enable_critical_hosts() +enable_critical_hosts() { for host in $CRITICALHOSTS; do interface=${host%:*} @@ -1892,7 +1892,7 @@ enable_critical_hosts() # For each entry in the CRITICALHOSTS global list, delete the INPUT and OUTPUT rules that # enable traffic to/from those hosts. # -disable_critical_hosts() +disable_critical_hosts() { for host in $CRITICALHOSTS; do interface=${host%:*} @@ -1925,7 +1925,7 @@ stop_firewall() { [ -z "$RESTOREFILE" ] && RESTOREFILE=restore RESTOREPATH=/var/lib/shorewall/$RESTOREFILE - + if [ -x $RESTOREPATH ]; then if [ -x ${RESTOREPATH}-ipsets ]; then @@ -1946,7 +1946,7 @@ stop_firewall() { set_state "Started" else set_state "Unknown" - fi + fi my_mutex_off kill $$ @@ -2028,7 +2028,7 @@ stop_firewall() { setcontinue $chain done fi - + process_routestopped -A $IPTABLES -A INPUT -i lo -j ACCEPT @@ -2278,7 +2278,7 @@ setup_tunnels() # $1 = name of tunnels file pptpclient|PPTPCLIENT) setup_pptp_client $gateway ;; - pptpserver|PPTPSERVER) + pptpserver|PPTPSERVER) setup_pptp_server $gateway ;; openvpn|OPENVPN|openvpn:*|OPENVPN:*) @@ -2342,7 +2342,7 @@ setup_ipsec() { done fi } - + do_options() # $1 = _in, _out or "" - $2 = option list { local option opts newoptions= val 
@@ -2355,7 +2355,7 @@ setup_ipsec() { val=${option#*=} case $option in - mss=[0-9]*) set_mss $val $1 ;; + mss=[0-9]*) set_mss $val $1 ;; strict) newoptions="$newoptions --strict" ;; next) newoptions="$newoptions --next" ;; reqid=*) newoptions="$newoptions --reqid $val" ;; @@ -2414,7 +2414,7 @@ setup_ipsec() { fatal_error "Invalid IPSEC column value: $ipsec" ;; esac - + do_options "" $options do_options "_in" $in_options do_options "_out" $out_options @@ -2710,7 +2710,7 @@ delete_proxy_arp() { setup_nat() { local external= interface= internal= allints= localnat= policyin= policyout= - validate_one() #1 = Variable Name, $2 = Column name, $3 = value + validate_one() #1 = Variable Name, $2 = Column name, $3 = value { case $3 in Yes|yes) @@ -2804,7 +2804,7 @@ delete_nat() { # Setup Network Mapping (NETMAP) # setup_netmap() { - + while read type net1 interface net2 ; do expandv type net1 interface net2 @@ -2899,7 +2899,7 @@ process_tc_rule() case $source in $FW:*) chain=tcout - r="$(source_ip_range ${source#*:}) " + r="$(source_ip_range ${source#*:}) " ;; *.*.*|+*|!+*) r="$(source_ip_range $source) " @@ -2910,7 +2910,7 @@ process_tc_rule() $FW) chain=tcout ;; - *) + *) verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" r="$(match_source_dev) $source " ;; @@ -2923,7 +2923,7 @@ process_tc_rule() fatal_error "Invalid use of a user/group: rule \"$rule\"" r="$r-m owner" - + case "$user" in *+*) r="$r --cmd-owner ${user#*+} " @@ -2934,7 +2934,7 @@ process_tc_rule() case "$user" in *:*) temp="${user%:*}" - [ -n "$temp" ] && r="$r --uid-owner $temp " + [ -n "$temp" ] && r="$r --uid-owner $temp " temp="${user#*:}" [ -n "$temp" ] && r="$r --gid-owner $temp " ;; @@ -3037,7 +3037,7 @@ process_tc_rule() verify_mark $mark fi ;; - esac + esac case $testval in -) 
@@ -3152,7 +3152,7 @@ delete_tc() clear_one_tc() { run_and_save_command "tc qdisc del dev $1 root 2> /dev/null" - run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" + run_and_save_command "tc qdisc del dev $1 ingress 2> /dev/null" } @@ -3319,7 +3319,7 @@ process_accounting_rule() { if [ "$user1" != "!:" ]; then temp="${user1#!}" temp="${temp%:*}" - [ -n "$temp" ] && rule="$rule ! --uid-owner $temp " + [ -n "$temp" ] && rule="$rule ! --uid-owner $temp " temp="${user1#*:}" [ -n "$temp" ] && rule="$rule ! --gid-owner $temp " fi @@ -3327,7 +3327,7 @@ process_accounting_rule() { *:*) if [ "$user1" != ":" ]; then temp="${user1%:*}" - [ -n "$temp" ] && rule="$rule --uid-owner $temp " + [ -n "$temp" ] && rule="$rule --uid-owner $temp " temp="${user1#*:}" [ -n "$temp" ] && rule="$rule --gid-owner $temp " fi @@ -3381,7 +3381,7 @@ process_accounting_rule() { # setup_accounting() # $1 = Name of accounting file { - + echo "Setting up Accounting..." strip_file accounting $1 @@ -3399,7 +3399,7 @@ setup_accounting() # $1 = Name of accounting file } -# +# # Check the configuration # check_config() { @@ -3661,7 +3661,7 @@ add_an_action() log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi - + run_iptables2 -A $chain $proto $multiport $cli $sports \ $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target done @@ -3671,7 +3671,7 @@ add_an_action() log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dest_interface $dports) fi - + run_iptables2 -A $chain $proto $multiport $cli $dest_interface $sports \ $dports $ratelimit $userandgroup -j $target fi 
@@ -3744,7 +3744,7 @@ process_action() # $1 = chain (Chain to add the rules to) if [ "$userspec" != "!:" ]; then temp="${userspec#!}" temp="${temp%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" + [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" temp="${userspec#*:}" [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" fi @@ -3752,10 +3752,10 @@ process_action() # $1 = chain (Chain to add the rules to) *:*) if [ "$userspec" != ":" ]; then temp="${userspec%:*}" - [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" + [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" temp="${userspec#*:}" [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp" - fi + fi ;; !*) [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}" @@ -3813,7 +3813,7 @@ process_action() # $1 = chain (Chain to add the rules to) if [ -n "$XMULTIPORT" ] && \ ! list_search $protocol "icmp" "ICMP" "1" && \ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ - $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] + $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] then # # Extended MULTIPORT is enabled, and less than @@ -3880,7 +3880,7 @@ process_action() # $1 = chain (Chain to add the rules to) # # Create and record a log action chain -- Log action chains have names # that are formed from the action name by prepending a "%" and appending -# a 1- or 2-digit sequence number. In the functions that follow, +# a 1- or 2-digit sequence number. In the functions that follow, # the CHAIN, LEVEL and TAG variable serves as arguments to the user's # exit. We call the exit corresponding to the name of the action but we # set CHAIN to the name of the iptables chain where rules are to be added. 
@@ -3889,16 +3889,16 @@ process_action() # $1 = chain (Chain to add the rules to) # For each , we maintain two variables: # # _actchain - The action chain number.
-# _chains - List of ( level[:tag] , chainname ) pairs
+# _chains - List of ( level[:tag] , chainname ) pairs
 #
-# The maximum length of a chain name is 30 characters -- since the log
-# action chain name is 2-3 characters longer than the base chain name,
-# this function truncates the original chain name where necessary before
+# The maximum length of a chain name is 30 characters -- since the log
+# action chain name is 2-3 characters longer than the base chain name,
+# this function truncates the original chain name where necessary before
 # it adds the leading "%" and trailing sequence number. createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] {
- local actchain= action=$1 level=$2
+ local actchain= action=$1 level=$2
 eval actchain=\${${action}_actchain}
@@ -3910,7 +3910,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] CHAIN=${action} ;; esac
-
+
 [ "$COMMAND" != check ] && \ while havechain %${CHAIN}${actchain}; do actchain=$(($actchain + 1))
@@ -4000,13 +4000,13 @@ find_logactionchain() # $1 = Action, including log level and tag if any # # This function determines the logging for a subordinate action or a rule within a subordinate action
-#
+#
 merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called { local superior=$1 subordinate=$2
-
+
 set -- $(split $1)
-
+
 case $superior in *:*:*) case $2 in
@@ -4064,9 +4064,9 @@ merge_levels() # $1=level at which superior action is called, $2=level at which # This function substitutes the second argument for the first part of the first argument up to the first colon (":") #
-# Example:
+# Example:
 #
-# substitute_action DNAT PARAM:info:FTP
+# substitute_action DNAT PARAM:info:FTP
 # # produces "DNAT:info:FTP" #
@@ -4139,18 +4139,18 @@ map_old_action() # $1 = Potential Old Action # # a) The related action definition file is located and scanned. # b) Forward and unresolved action references are trapped as errors.
-# c) A dependency graph is created. For each , the variable 'requiredby_' lists the
+# c) A dependency graph is created. For each , the variable 'requiredby_' lists the
 # action[:level[:tag]] of each action invoked by .
-# d) All actions are listed in the global variable ACTIONS.
+# d) All actions are listed in the global variable ACTIONS.
 # e) Common actions are recorded (in variables of the name _common) and are added to the global # USEDACTIONS #
-# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an
+# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an
 # is merged onto this list, its action chain is created. Where logging is specified, a chain with the name # %n is used where the name is truncated on the right where necessary to ensure that the total # length of the chain name does not exceed 30 characters. #
-# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
+# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
 # USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created. # # The final phase (process_actions3) is to traverse the USEDACTIONS list populating each chain appropriately
@@ -4160,7 +4160,7 @@ map_old_action() # $1 = Potential Old Action process_actions1() { ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
-
+
 USEDACTIONS= strip_file actions
@@ -4190,13 +4190,13 @@ process_actions1() { esac [ -z "$xaction" ] && continue
-
+
 [ "$xaction" = "$(chain_base $xaction)" ] || startup_error "Invalid Action Name: $xaction" if ! list_search $xaction $ACTIONS; then f=action.$xaction fn=$(find_file $f)
-
+
 eval requiredby_${action}= if [ -f $fn ]; then
@@ -4232,7 +4232,7 @@ process_actions1() { f1=macro.${temp} fn=$(find_file $f1)
-
+
 if [ ! -f $TMP_DIR/$f1 ]; then # # We must only verify macros once to ensure that they don't invoke any non-standard actions
@@ -4241,7 +4241,7 @@ process_actions1() { strip_file $f1 $fn progress_message " ..Expanding Macro $fn..."
-
+
 while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do expandv mtarget temp="${mtarget%%:*}"
@@ -4251,9 +4251,9 @@ process_actions1() { *) rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" startup_error "Invalid TARGET in rule \"$rule\""
- esac
+ esac
 done < $TMP_DIR/$f1
-
+
 progress_message " ..End Macro" else rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
@@ -4262,7 +4262,7 @@ process_actions1() { fi fi ;;
-
+
 esac done < $TMP_DIR/$f else
@@ -4277,7 +4277,7 @@ process_actions1() { process_actions2() {
- local interfaces="$(find_interfaces_by_option upnp)"
+ local interfaces="$(find_interfaces_by_option upnp)"
 if [ -n "$interfaces" ]; then if ! list_search forwardUPnP $USEDACTIONS; then
@@ -4293,7 +4293,7 @@ process_actions2() { while [ -n "$changed" ]; do changed= for xaction in $USEDACTIONS; do
-
+
 eval required=\"\$requiredby_${xaction%%:*}\" for xaction1 in $required; do
@@ -4318,7 +4318,7 @@ process_actions2() { } process_actions3() {
-
+
 for xaction in $USEDACTIONS; do # # Find the chain associated with this action:level:tag
@@ -4362,7 +4362,7 @@ process_actions3() { log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address ;; esac
-
+
 run_iptables -A $xchain -d $address -j DROP done fi
@@ -4394,7 +4394,7 @@ process_actions3() { log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address ;; esac
-
+
 run_iptables -A $xchain -d $address -j ACCEPT done fi
@@ -4476,8 +4476,8 @@ process_actions3() { param= xtarget1=${xaction2%%:*}
-
- case $xtarget1 in
+
+ case $xtarget1 in
 ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) # # Builtin target -- Nothing to do
@@ -4515,7 +4515,7 @@ process_actions3() { progress_message "..Expanding Macro $(find_file macro.$xtarget1)..." while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
-
+
 mtarget=$(merge_levels $xaction2 $mtarget) case $mtarget in
@@ -4523,7 +4523,7 @@ process_actions3() { [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" ;; esac
-
+
 if [ -n "$mclients" ]; then case $mclients in -)
@@ -4722,7 +4722,7 @@ add_nat_rule() { log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) fi
-
+
 addnatrule $chain $proto $ratelimit $cli $sports \ -d $adr $multiport $dports -j $target1 done
@@ -5122,7 +5122,7 @@ process_rule() # $1 = target if [ "$userspec" != "!:" ]; then temp="${userspec#!}" temp="${temp%:*}"
- [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
+ [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
 temp="${userspec#*:}" [ -n "$temp" ] && userandgroup="$userandgroup ! --gid-owner $temp" fi
@@ -5130,10 +5130,10 @@ process_rule() # $1 = target *:*) if [ "$userspec" != ":" ]; then temp="${userspec%:*}"
- [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
+ [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
 temp="${userspec#*:}" [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp"
- fi
+ fi
 ;; !*) [ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
@@ -5270,7 +5270,7 @@ process_rule() # $1 = target fatal_error "Rules may not override a NONE policy: rule \"$rule\"" # Create the canonical chain if it doesn't already exist
-
+
 [ $COMMAND = check ] || ensurechain $chain # Generate Netfilter rule(s)
@@ -5442,7 +5442,7 @@ process_macro() # $1 = target PARAM|PARAM:*) [ -n "$param" ] && mtarget=$(substitute_action $param $mtarget) || fatal_error "PARAM requires that a parameter be supplied in macro invocation" ;;
- esac
+ esac
 if [ -n "$mclients" ]; then case $mclients in
@@ -5480,7 +5480,7 @@ process_macro() # $1 = target process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec done < $TMP_DIR/macro.${itarget%%:*}
-
+
 progress_message "..End Macro" }
@@ -5516,7 +5516,7 @@ process_rules() # $1 = "Yes" if the target is a macro. } do_it() # $1 = "Yes" if the target is a macro.
- {
+ {
 expandv xprotocol xports xcports xaddress xratelimit xuserspec if [ "x$xclients" = xall ]; then
@@ -5563,11 +5563,11 @@ process_rules() # $1 = "Yes" if the target is a macro. fi xtarget=$(find_logactionchain $xtarget)
- do_it No
+ do_it No
 else xtarget1=$(map_old_action ${xtarget%%:*})
- case $xtarget1 in
+ case $xtarget1 in
 */*) xparam=${xtarget1#*/} xtarget1=${xtarget1%%/*}
@@ -5579,7 +5579,7 @@ process_rules() # $1 = "Yes" if the target is a macro. esac f=macro.$xtarget1
-
+
 if [ -f $TMP_DIR/$f ]; then do_it Yes else
@@ -5810,7 +5810,7 @@ policy_rules() # $1 = chain to add rules to case $3 in QUEUE)
- run_iptables -I $1 -m state --state RELATED -j ACCEPT
+ run_iptables -I $1 -m state --state RELATED -j ACCEPT
 run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE ;; ACCEPT)
@@ -5826,11 +5826,11 @@ policy_rules() # $1 = chain to add rules to [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common ;; REJECT)
- [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
+ [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
 target=reject ;; QUEUE)
- [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
+ [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
 ;; CONTINUE) target=
@@ -5841,7 +5841,7 @@ policy_rules() # $1 = chain to add rules to esac if [ $# -eq 4 -a "x${4}" != "x-" ]; then
- log_rule $4 $1 $2
+ log_rule $4 $1 $2
 fi [ -n "$target" ] && run_iptables -A $1 -j $target
@@ -5866,7 +5866,7 @@ default_policy() # $1 = client $2 = server jump_to_policy_chain() { #
- # Insert a rule of ESTABLISHED,RELATED packets at the head of the
+ # Insert a rule of ESTABLISHED,RELATED packets at the head of the
 # canonical chain. # # Add a jump to from the canonical chain to the policy chain. On return,
@@ -5893,7 +5893,7 @@ default_policy() # $1 = client $2 = server # eval policy=\$${chain1}_policy eval loglevel=\$${chain1}_loglevel
- eval synparams=\$${chain1}_synparams
+ eval synparams=\$${chain1}_synparams
 eval epolicy=\$${chain1}_epolicy # # Add the appropriate rules to the canonical chain ($chain) to enforce
@@ -5982,7 +5982,7 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone if [ -n "$policychain" ]; then eval policy=\$${policychain}_policy eval loglevel=\$${policychain}_loglevel
- eval
+ eval policy_rules $1 $policy NONE $loglevel else
@@ -6064,7 +6064,7 @@ setup_routes() setup_masq() { do_ipsec_options() {
- local options="$(separate_list $ipsec)" option
+ local options="$(separate_list $ipsec)" option
 policy="-m policy --pol ipsec --dir out" for option in $options; do
@@ -6186,7 +6186,7 @@ setup_masq() if [ -n "$address" ]; then for addr in $(ip_range_explicit ${address%:*}) ; do if ! list_search $addr $aliases_to_add; then
- [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface
+ [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface
 aliases_to_add="$aliases_to_add $addr $fullinterface" case $fullinterface in *:*)
@@ -6244,7 +6244,7 @@ setup_masq() [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" ;; esac
-
+
 proto="-p $proto" else displayproto="(all)"
@@ -6373,7 +6373,7 @@ setup_masq() for destnet in $(separate_list $destnets); do addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist done
-
+
 if [ -n "$addresses" ]; then progress_message " To $destination $displayproto from $source through ${interface} using $addresses" else
@@ -6523,7 +6523,7 @@ setup_blacklist() { for chain in $(first_chains $interface); do run_iptables -A $chain $state $(match_source_hosts $network) $policy -j blacklst done
-
+
 [ $network = 0/0.0.0.0 ] && network= || network=":$network" progress_message " Blacklisting enabled on ${interface}${network}"
@@ -6608,7 +6608,7 @@ add_ip_aliases() { local addresses external interface inet cidr rest val arping=$(mywhich arping)
- address_details()
+ address_details()
 { # # Folks feel uneasy if they don't see all of the same
@@ -6617,7 +6617,7 @@ add_ip_aliases() # the anxiety level, we have the following code which sets # the VLSM and BRD from an existing address in the same networks #
- # Get all of the lines that contain inet addresses with broadcast
+ # Get all of the lines that contain inet addresses with broadcast
 # ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do case $cidr in
@@ -6705,7 +6705,7 @@ save_load_kernel_modules() ;; esac done < $modules
-
+
 save_command __EOF__ save_command ""
@@ -6718,7 +6718,7 @@ verify_ip() { startup_error "Shorewall $version requires the iproute package ('ip' utility)" }
-#
+#
 # Determine which optional facilities are supported by iptables/netfilter # determine_capabilities() {
@@ -6749,14 +6749,14 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
-
+
 qt $IPTABLES -t mangle -N fooX1234 qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes qt $IPTABLES -t mangle -F fooX1234 qt $IPTABLES -t mangle -X fooX1234
-
+
 if qt mywhich ipset; then qt ipset -X fooX1234 # Just in case something went wrong the last time
@@ -6773,7 +6773,7 @@ determine_capabilities() { if [ -n "$PKTTYPE" ]; then qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= fi
-
+
 qt $IPTABLES -F fooX1234 qt $IPTABLES -X fooX1234 }
@@ -6891,11 +6891,11 @@ initialize_netfilter () { exists_INPUT=Yes exists_OUTPUT=Yes exists_FORWARD=Yes
-
+
 process_criticalhosts if [ -n "$CRITICALHOSTS" ]; then
-
+
 setpolicy INPUT ACCEPT setpolicy OUTPUT ACCEPT setpolicy FORWARD DROP
@@ -6950,7 +6950,7 @@ initialize_netfilter () { # run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
-
+
 # # Allow DNS lookups during startup for FQDNs
@@ -7072,7 +7072,7 @@ add_common_rules() { # for address in $broadcasts ; do run_iptables -A reject -s $address -j DROP
- done
+ done
 run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset run_iptables -A reject -p udp -j REJECT
@@ -7166,10 +7166,10 @@ add_common_rules() { # We'll generate two chains - one for source and one for destination # chain=rfc1918d
- createchain $chain no
+ createchain $chain no
 elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then #
- # Mangling is enabled but conntrack match isn't available --
+ # Mangling is enabled but conntrack match isn't available --
 # create a chain in the mangle table to filter RFC1918 destination # addresses. This must be done in the mangle table before we apply # any DNAT rules in the nat table
@@ -7218,7 +7218,7 @@ add_common_rules() { done < $TMP_DIR/rfc1918 [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
-
+
 for host in $hosts; do ipsec=${host%^*} host=${host#*^}
@@ -7249,10 +7249,10 @@ add_common_rules() { [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ] || LOGPARMS="$LOGPARMS --log-ip-options"
- log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION
+ log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION
 LOGPARMS="$savelogparms"
-
+
 case $TCP_FLAGS_DISPOSITION in REJECT) run_iptables -A logflags -j REJECT --reject-with tcp-reset
@@ -7518,7 +7518,7 @@ apply_policy_rules() { # # Activate the rules
-#
+#
 activate_rules() { local PREROUTING_rule=1
@@ -7554,14 +7554,14 @@ activate_rules() eval run_iptables2 -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
- else
+ else
 [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange fi
- }
+ }
- #
+ #
 # Create a dynamic chain for a zone and jump to it from a second chain # create_zone_dyn_chain() # $1 = zone, $2 = second chain
@@ -7621,7 +7621,7 @@ activate_rules() for host in $source_hosts; do interface=${host%%:*} networks=${host#*:}
-
+
 run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain done fi
@@ -7721,7 +7721,7 @@ activate_rules() routeback= num_ifaces=0 fi
-
+
 if [ -n "$complex" ]; then for host1 in $dest_hosts; do interface1=${host1%%:*}
@@ -7738,9 +7738,9 @@ activate_rules() for host in $source_hosts; do interface=${host%%:*} networks=${host#*:}
-
+
 chain3=$(forward_chain $interface)
-
+
 for host1 in $dest_hosts; do interface1=${host1%%:*} networks1=${host1#*:}
@@ -7795,7 +7795,7 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done
-
+
 process_routestopped -D if [ -n "$LOGALLNEW" ]; then
@@ -7952,7 +7952,7 @@ define_firewall() # $1 = Command (Start or Restart) rm -rf $TMP_DIR mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
- mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
+ mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
 } #
@@ -8089,7 +8089,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone error_message "$h already in zone $zone" fi done
-
+
 [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" fi
@@ -8138,7 +8138,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone for h in $dest_hosts; do iface=${h%%:*} hosts=${h#*:}
-
+
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain fi
@@ -8169,9 +8169,9 @@ add_to_zone() # $1...${n-1} = [:] $n = zone fi fi done < /var/lib/shorewall/chains
-
+
 progress_message "$newhost added to zone $zone"
-
+
 done rm -rf $TMP_DIR
@@ -8185,7 +8185,7 @@ delete_from_zone() # $1 = [:] $2 = zone local interface host zone z h z1 z2 chain delhost local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces local rulenum source_chain dest_hosts iface hosts hostlist=
-
+
 # # Load $zones #
@@ -8202,7 +8202,7 @@ delete_from_zone() # $1 = [:] $2 = zone # Validate IPSec File # f=$(find_file ipsec)
-
+
 [ -f $f ] && setup_ipsec $f #
@@ -8255,7 +8255,7 @@ delete_from_zone() # $1 = [:] $2 = zone if [ "$z" = "$zone" ]; then temp=$hosts hosts=
-
+
 for host in $hostlist; do found= for h in $temp; do
@@ -8312,11 +8312,11 @@ delete_from_zone() # $1 = [:] $2 = zone eval dest_hosts=\"\$${z2}_hosts\" [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
-
+
 for h in $dest_hosts; do iface=${h%%:*} hosts=${h#*:}
-
+
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain fi
@@ -8328,7 +8328,7 @@ delete_from_zone() # $1 = [:] $2 = zone qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain else eval source_hosts=\"\$${z1}_hosts\"
-
+
 for h in $source_hosts; do iface=${h%%:*} hosts=${h#*:}
@@ -8348,7 +8348,7 @@ delete_from_zone() # $1 = [:] $2 = zone progress_message "$delhost removed from zone $zone" done
-
+
 rm -rf $TMP_DIR }
@@ -8402,7 +8402,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value # Initialize this program # do_initialize() {
-
+
 # Run all utility programs using the C locale # # Thanks to Vincent Planchenault for this tip #
@@ -8532,7 +8532,7 @@ do_initialize() { ensure_config_path # # Determine the capabilities of the installed iptables/netfilter
- # We load the kernel modules here to accurately determine
+ # We load the kernel modules here to accurately determine
 # capabilities when module autoloading isn't enabled. #
@@ -8584,7 +8584,7 @@ do_initialize() { fi [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP
-
+
 case "$CLAMPMSS" in [0-9]*) ;;
@@ -8592,7 +8592,7 @@ do_initialize() { CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) ;; esac
-
+
 ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
@@ -8644,7 +8644,7 @@ do_initialize() { else CLEAR_TC= fi
-
+
 if [ -n "$LOGFORMAT" ]; then if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then LOGRULENUMBERS=Yes
@@ -8674,7 +8674,7 @@ do_initialize() { LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
- MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
+ MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
 case ${IPSECFILE:=ipsec} in ipsec|zones)
@@ -8696,7 +8696,7 @@ do_initialize() { # [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
- temp=$(decodeaddr 192.168.1.1)
+ temp=$(decodeaddr 192.168.1.1)
 if [ $(encodeaddr $temp) != 192.168.1.1 ]; then startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fi
@@ -8737,7 +8737,7 @@ case "$COMMAND" in # # Don't want to do a 'stop' when startup is disabled #
- check_disabled_startup
+ check_disabled_startup
 echo -n "Stopping Shorewall..." stop_firewall [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
diff --git a/Shorewall/functions b/Shorewall/functions
index 18a7016fb..b116c040e 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -128,7 +128,7 @@ ensure_config_path() { . $F fi }
-
+
 # # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall #
@@ -245,7 +245,7 @@ loadmodule() # $1 = module name, $2 - * arguments local suffix moduleloader=modprobe
- if ! qt mywhich modprobe; then
+ if ! qt mywhich modprobe; then
 moduleloader=insmod fi
@@ -278,7 +278,7 @@ reload_kernel_modules() { [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
- while read command; do
+ while read command; do
 eval $command done
@@ -398,8 +398,8 @@ mktempfile() { # mktempdir() {
- [ -z "$MKTEMP" ] && find_mktemp
-
+ [ -z "$MKTEMP" ] && find_mktemp
+
 case "$MKTEMP" in STD) mktemp -td shorewall.XXXXXX
@@ -483,7 +483,7 @@ decodeaddr() { local x local temp=0 local ifs=$IFS
-
+
 IFS=. for x in $1; do
@@ -517,7 +517,7 @@ encodeaddr() { # # Comes in two flavors: #
-# ip_range() - produces a mimimal list of network/host addresses that spans
+# ip_range() - produces a mimimal list of network/host addresses that spans
 # the range. # # ip_range_explicit() - explicitly enumerates the range.
@@ -571,7 +571,7 @@ ip_range() { ip_range_explicit() { local first last
- case $1 in
+ case $1 in
 [0-9]*.*.*.*-*.*.*.*) ;; *)
@@ -700,7 +700,7 @@ if_match() # $1 = Name in interfaces file - may end in "+" # $2 = Full interface name - may also end in "+" { local pattern=${1%+}
-
+
 case $1 in *+) test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
@@ -721,7 +721,7 @@ find_device() { shift done }
-
+
 # # Find the value 'via' in the passed arguments then echo the next value #
@@ -732,7 +732,7 @@ find_gateway() { shift done }
-
+
 # # Find the value 'peer' in the passed arguments then echo the next value up to # "/"
@@ -744,7 +744,7 @@ find_peer() { shift done }
-
+
 # # Find the interfaces that have a route to the passed address - the default # route is not used.
@@ -768,12 +768,12 @@ find_rt_interface() { } #
-# Try to find the gateway through an interface looking for 'nexthop'
+# Try to find the gateway through an interface looking for 'nexthop'
 find_nexthop() # $1 = interface { echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
-}
+}
 # # Find the default route's interface
diff --git a/Shorewall/help b/Shorewall/help
index 9885d64b8..65a31a7ea 100755
--- a/Shorewall/help
+++ b/Shorewall/help
@@ -51,11 +51,11 @@ add) ;; address|host)
- echo "<$1>:
+ echo "<$1>:
 May be either a host IP address such as 192.168.1.4 or a network address in CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange match support then IP address ranges of the form -
- are also permitted. If your kernel and iptables contain ipset match support
+ are also permitted. If your kernel and iptables contain ipset match support
 then you may specify the name of an ipset prefaced by "+". The name of the ipsec may be optionally followed by a number of levels of ipset bindings (1 - 6) that are to be followed"
@@ -141,7 +141,7 @@ dump) shorewall [-x] dump Produce a verbose report about the firewall for problem analysis.
-
+
 (iptables -L -n -) When -x is given, that option is also passed to iptables to display actual packet and byte counts."
@@ -215,22 +215,22 @@ restart) safe-restart) echo "safe-restart: safe-restart
- Restart the same way as a shorewall restart except that previous firewall
+ Restart the same way as a shorewall restart except that previous firewall
 configuration is backed up and will be restored if you notice any anomalies or you are not able to reach the firewall any more." ;; safe-start) echo "safe-start: safe-start
- Start the same way as a shorewall start except that in case of anomalies
+ Start the same way as a shorewall start except that in case of anomalies
 shorewall clear is issued. " ;; restore) echo "restore: restore [ ] Restore Shorewall to a state saved using the 'save' command
- Existing connections are maintained. The names a restore file in
- /var/lib/shorewall created using "shorewall save"; if no is given
+ Existing connections are maintained. The names a restore file in
+ /var/lib/shorewall created using "shorewall save"; if no is given
 then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf.
@@ -239,7 +239,7 @@ restore) save) echo "save: save [ ]
- The dynamic data is stored in /var/lib/shorewall/save. The state of the
+ The dynamic data is stored in /var/lib/shorewall/save. The state of the
 firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' and 'shorewall -f start' commands. If is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf.
@@ -305,8 +305,8 @@ status) Displays the Shorewall status (running/not-running). Also displays the Shorewall state as shown in the state diagram at
- http://www.shorewall.net/starting_and_stopping_shorewall. The time and
- date when that state was reached is also displayed."
+ http://www.shorewall.net/starting_and_stopping_shorewall. The time and
+ date when that state was reached is also displayed."
 ;; trace)
diff --git a/Shorewall/hosts b/Shorewall/hosts
index 2980a3bf5..2c09ad7dd 100644
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
@@ -1,5 +1,7 @@ #
-# Shorewall 2.6 - /etc/shorewall/hosts
+# Shorewall version 2.6 - Hosts file
+#
+# /etc/shorewall/hosts
 # # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@@ -17,7 +19,7 @@ # The order of entries in this file is not significant in # determining zone composition. Rather, the order that the zones # are defined in /etc/shorewall/zones determines the order in
-# which the records in this file are interpreted.
+# which the records in this file are interpreted.
 # # ZONE - The name of a zone defined in /etc/shorewall/zones #
@@ -37,7 +39,8 @@ # be defined in /etc/shorewall/interfaces and may # optionally followed by a colon (":") and a # host or network IP or a range.
-# See http://www.shorewall.net/Bridge.html for details.
+# See http://www.shorewall.net/Bridge.html
+# for details.
 # e) The name of an ipset (preceded by "+"). # # Examples:
@@ -60,19 +63,20 @@ # an ethernet NIC and must be up before # Shorewall is started. #
-# routeback - Shorewall should set up the infrastructure
-# to pass packets from this/these
-# address(es) back to themselves. This is
-# necessary if hosts in this group use the
-# services of a transparent proxy that is
+# routeback - Shorewall should set up the
+# infrastructure to pass packets
+# from this/these address(es) back
+# to themselves. This is necessary if
+# hosts in this group use the services
+# of a transparent proxy that is
 # a member of the group or if DNAT is used
-# to send requests originating from this
+# to send requests originating from this
 # group to a server in the group. # # norfc1918 - This option only makes sense for ports # on a bridge. #
-# The port should not accept
+# The port should not accept
 # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable"
@@ -100,7 +104,7 @@ # # nosmurfs - This option only makes sense for ports # on a bridge.
-#
+#
 # Filter packets for smurfs # (packets with a broadcast # address as the source).
@@ -110,24 +114,26 @@ # shorewall.conf. After logging, the # packets are dropped. #
-# newnotsyn - TCP packets that don't have the SYN
+# newnotsyn - TCP packets that don't have the SYN
 # flag set and which are not part of an # established connection will be accepted
-# from these hosts, even if
+# from these hosts, even if
 # NEWNOTSYN=No has been specified in # /etc/shorewall/shorewall.conf. #
-# This option has no effect if
+# This option has no effect if
 # NEWNOTSYN=Yes. #
-# ipsec - The zone is accessed via a
+# ipsec - The zone is accessed via a
 # kernel 2.6 ipsec SA. Note that if the
-# zone named in the ZONE column is
+# zone named in the ZONE column is
 # specified as an IPSEC zone in the
-# /etc/shorewall/zones file then you do NOT
-# need to specify the 'ipsec' option here.
+# /etc/shorewall/zones file then you
+# do NOT need to specify the 'ipsec'
+# option here.
 # # For additional information, see http://shorewall.net/Documentation.htm#Hosts #
-#ZONE HOST(S) OPTIONS
+###############################################################################
+#ZONE HOST(S) OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/init b/Shorewall/init
index 4abff4c54..117a3063c 100644
--- a/Shorewall/init
+++ b/Shorewall/init
@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/init
 #
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
+# Shorewall version 2.4 - Init File
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# /etc/shorewall/init
 #
+# Add commands below that you want to be executed at the beginning of
+# a "shorewall start" or "shorewall restart" command.
+#
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
+#
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/init.debian.sh b/Shorewall/init.debian.sh
index d4ca5dc98..232736a47 100755
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -9,7 +9,7 @@ OPTIONS="-f" test -x $SRWL || exit 0 test -n $INITLOG || {
- echo "INITLOG cannot be empty, please configure $0" ;
+ echo "INITLOG cannot be empty, please configure $0" ;
 exit 1; }
@@ -21,9 +21,9 @@ fi echo_notdone () {
- if [ "$INITLOG" = "/dev/null" ] ; then
+ if [ "$INITLOG" = "/dev/null" ] ; then
 "not done."
- else
+ else
 "not done (check $INITLOG)." fi
@@ -62,7 +62,7 @@ else not_configured fi
-# wait an unconfigured interface
+# wait an unconfigured interface
 wait_for_pppd () { if [ "$wait_interface" != "" ] then
diff --git a/Shorewall/initdone b/Shorewall/initdone
index 080bc7757..41eb4d2e0 100755
--- a/Shorewall/initdone
+++ b/Shorewall/initdone
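Review bot: The rewritten header of Shorewall/init reads `# Shorewall version 2.4 - Init File`, while the line it replaces said 2.6 and the initdone, interfaces and hosts headers rewritten in this same commit all say `version 2.6`; this looks like a copy-paste regression rather than an intentional downgrade. Since these headers are what an administrator uses to confirm the extension script matches the installed release, the line should read `# Shorewall version 2.6 - Init File`. The new trailing `#LAST LINE -- ... -- DO NOT REMOVE` marker is consistent with the other files in the commit and needs no change.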
@@ -1,9 +1,14 @@ -############################################################################ -# Shorewall 2.6 -- /etc/shorewall/initdone # -# Add commands below that you want to be executed during -# "shorewall start" or "shorewall restart" commands at the point where -# Shorewall has not yet added any perminent rules to the builtin chains. +# Shorewall version 2.6 - Initdone File # -# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm +# /etc/shorewall/initdone # +# Add commands below that you want to be executed during +# "shorewall start" or "shorewall restart" commands at the point where +# Shorewall has not yet added any perminent rules to the builtin chains. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 75f707858..2313fdca1 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 2.6 -- Interfaces File +# Shorewall version 2.6 - Interfaces File # # /etc/shorewall/interfaces # @@ -25,7 +25,7 @@ # interfaces, use 'ppp+'. # # There is no need to define the loopback interface (lo) -# in this file. +# in this file. # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this 
@@ -49,14 +49,14 @@ # dhcp - Specify this option when any of # the following are true: # 1. the interface gets its IP address -# via DHCP +# via DHCP # 2. the interface is used by -# a DHCP server running on the firewall +# a DHCP server running on the firewall # 3. you have a static IP but are on a LAN -# segment with lots of Laptop DHCP +# segment with lots of Laptop DHCP # clients. # 4. the interface is a bridge with -# a DHCP server on one port and DHCP +# a DHCP server on one port and DHCP # clients on another port. # # norfc1918 - This interface should not receive @@ -71,7 +71,7 @@ # # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This -# option can also be enabled globally in +# option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. # # logmartians - turn on kernel martian logging (logging 
@@ -112,30 +112,31 @@ # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # -# newnotsyn - TCP packets that don't have the SYN +# newnotsyn - TCP packets that don't have the SYN # flag set and which are not part of an # established connection will be accepted -# from this interface, even if +# from this interface, even if # NEWNOTSYN=No has been specified in # /etc/shorewall/shorewall.conf. In other -# words, packets coming in on this interface -# are processed as if NEWNOTSYN=Yes had been -# specified in /etc/shorewall/shorewall.conf. +# words, packets coming in on this +# interface are processed as if +# NEWNOTSYN=Yes had been specified in +# /etc/shorewall/shorewall.conf. # -# This option has no effect if +# This option has no effect if # NEWNOTSYN=Yes. # # It is the opinion of the author that -# NEWNOTSYN=No creates more problems than -# it solves and I recommend against using -# that setting in shorewall.conf (hence +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence # making the use of the 'newnotsyn' # interface option unnecessary). # # routeback - If specified, indicates that Shorewall -# should include rules that allow filtering -# traffic arriving on this interface back -# out that same interface. +# should include rules that allow +# filtering traffic arriving on this +# interface back out that same interface. # # arp_filter - If specified, this interface will only # respond to ARP who-has requests for IP 
@@ -143,39 +144,39 @@ # If not specified, the interface can # respond to ARP who-has requests for # IP addresses on any of the firewall's -# interface. The interface must be up +# interface. The interface must be up # when Shorewall is started. # # arp_ignore[=] -# - If specified, this interface will +# - If specified, this interface will # respond to arp requests based on the -# value of . +# value of . # -# 1 - reply only if the target IP address -# is local address configured on the -# incoming interface +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface # -# 2 - reply only if the target IP address -# is local address configured on the -# incoming interface and both with the -# sender's IP address are part from same -# subnet on this interface +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface # -# 3 - do not reply for local addresses -# configured with scope host, only -# resolutions for global and link -# addresses are replied +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied # -# 4-7 - reserved +# 4-7 - reserved # -# 8 - do not reply for all local -# addresses +# 8 - do not reply for all local +# addresses # -# If no is given then the value -# 1 is assumed +# If no is given then the value +# 1 is assumed # -# WARNING -- DO NOT SPECIFY arp_ignore -# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. # # nosmurfs - Filter packets for smurfs # (packets with a broadcast 
@@ -190,18 +191,18 @@ # in the ZONE column to include only those # hosts routed through the interface. # -# upnp - Incoming requests from this interface may -# be remapped via UPNP (upnpd). +# upnp - Incoming requests from this interface +# may be remapped via UPNP (upnpd). # -# WARNING: DO NOT SET THE detectnets OPTION ON YOUR -# INTERNET INTERFACE. +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE. # # The order in which you list the options is not # significant but the list should have no embedded white # space. # # GATEWAY This column is only meaningful if the 'default' OPTION -# is given -- it is ignored otherwise. You may specify +# is given -- it is ignored otherwise. You may specify # the default gateway IP address for this interface here # and Shorewall will use that IP address rather than any # that it finds in the main routing table. @@ -231,9 +232,9 @@ # # net ppp0 - # -# For additional information, see http://shorewall.net/Documentation.htm#Interfaces -# -############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS GATEWAY +# For additional information, see +# http://shorewall.net/Documentation.htm#Interfaces # +############################################################################### +#ZONE INTERFACE BROADCAST OPTIONS GATEWAY #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/ipsec b/Shorewall/ipsec index 8ec38bf90..9537ea736 100644 --- a/Shorewall/ipsec +++ b/Shorewall/ipsec @@ -1,7 +1,7 @@ # -# The /etc/shorewall/ipsec file is obsolete -- the information +# The /etc/shorewall/ipsec file is obsolete -- the information # previously contained in this file is now placed in the # /etc/shorewall/zones file. # # See the IPSECFILE option in shorewall.conf for further information. - +# diff --git a/Shorewall/ipsecvpn b/Shorewall/ipsecvpn index 74d031157..8d56a58f3 100644 --- a/Shorewall/ipsecvpn +++ b/Shorewall/ipsecvpn 
@@ -54,7 +54,7 @@ NETWORKS="192.168.1.0/24" # CERTS=/etc/certs # -# Certificate to be used for this connection. The cert +# Certificate to be used for this connection. The cert # directory must contain: # # ${CERT}.pem - the certificate @@ -180,14 +180,14 @@ make_racoon_conf() { # # Make a setkey configuration file using the variables above # -make_setkey_conf() +make_setkey_conf() { echo "flush;" echo "spdflush;" echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" - + for network in $NETWORKS; do echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" @@ -197,7 +197,7 @@ make_setkey_conf() # # Start the Tunnel # -start() +start() { # # Get the first IP address configured on the device in INTERFACE @@ -242,7 +242,7 @@ start() # # Stop the Tunnel # -stop() +stop() { # # Kill any racoon daemons @@ -257,7 +257,7 @@ stop() # # Display command syntax and abend # -usage() +usage() { error_message "usage: $(basename $0) [start|stop|restart]" exit 1 @@ -286,7 +286,7 @@ case $1 in esac - + diff --git a/Shorewall/maclist b/Shorewall/maclist index bed3465e4..72e8de3da 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,13 +1,13 @@ # -# Shorewall 2.6 - MAC list file +# Shorewall version 2.6 - Maclist file +# +# /etc/shorewall/maclist # # This file is used to define the MAC addresses and optionally their # associated IP addresses to be allowed to use the specified interface. # The feature is enabled by using the maclist option in the interfaces # or hosts configuration file. # -# /etc/shorewall/maclist -# # Columns are: # # INTERFACE Network interface to a host. If the interface 
@@ -21,11 +21,11 @@ # IP ADDRESSES Optional -- if specified, both the MAC and IP address # must match. This column can contain a comma-separated # list of host and/or subnet addresses. If your kernel -# and iptables have iprange match support then IP +# and iptables have iprange match support then IP # address ranges are also allowed. # # For additional information, see http://shorewall.net/MAC_Validation.html # -############################################################################## -#INTERFACE MAC IP ADDRESSES (Optional) +############################################################################### +#INTERFACE MAC IP ADDRESSES (Optional) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/macro.AllowICMPs b/Shorewall/macro.AllowICMPs index 81207766f..e4ecfdadb 100644 --- a/Shorewall/macro.AllowICMPs +++ b/Shorewall/macro.AllowICMPs @@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs +# Shorewall version 2.6 - AllowICMPs Macro +# +# /usr/share/shorewall/macro.AllowICMPs # # ACCEPT needed ICMP types # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -# -ACCEPT - - icmp fragmentation-needed -ACCEPT - - icmp time-exceeded +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +ACCEPT - - icmp fragmentation-needed +ACCEPT - - icmp time-exceeded +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Amanda b/Shorewall/macro.Amanda index 15a78c0ba..cf9aabc0f 100644 --- a/Shorewall/macro.Amanda +++ b/Shorewall/macro.Amanda 
@@ -1,10 +1,12 @@ # -# Shorewall macro.Amanda +# Shorewall version 2.6 - Amanda Macro +# +# /usr/share/shorewall/macro.Amanda # # This macro handles connections to the AMANDA backup system. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - udp 10080 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 10080 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Auth b/Shorewall/macro.Auth index d27667026..a0a25889a 100644 --- a/Shorewall/macro.Auth +++ b/Shorewall/macro.Auth @@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Auth +# Shorewall version 2.6 - Auth Macro +# +# /usr/share/shorewall/macro.Auth # # This macro handles Auth (identd) traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 113 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 113 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.BitTorrent b/Shorewall/macro.BitTorrent index 173078cec..0ce0d0438 100644 --- a/Shorewall/macro.BitTorrent +++ b/Shorewall/macro.BitTorrent 
@@ -1,10 +1,12 @@ # -# Shorewall macro.BitTorrent +# Shorewall version 2.6 - BitTorrent Macro +# +# /usr/share/shorewall/macro.BitTorrent # # This macro handles BitTorrent traffic. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 6881:6889 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 6881:6889 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.CVS b/Shorewall/macro.CVS index 27e237cfc..5d94abfc8 100644 --- a/Shorewall/macro.CVS +++ b/Shorewall/macro.CVS @@ -1,10 +1,12 @@ # -# Shorewall macro.CVS +# Shorewall version 2.6 - CVS Macro +# +# /usr/share/shorewall/macro.CVS # # This macro handles connections to the CVS pserver. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 2401 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 2401 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.DNS b/Shorewall/macro.DNS index 8d8cda0a6..970b0d249 100644 --- a/Shorewall/macro.DNS +++ b/Shorewall/macro.DNS 
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.DNS +# Shorewall version 2.6 - DNS Macro +# +# /usr/share/shorewall/macro.DNS # # This macro handles DNS traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 53 -PARAM - - tcp 53 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 53 +PARAM - - tcp 53 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Distcc b/Shorewall/macro.Distcc index 9454e981d..2a8e3245e 100644 --- a/Shorewall/macro.Distcc +++ b/Shorewall/macro.Distcc @@ -1,11 +1,13 @@ # -# Shorewall macro.Distcc +# Shorewall version 2.6 - Distoc Macro +# +# /usr/share/shorewall/macro.Distcc # # This macro handles connections to the Distributed Compiler # service. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 3632 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 3632 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.DropDNSrep b/Shorewall/macro.DropDNSrep index 56d793eb5..23e8d570b 100644 --- a/Shorewall/macro.DropDNSrep +++ b/Shorewall/macro.DropDNSrep 
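Review bot: The new title line `+# Shorewall version 2.6 - Distoc Macro` misspells the macro name; the path on the following added line and the file itself are both `macro.Distcc`. Change it to `# Shorewall version 2.6 - Distcc Macro`.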
@@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep +# Shorewall version 2.6 - DropDNSrep Macro +# +# /usr/share/shorewall/macro.DropDNSrep # # This macro silently drops DNS UDP replies # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -DROP - - udp - 53 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +DROP - - udp - 53 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.DropUPnP b/Shorewall/macro.DropUPnP index 6f8b3bdb5..9ca0ab549 100644 --- a/Shorewall/macro.DropUPnP +++ b/Shorewall/macro.DropUPnP @@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP +# Shorewall version 2.6 - DropUPnP Macro +# +# /usr/share/shorewall/macro.DropUPnP # # This macro silently drops UPnP probes on UDP port 1900 # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -DROP - - udp 1900 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +DROP - - udp 1900 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Edonkey b/Shorewall/macro.Edonkey index 7ac7f0517..cd121d199 100644 --- a/Shorewall/macro.Edonkey +++ b/Shorewall/macro.Edonkey 
@@ -1,31 +1,35 @@ # -# Shorewall macro.Edonkey +# Shorewall version 2.6 - Edonkey Macro +# +# /usr/share/shorewall/macro.Edonkey # # This macro handles Edonkey traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 4662 -PARAM - - udp 4665 # -# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm -# says to use udp 5737 rather than 4665 +# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm +# says to use udp 5737 rather than 4665. # -# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: -# 4661 TCP (outgoing) -# Port, on which a server listens for connection (defined by server). -#4665 UDP (outgoing) -# used for global server searches and global source queries. This is -#always Server TCP port (in this case 4661) + 4. -#4662 TCP (outgoing and incoming) -# Client to client transfers. -#4672 UDP (outgoing and incoming) -# Extended eMule protocol, Queue Rating, File Reask Ping -#4711 TCP -# WebServer listening port. -#4712 TCP -# External Connection port. Used to communicate aMule with other -#applications such as aMule WebServer or aMuleCMD. +# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: # +# 4661 TCP (outgoing) Port, on which a server listens for connection +# (defined by server). +# +# 4665 UDP (outgoing) used for global server searches and global source +# queries. This is always Server TCP port (in this case 4661) + 4. +# +# 4662 TCP (outgoing and incoming) Client to client transfers. +# +# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue +# Rating, File Reask Ping +# +# 4711 TCP WebServer listening port. +# +# 4712 TCP External Connection port. Used to communicate aMule with other +# applications such as aMule WebServer or aMuleCMD. 
+# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 4662 +PARAM - - udp 4665 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.FTP b/Shorewall/macro.FTP index 15a2811bb..d76204db1 100644 --- a/Shorewall/macro.FTP +++ b/Shorewall/macro.FTP @@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.FTP +# Shorewall version 2.6 - FTP Macro +# +# /usr/share/shorewall/macro.FTP # # This macro handles FTP traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 21 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 21 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Gnutella b/Shorewall/macro.Gnutella index 43a402d39..aa37453d4 100644 --- a/Shorewall/macro.Gnutella +++ b/Shorewall/macro.Gnutella @@ -1,11 +1,13 @@ # -# Shorewall macro.Gnutella +# Shorewall version 2.6 - Gnutella Macro +# +# /usr/share/shorewall/macro.Gnutella # # This macro handles gnutella traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 6346 -PARAM - - udp 6346 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 6346 +PARAM - - udp 6346 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.ICQ b/Shorewall/macro.ICQ index c2bf4987a..c688d92a7 100644 --- a/Shorewall/macro.ICQ +++ b/Shorewall/macro.ICQ 
@@ -1,10 +1,12 @@ # -# Shorewall macro.ICQ +# Shorewall version 2.6 - ICQ Macro +# +# /usr/share/shorewall/macro.ICQ # # This macro handles ICQ traffic. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 5190 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 5190 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.IMAP b/Shorewall/macro.IMAP index e95832f67..bdd03d0c1 100644 --- a/Shorewall/macro.IMAP +++ b/Shorewall/macro.IMAP @@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.IMAP +# Shorewall version 2.6 - IMAP Macro +# +# /usr/share/shorewall/macro.IMAP # # This macro handles IMAP traffic (secure and insecure): # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 143 #Unsecure IMAP -PARAM - - tcp 993 #Secure IMAP +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 143 # Unsecure IMAP +PARAM - - tcp 993 # Secure IMAP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.LDAP b/Shorewall/macro.LDAP index c25d54cbd..25272bde2 100644 --- a/Shorewall/macro.LDAP +++ b/Shorewall/macro.LDAP 
@@ -1,11 +1,13 @@ # -# Shorewall macro.LDAP +# Shorewall version 2.6 - LDAP Macro +# +# /usr/share/shorewall/macro.LDAP # # This macro handles LDAP traffic (secure and insecure) # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 389 -PARAM - - tcp 636 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 389 +PARAM - - tcp 636 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.MySQL b/Shorewall/macro.MySQL index 1d15049f8..e2a58d0de 100644 --- a/Shorewall/macro.MySQL +++ b/Shorewall/macro.MySQL @@ -1,10 +1,12 @@ # -# Shorewall macro.MySQL +# Shorewall version 2.6 - MySQL Macro +# +# /usr/share/shorewall/macro.MySQL # # This action macro.handles connections to the MySQL server. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 3306 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 3306 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.NNTP b/Shorewall/macro.NNTP index 1e1033df8..851c42cd3 100644 --- a/Shorewall/macro.NNTP +++ b/Shorewall/macro.NNTP 
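Review bot: The description line `# This action macro.handles connections to the MySQL server.` is left untouched by the hunk but reads as a leftover from converting an action file into a macro. Since the commit is already rewriting this header, it should become `# This macro handles connections to the MySQL server.`, matching the wording used in the other macro files (for example macro.PostgreSQL).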
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.NNTP +# Shorewall version 2.6 NNTP Macro +# +# /usr/share/shorewall/macro.NNTP # # This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS) # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 119 -PARAM - - tcp 563 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 119 +PARAM - - tcp 563 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.NTP b/Shorewall/macro.NTP index 2e756121f..95b98dc75 100644 --- a/Shorewall/macro.NTP +++ b/Shorewall/macro.NTP @@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.NTP +# Shorewall version 2.6 - NTP Macro +# +# /usr/share/shorewall/macro.NTP # # This macro handles NTP traffic (ntpd). +# For broadcast NTP traffic, use NTPbrd Macro. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -PARAM - - udp 123 -PARAM - - udp 1024: 123 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 123 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.NTPbrd b/Shorewall/macro.NTPbrd new file mode 100644 index 000000000..60975cac3 --- /dev/null +++ b/Shorewall/macro.NTPbrd 
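Review bot: The new title line `+# Shorewall version 2.6 NNTP Macro` lacks the ` - ` separator that every other macro header in this commit uses (`# Shorewall version 2.6 - NTP Macro`, `# Shorewall version 2.6 - PCA Macro`). Change it to `# Shorewall version 2.6 - NNTP Macro` for consistency.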
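Review bot: Dropping `PARAM - - udp 1024: 123` from macro.NTP is a behaviour change that the header only hints at: a ruleset that invoked NTP to receive replies to broadcast NTP will silently stop accepting them after upgrade, and the only pointer is the one-line `For broadcast NTP traffic, use NTPbrd Macro.` Narrowing the default macro is the right call, since the removed rule was the permissive one (it matched on source port alone), but the migration should be spelled out in the header: `# Note: the rule accepting replies to broadcast NTP (udp source port 123 to` / `# destination ports 1024 and above) has moved to the NTPbrd macro; invoke` / `# that macro if your configuration relied on it.` A changelog entry would help as well, though that file is not part of this diff.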
@@ -0,0 +1,18 @@ +# +# Shorewall version 2.6 - NTPbrd Macro +# +# /usr/share/shorewall/macro.NTPbrd +# +# This macro handles NTP traffic (ntpd) including replies to Broadcast +# NTP traffic. +# +# It is recommended only to use this where the source host is trusted - +# otherwise it opens up a large hole in your firewall because +# Netfilter doesn't track connections for broadcast traffic. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 123 +PARAM - - udp 1024: 123 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.PCA b/Shorewall/macro.PCA index c34cfaa08..bb2334df0 100644 --- a/Shorewall/macro.PCA +++ b/Shorewall/macro.PCA @@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.PCA +# Shorewall version 2.6 - PCA Macro +# +# /usr/share/shorewall/macro.PCA # # This macro handles PCAnywere (tm) # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 5632 -PARAM - - tcp 5631 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 5632 +PARAM - - tcp 5631 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.POP3 b/Shorewall/macro.POP3 index 07b5e3e6d..fa1d3b1c1 100644 --- a/Shorewall/macro.POP3 +++ b/Shorewall/macro.POP3 
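Review bot: The warning in the new header understates what the second rule does: `PARAM - - udp 1024: 123` matches every UDP datagram with source port 123 and a destination port of 1024 or higher, whether or not any broadcast request preceded it, because nothing in the rule is stateful. The sentence `Netfilter doesn't track connections for broadcast traffic` explains why the rule exists but not how wide the opening is. Suggest replacing it with `# The second rule accepts any UDP packet whose source port is 123 and whose` / `# destination port is 1024 or above, independent of any prior request; always` / `# restrict the SOURCE column to your known NTP servers when invoking this macro.`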
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.POP3 +# Shorewall version 2.6 - POP3 Macro +# +# /usr/share/shorewall/macro.POP3 # # This macro handles POP3 traffic (secure and insecure): # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -PARAM - - tcp 110 #Unsecure POP3 -PARAM - - tcp 995 #Secure POP3 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 110 # Unsecure POP3 +PARAM - - tcp 995 # Secure POP3 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Ping b/Shorewall/macro.Ping index 5177756f2..0df903d48 100644 --- a/Shorewall/macro.Ping +++ b/Shorewall/macro.Ping @@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Ping +# Shorewall version 2.6 - Ping Macro +# +# /usr/share/shorewall/macro.Ping # # This macro handles 'ping' requests. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - icmp 8 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - icmp 8 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.PostgreSQL b/Shorewall/macro.PostgreSQL index 02e962904..c342aca31 100644 --- a/Shorewall/macro.PostgreSQL +++ b/Shorewall/macro.PostgreSQL 
@@ -1,10 +1,12 @@ # -# Shorewall macro.PostgreSQL +# Shorewall version 2.6 - PostgreSQL Macro +# +# /usr/share/shorewall/macro.PostgreSQL # # This macro handles connections to the PostgreSQL server. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 5432 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 5432 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Rdate b/Shorewall/macro.Rdate index 487cab8bc..f1fae1d44 100644 --- a/Shorewall/macro.Rdate +++ b/Shorewall/macro.Rdate @@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Rdate +# Shorewall version 2.6 - Rdate Macro +# +# /usr/share/shorewall/macro.Rdate # # This macro handles remote time retrieval (rdate). # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 37 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 37 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Rsync b/Shorewall/macro.Rsync index 214fa2d18..0c89a4bea 100644 --- a/Shorewall/macro.Rsync +++ b/Shorewall/macro.Rsync 
@@ -1,10 +1,12 @@ # -# Shorewall macro.Rsync +# Shorewall version 2.6 - Rsync Macro +# +# /usr/share/shorewall/macro.Rsync # # This macro handles connections to the rsync server. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 873 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 873 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SMB b/Shorewall/macro.SMB index 456cdc3e6..5aaa3ecd6 100644 --- a/Shorewall/macro.SMB +++ b/Shorewall/macro.SMB @@ -1,14 +1,16 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.SMB +# Shorewall version 2.6 - SMB Macro +# +# /usr/share/shorewall/macro.SMB # # Handle Microsoft SMB traffic. You need to invoke this macro in # both directions. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 135,445 -PARAM - - udp 137:139 -PARAM - - udp 1024: 137 -PARAM - - tcp 135,139,445 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 135,445 +PARAM - - udp 137:139 +PARAM - - udp 1024: 137 +PARAM - - tcp 135,139,445 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SMBswat b/Shorewall/macro.SMBswat index bf1bb8a69..9d91bcc6a 100644 --- a/Shorewall/macro.SMBswat +++ b/Shorewall/macro.SMBswat 
@@ -1,11 +1,13 @@ # -# Shorewall macro.SMBswat +# Shorewall version 2.6 - SMBswat Macro +# +# /usr/share/shorewall/macro.SMBswat # # This macro handles connections to the Samba Web Administration # Tool (SWAT). # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 901 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 901 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SMTP b/Shorewall/macro.SMTP index f048724b8..bd903da09 100644 --- a/Shorewall/macro.SMTP +++ b/Shorewall/macro.SMTP @@ -1,5 +1,7 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.SMTP +# Shorewall version 2.6 - SMTP Macro +# +# /usr/share/shorewall/macro.SMTP # # This macro handles SMTP (email) traffic. # @@ -8,8 +10,8 @@ # reading of email via POP3 or IMAP. For those you need to use # the POP3 or IMAP macros. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 25 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 25 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SNMP b/Shorewall/macro.SNMP index 2240ebdcd..8538dbe6c 100644 --- a/Shorewall/macro.SNMP +++ b/Shorewall/macro.SNMP 
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.SNMP +# Shorewall version 2.6 - SNMP Macro +# +# /usr/share/shorewall/macro.SNMP # # This macro accepts SNMP traffic (including traps): # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 161:162 -PARAM - - tcp 161 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 161:162 +PARAM - - tcp 161 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SPAMD b/Shorewall/macro.SPAMD index c59b42ad8..f24006ef2 100644 --- a/Shorewall/macro.SPAMD +++ b/Shorewall/macro.SPAMD @@ -1,10 +1,12 @@ # -# Shorewall macro.SPAMD +# Shorewall version 2.6 - SPAMD Macro +# +# /usr/share/shorewall/macro.SPAMD # # This macro handles Spam Assassin SPAMD traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 783 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 783 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SSH b/Shorewall/macro.SSH index 1a64367ed..454cc02f6 100644 --- a/Shorewall/macro.SSH +++ b/Shorewall/macro.SSH 
@@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.SSH +# Shorewall version 2.6 - SSH Macro +# +# /usr/share/shorewall/macro.SSH # # This macro handles secure shell (SSH) traffic. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 22 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 22 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.SVN b/Shorewall/macro.SVN index 89de62af6..c169a1bcd 100644 --- a/Shorewall/macro.SVN +++ b/Shorewall/macro.SVN @@ -1,10 +1,12 @@ # -# Shorewall macro.SVN +# Shorewall version 2.6 - SVN Macro # -# This macro handles connections to the Subversion server. +# /usr/share/shorewall/macro.SVN # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - tcp 3690 +# This macro handles connections to the Subversion (SVN) server. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 3690 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Submission b/Shorewall/macro.Submission new file mode 100644 index 000000000..331170ee9 --- /dev/null +++ b/Shorewall/macro.Submission 
@@ -0,0 +1,12 @@ +# +# Shorewall version 2.6 - Submission Macro +# +# /usr/share/shorewall/macro.Submission +# +# This macro handles mail message submission traffic. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 587 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Syslog b/Shorewall/macro.Syslog index ebf89dacf..aef57cb5d 100644 --- a/Shorewall/macro.Syslog +++ b/Shorewall/macro.Syslog @@ -1,10 +1,12 @@ # -# Shorewall macro.Syslog +# Shorewall version 2.6 - Syslog Macro +# +# /usr/share/shorewall/macro.Syslog # # This macro handles syslog UDP traffic. # -################################################################################ -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT -PARAM - - udp 514 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 514 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Telnet b/Shorewall/macro.Telnet index 17971c4db..e3666129a 100644 --- a/Shorewall/macro.Telnet +++ b/Shorewall/macro.Telnet 
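Review bot: The header of the new macro.Submission says only that it "handles mail message submission traffic", and macro.SMTP in this same commit describes tcp 25 with an almost identical sentence, so a reader has no way to tell the two apart. Suggest `# This macro handles mail submission from mail clients to a mail server (tcp 587); for server-to-server SMTP on port 25 use macro.SMTP.` in place of the current description line.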
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Telnet +# Shorewall version 2.6 - Telnet Macro +# +# /usr/share/shorewall/macro.Telnet # # This macro handles Telnet traffic. For traffic over the # internet, telnet is inappropriate; use SSH instead # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 23 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 23 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Trcrt b/Shorewall/macro.Trcrt index ed9b63fbc..7633748bd 100644 --- a/Shorewall/macro.Trcrt +++ b/Shorewall/macro.Trcrt @@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt +# Shorewall version 2.6 -Trcrt Macro +# +# /usr/share/shorewall/macro.Trcrt # # This macro handles Traceroute (for up to 30 hops): # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 33434:33524 #UDP Traceroute -PARAM - - icmp 8 #ICMP Traceroute +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - udp 33434:33524 # UDP Traceroute +PARAM - - icmp 8 # ICMP Traceroute #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.VNC b/Shorewall/macro.VNC index defad75e4..8d429f859 100644 --- a/Shorewall/macro.VNC +++ b/Shorewall/macro.VNC 
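Review bot: The new title line `# Shorewall version 2.6 -Trcrt Macro` in macro.Trcrt is missing the space after the dash that every other macro header in this commit has; the same slip is in macro.VNCL (`# Shorewall version 2.6 -VNCL Macro`). Change them to `# Shorewall version 2.6 - Trcrt Macro` and `# Shorewall version 2.6 - VNCL Macro` so the headers stay uniform.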
@@ -1,10 +1,12 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.VNC +# Shorewall version 2.6 - VNC Macro +# +# /usr/share/shorewall/macro.VNC # # This macro handles VNC traffic for VNC display's 0 - 9. # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 5900:5909 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 5900:5909 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.VNCL b/Shorewall/macro.VNCL index 86c59b63d..1f38a8668 100644 --- a/Shorewall/macro.VNCL +++ b/Shorewall/macro.VNCL @@ -1,10 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.VNCL +# Shorewall version 2.6 -VNCL Macro # -# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode. +# /usr/share/shorewall/macro.VNCL # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 5500 +# This macro handles VNC traffic from Vncservers to Vncviewers in listen +# mode. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 5500 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.Web b/Shorewall/macro.Web index 783d66471..60a1b2a13 100644 --- a/Shorewall/macro.Web +++ b/Shorewall/macro.Web 
@@ -1,11 +1,13 @@ # -# Shorewall 2.6 /usr/share/shorewall/macro.Web +# Shorewall version 2.6 - Web Macro +# +# /usr/share/shorewall/macro.Web # # This macro handles WWW traffic (secure and insecure): # -###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - tcp 80 -PARAM - - tcp 443 +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +PARAM - - tcp 80 +PARAM - - tcp 443 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/macro.template b/Shorewall/macro.template index e345f34d2..0c7431f8c 100644 --- a/Shorewall/macro.template +++ b/Shorewall/macro.template 
@@ -1,21 +1,24 @@ # -# Shorewall version 2.6 - Macro Template File +# Shorewall version 2.6 - Template Macro # # /usr/share/shorewall/macro.template # # Macro files are similar to template files with the following exceptions: # -# - A macro file is not processed unless the marcro that it defines is referenced in the -# /etc/shorewall/rules file or in an action definition file. +# - A macro file is not processed unless the marcro that it defines is +# referenced in the /etc/shorewall/rules file or in an action +# definition file. # -# - Macros are translated directly into one or more rules whereas actions become their own -# chain. +# - Macros are translated directly into one or more rules whereas +# actions become their own chain. # -# - All entries in a macro undergo substitution when the macro is invoked in the rules file. +# - All entries in a macro undergo substitution when the macro is +# invoked in the rules file. # # - Macros may not invoke other macros. # -# The columns in a macro definition are the same as those in the action.template file. +# The columns in a macro definition are the same as those in the +# action.template file. # A few examples should help show how Macros work. # # /etc/shorewall/macro.FwdFTP: 
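Review bot: The rewrapped bullet in macro.template still carries the typo `marcro` (`# - A macro file is not processed unless the marcro that it defines is`); since the line is being rewritten anyway, correct it to `macro`. Everything else in this hunk is wording and line wrapping only.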
@@ -26,44 +29,52 @@ # # /etc/shorewall/rules: # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # FwdFTP net loc:192.168.1.5 # # The result is equivalent to: # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # DNAT net loc:192.168.1.5 tcp 21 # # The substitution rules are as follows: # -# ACTION column If in the invocation of the macro, the macro name is followed by -# slash ("/") and a second name, the second name is substituted for -# each entry in the macro whose ACTION is PARAM +# ACTION column If in the invocation of the macro, the macro +# name is followed by slash ("/") and a second +# name, the second name is substituted for each +# entry in the macro whose ACTION is PARAM # -# For example, if macro FOO is invoked as FOO/ACCEPT then when -# expanding macro.FOO, Shorewall will substitute ACCEPT in each -# entry in macro.FOO whose ACTION column contains PARAM. PARAM may -# be optionally followed by a colon and a log level. -# -# Any logging specified when the macro is invoked is applied to each -# entry in the macros. -# -# SOURCE and DEST If the column in the macro is empty then the value in the rules -# columns file is used. If the column in the macro is non-empty then any -# value in the rules file is appended with a ":" separator. -# -# Example: Macro File DNAT net loc tcp 21 -# rules File FwdFTP - 192.168.1.5 -# Result DNAT net loc:192.168.1.5 tcp 21 +# For example, if macro FOO is invoked as +# FOO/ACCEPT then when expanding macro.FOO, +# Shorewall will substitute ACCEPT in each +# entry in macro.FOO whose ACTION column +# contains PARAM. PARAM may be optionally +# followed by a colon and a log level. 
# -# Remaining Any value in the rules file REPLACES the value given in the macro -# columns file. +# Any logging specified when the macro is +# invoked is applied to each entry in the macros. # +# SOURCE and DEST If the column in the macro is empty then the +# columns value in the rules file is used. If the column +# in the macro is non-empty then any value in +# the rules file is appended with a ":" +# separator. +# +# +# Example: ############################################### +# #ACTION SOURCE DEST PROTO DEST +# # PORT +# Macro File DNAT net loc tcp 21 +# rules File FwdFTP - 192.168.1.5 +# Result DNAT net loc:192.168.1.5 tcp 21 +# +# Remaining Any value in the rules file REPLACES the value +# columns given in the macro file. # # -#################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/masq b/Shorewall/masq index e41211a3f..275cc8c5b 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,10 +1,10 @@ # -# Shorewall 2.6 - Masquerade file +# Shorewall version 2.6 - Masq file # # /etc/shorewall/masq # -# Use this file to define dynamic NAT (Masquerading) and to define Source NAT -# (SNAT). +# Use this file to define dynamic NAT (Masquerading) and to define +# Source NAT (SNAT). # # Columns are: # 
@@ -12,13 +12,13 @@ # interface. If ADD_SNAT_ALIASES=Yes in # /etc/shorewall/shorewall.conf, you may add ":" and # a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to +# that name (e.g., eth0:0). This will allow the alias to # be displayed with ifconfig. THAT IS THE ONLY USE FOR # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # PLACE IN YOUR SHOREWALL CONFIGURATION. # # This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# ":" followed by a destination host or subnet. # # If you wish to inhibit the action of ADD_SNAT_ALIASES # for this entry then include the ":" but omit the digit: @@ -35,7 +35,7 @@ # +eth0:192.0.2.32/27 # +eth0:2 # -# This feature should only be required if you need to +# This feature should only be required if you need to # insert rules in this file that preempt entries in # /etc/shorewall/nat. # @@ -53,7 +53,7 @@ # In that example traffic from eth1 would be masqueraded unless # it came from 192.168.1.4 or 196.168.32.0/27 # -# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# ADDRESS -- (Optional). If you specify an address here, SNAT will be # used and this will be the source address. If # ADD_SNAT_ALIASES is set to Yes or yes in # /etc/shorewall/shorewall.conf then Shorewall @@ -74,11 +74,11 @@ # This column may not contain DNS Names. # # Normally, Netfilter will attempt to retain -# the source port number. You may cause +# the source port number. You may cause # netfilter to remap the source port by following # an address or range (if any) by ":" and # a port range with the format - -# . If this is done, you must +# . If this is done, you must # specify "tcp" or "udp" in the PROTO column. # # Examples: 
@@ -86,29 +86,32 @@ # 192.0.2.4:5000-6000 # :4000-5000 # -# You can invoke the SAME target using the +# You can invoke the SAME target using the # following in this column: # -# SAME:[nodst:][,...] +# SAME:[nodst:][,...] # -# The may be single addresses. +# The may be single addresses. # -# SAME works like SNAT with the exception that the -# same local IP address is assigned to each connection -# from a local address to a given remote address. If -# the 'nodst:' option is included, then the same source -# address is used for a given internal system regardless -# of which remote system is involved. +# SAME works like SNAT with the exception that +# the same local IP address is assigned to each +# connection from a local address to a given +# remote address. +# +# If the 'nodst:' option is included, then the +# same source address is used for a given +# internal system regardless of which remote +# system is involved. # # If you want to leave this column empty # but you need to specify the next column then # place a hyphen ("-") here. # -# PROTO -- (Optional) If you wish to restrict this entry to a +# PROTO -- (Optional) If you wish to restrict this entry to a # particular protocol then enter the protocol # name (from /etc/protocols) or number here. # -# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) # or UDP (protocol 17) then you may list one # or more port numbers (or names from # /etc/services) separated by commas or you 
@@ -117,31 +120,32 @@ # # Where a comma-separated list is given, your # kernel and iptables must have multiport match -# support and a maximum of 15 ports may be +# support and a maximum of 15 ports may be # listed. # # IPSEC -- (Optional) If you specify a value other than "-" in this -# column, you must be running kernel 2.6 and +# column, you must be running kernel 2.6 and # your kernel and iptables must include policy # match support. # -# Comma-separated list of options from the following. -# Only packets that will be encrypted via an SA that -# matches these options will have their source address -# changed. +# Comma-separated list of options from the +# following. Only packets that will be encrypted +# via an SA that matches these options will have +# their source address changed. # -# Yes or yes -- must be the only option listed -# and matches all outbound traffic that will be -# encrypted. +# Yes or yes -- must be the only option +# listed and matches all outbound +# traffic that will be encrypted. # -# reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. +# reqid= where is +# specified using setkey(8) using the +# 'unique: option for the SPD +# level. # -# spi= where is the SPI of -# the SA. +# spi= where is the +# SPI of the SA. # -# proto=ah|esp|ipcomp +# proto=ah|esp|ipcomp # # mode=transport|tunnel # @@ -149,13 +153,13 @@ # available with mode=tunnel) # # tunnel-dst=
[/] (only -# available with mode=tunnel) +# available with mode=tunnel) # -# strict Means that packets must match all -# rules. +# strict Means that packets must match +# all rules. # -# next Separates rules; can only be used -# with strict.. +# next Separates rules; can only be +# used with strict.. # # Example 1: # @@ -179,13 +183,13 @@ # # eth0 192.168.1.0/24 # -# Example 3: +# Example 3: # -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: # -# ipsec0:10.1.1.0/24 196.168.1.0/24 +# ipsec0:10.1.1.0/24 196.168.1.0/24 # # Example 4: # @@ -199,8 +203,8 @@ # Example 5: # # You want all outgoing SMTP traffic entering the firewall -# on eth1 to be sent from eth0 with source IP address -# 206.124.146.177. You want all other outgoing traffic +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic # from eth1 to be sent from eth0 with source IP address # 206.124.146.176. # @@ -212,5 +216,5 @@ # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################### -#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/modules b/Shorewall/modules index 124dd0709..e365c39ad 100644 --- a/Shorewall/modules +++ b/Shorewall/modules 
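Review bot: Example 3 in the masq file, in the `@@ -179` hunk, describes masquerading packets "coming from 192.168.1.0/24", but the rewritten rule line reads `# ipsec0:10.1.1.0/24 196.168.1.0/24`, so the SUBNET column does not match the prose. Presumably 196 is a typo for 192; change the line to `# ipsec0:10.1.1.0/24 192.168.1.0/24`. The same 196/192 slip appears in the unchanged context `it came from 192.168.1.4 or 196.168.32.0/27` in the `@@ -53` hunk, which this commit does not touch.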
@@ -1,27 +1,31 @@ -############################################################################## -# Shorewall 2.6 /etc/shorewall/modules # -# This file loads the modules needed by the firewall. +# Shorewall version 2.6 - Modules File # -# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in -# dependency order. i.e., if M2 depends on M1 then you must load M1 before -# you load M2. +# /etc/shorewall/modules # -# For additional information, see http://shorewall.net/Documentation.htm#modules - - loadmodule ip_tables - loadmodule iptable_filter - loadmodule ip_conntrack - loadmodule ip_conntrack_ftp - loadmodule ip_conntrack_tftp - loadmodule ip_conntrack_irc - loadmodule iptable_nat - loadmodule ip_nat_ftp - loadmodule ip_nat_tftp - loadmodule ip_nat_irc - loadmodule ip_set - loadmodule ip_set_iphash - loadmodule ip_set_ipmap - loadmodule ip_set_macipmap - loadmodule ip_set_portmap - +# This file loads the modules needed by the firewall. +# +# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in +# dependency order. i.e., if M2 depends on M1 then you must load M1 +# before you load M2. +# +# For additional information, see +# http://shorewall.net/Documentation.htm#modules +# +############################################################################### +loadmodule ip_tables +loadmodule iptable_filter +loadmodule ip_conntrack +loadmodule ip_conntrack_ftp +loadmodule ip_conntrack_tftp +loadmodule ip_conntrack_irc +loadmodule iptable_nat +loadmodule ip_nat_ftp +loadmodule ip_nat_tftp +loadmodule ip_nat_irc +loadmodule ip_set +loadmodule ip_set_iphash +loadmodule ip_set_ipmap +loadmodule ip_set_macipmap +loadmodule ip_set_portmap +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/nat b/Shorewall/nat index 3de32e577..edf3f50df 100755 --- a/Shorewall/nat +++ b/Shorewall/nat 
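Review bot: The rewritten header of the modules file stresses load order but never states the line syntax, so a reader cannot tell from the file whether anything may follow the module name. If, as I believe, Shorewall's loadmodule passes additional words through as module parameters, a line such as `# loadmodule <module-name> [ <module-parameters> ]` above the first entry would make that explicit; confirm against the loadmodule function before adding it.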
@@ -1,6 +1,5 @@ -############################################################################## # -# Shorewall 2.6 -- Network Address Translation Table +# Shorewall version 2.6 - Nat File # # /etc/shorewall/nat # @@ -8,17 +7,17 @@ # (NAT). # # WARNING: If all you want to do is simple port forwarding, do NOT use this -# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most +# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most # cases, Proxy ARP is a better solution that one-to-one NAT. # -# Columns must be separated by white space and are: +# Columns are: # # EXTERNAL External IP Address - this should NOT be the primary # IP address of the interface named in the next # column and must not be a DNS Name. # # INTERFACE Interface that you want to EXTERNAL address to appear -# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may +# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may # follow the interface name with ":" and a digit to # indicate that you want Shorewall to add the alias # with this name (e.g., "eth0:0"). That allows you to 
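Review bot: Two typos survive on the new side of the `@@ -8,17` hunk of the nat file: `Proxy ARP is a better solution that one-to-one NAT` (should be `than`) and `Interface that you want to EXTERNAL address to appear on` (should be `the EXTERNAL address`). Separately, `Columns must be separated by white space and are:` became `Columns are:` here and in the netmap, providers and proxyarp hunks below; if the whitespace-separation rule is now stated once in shared documentation that is fine, otherwise the longer sentence should be kept.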
@@ -31,17 +30,17 @@ # ":" and no digit (e.g., "eth0:"). # INTERNAL Internal Address (must not be a DNS Name). # -# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. -# If No or no (or left empty) then NAT will be effective -# only through the interface named in the INTERFACE -# column +# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. +# If No or no (or left empty) then NAT will be effective +# only through the interface named in the INTERFACE +# column # -# LOCAL If Yes or yes, NAT will be effective from the firewall -# system +# LOCAL If Yes or yes, NAT will be effective from the firewall +# system # # For additional information, see http://shorewall.net/NAT.htm -############################################################################## +# +############################################################################### #EXTERNAL INTERFACE INTERNAL ALL LOCAL # INTERFACES -# #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/netmap b/Shorewall/netmap index 96aaa8ee1..b593273c9 100644 --- a/Shorewall/netmap +++ b/Shorewall/netmap @@ -1,6 +1,5 @@ -############################################################################## # -# Shorewall 2.6 -- Network Mapping Table +# Shorewall version 2.6 - Netmap File # # /etc/shorewall/netmap # @@ -10,9 +9,9 @@ # WARNING: To use this file, your kernel and iptables must have # NETMAP support included. # -# Columns must be separated by white space and are: +# Columns are: # -# TYPE Must be DNAT or SNAT. +# TYPE Must be DNAT or SNAT. # # If DNAT, traffic entering INTERFACE and addressed to # NET1 has it's destination address rewritten to the 
@@ -32,7 +31,6 @@ # See http://shorewall.net/netmap.html for an example and usage # information. # -############################################################################## +############################################################################### #TYPE NET1 INTERFACE NET2 -# #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/params b/Shorewall/params index fe67d793f..379ca7afe 100644 --- a/Shorewall/params +++ b/Shorewall/params @@ -1,25 +1,27 @@ # -# Shorewall 2.6 /etc/shorewall/params +# Shorewall version 2.4 - Params File # -# Assign any variables that you need here. +# /etc/shorewall/params # -# It is suggested that variable names begin with an upper case letter -# to distinguish them from variables used internally within the -# Shorewall programs +# Assign any variables that you need here. # -# Example: +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall programs # -# NET_IF=eth0 -# NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter,norfc1918 +# Example: # -# Example (/etc/shorewall/interfaces record): +# NET_IF=eth0 +# NET_BCAST=130.252.100.255 +# NET_OPTIONS=routefilter,norfc1918 # -# net $NET_IF $NET_BCAST $NET_OPTIONS +# Example (/etc/shorewall/interfaces record): # -# The result will be the same as if the record had been written +# net $NET_IF $NET_BCAST $NET_OPTIONS # -# net eth0 130.252.100.255 routefilter,norfc1918 +# The result will be the same as if the record had been written # -############################################################################## +# net eth0 130.252.100.255 routefilter,norfc1918 +# +############################################################################### #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall/policy b/Shorewall/policy index 04a7e3d7f..4a205a632 100644 --- a/Shorewall/policy +++ b/Shorewall/policy 
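Review bot: The new header line `# Shorewall version 2.4 - Params File` states version 2.4, while the line it replaces said 2.6 and every other file in this commit is labelled 2.6; change it to `# Shorewall version 2.6 - Params File`. Since the examples (`NET_IF=eth0`, `$NET_IF`) are shell syntax, the file is presumably sourced by the firewall script, so a one-line note that whatever is written here executes with the firewall's privileges and that the file should stay writable by root only would also be worth adding.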
@@ -1,9 +1,9 @@ # -# Shorewall 2.6 -- Policy File +# Shorewall version 2.6 - Policy File # # /etc/shorewall/policy # -# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file . For each 
@@ -23,39 +23,43 @@ # # ACCEPT - Accept the connection # DROP - Ignore the connection request -# REJECT - For TCP, send RST. For all other, send -# "port unreachable" ICMP. +# REJECT - For TCP, send RST. For all other, +# send "port unreachable" ICMP. # QUEUE - Send the request to a user-space # application using the QUEUE target. # CONTINUE - Pass the connection request past # any other rules that it might also -# match (where the source or destination -# zone in those rules is a superset of -# the SOURCE or DEST in this policy). +# match (where the source or +# destination zone in those rules is +# a superset of the SOURCE or DEST +# in this policy). # NONE - Assume that there will never be any # packets from this SOURCE -# to this DEST. Shorewall will not set up -# any infrastructure to handle such -# packets and you may not have any rules -# with this SOURCE and DEST in the -# /etc/shorewall/rules file. If such a -# packet _is_ received, the result is -# undefined. NONE may not be used if the -# SOURCE or DEST columns contain the -# firewall zone ($FW) or "all". +# to this DEST. Shorewall will not set +# up any infrastructure to handle such +# packets and you may not have any +# rules with this SOURCE and DEST in +# the /etc/shorewall/rules file. If +# such a packet _is_ received, the +# result is undefined. NONE may not be +# used if the SOURCE or DEST columns +# contain the firewall zone ($FW) or +# "all". # -# If this column contains ACCEPT, DROP or REJECT and a +# If this column contains ACCEPT, DROP or REJECT and a # corresponding common action is defined in -# /etc/shorewall/actions (or /usr/share/shorewall/actions.std) -# then that action will be invoked before the policy named in -# this column is inforced. +# /etc/shorewall/actions (or +# /usr/share/shorewall/actions.std) then that action +# will be invoked before the policy named in this column +# is inforced. 
# -# The policy determined the default treatment of new -# connection requests and may optionally be followed by ":" -# and an ESTABLISHED policy which determines what -# is to be done with packets that are part of an established -# connection. The choices are ACCEPT (the default) and QUEUE -# (to queue the packet to a user-space filter like Snort Inline). +# The policy determined the default treatment of new +# connection requests and may optionally be followed by +# ":" and an ESTABLISHED policy which determines what +# is to be done with packets that are part of an +# established connection. The choices are ACCEPT (the +# default) and QUEUE (to queue the packet to a +# user-space filter like Snort Inline). # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no @@ -90,9 +94,10 @@ # # # # THE FOLLOWING POLICY MUST BE LAST # # -# all all REJECT info +# all all REJECT info # # See http://shorewall.net/Documentation.htm#Policy for additional information. +# ############################################################################### #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL diff --git a/Shorewall/providers b/Shorewall/providers index a5a3c2206..3dcd392dc 100755 --- a/Shorewall/providers +++ b/Shorewall/providers 
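Review bot: The rewrapped text in the `@@ -23,39` hunk of the policy file keeps two errors: `is inforced.` should read `is enforced.`, and `The policy determined the default treatment` should be `The policy determines the default treatment`. Both lines are already being rewritten by this commit, so correcting the words costs nothing.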
@@ -1,21 +1,20 @@ -############################################################################## # -# Shorewall 2.6 -- Internet Service Providers +# Shorewall version 2.6 - Providers File # # /etc/shorewall/providers # -# This file is used to define additional routing tables. You will +# This file is used to define additional routing tables. You will # want to define an additional table if: # # - You have connections to more than one ISP or multiple connections # to the same ISP # -# - You run Squid as a transparent proxy on a host other than the +# - You run Squid as a transparent proxy on a host other than the # firewall. # # To omit a column, enter "-". # -# Columns must be separated by white space and are: +# Columns are: # # NAME The provider name. # @@ -47,14 +46,14 @@ # balance The providers that have 'default' specified will # get outbound traffic load-balanced among them. By # default, all interfaces with 'balance' specified -# will have the same weight (1). You can change the +# will have the same weight (1). You can change the # weight of an interface by specifiying balance= # where is the weight of the route out of # this interface. # # loose Normally, Shorewall adds routing rules to prohibit # firewall marks from working with traffic generated -# on the firewall itself. By setting the 'loose' +# on the firewall itself. By setting the 'loose' # option, generation of these rules is avoided. # # COPY A comma-separated lists of other interfaces on your @@ -68,7 +67,7 @@ # #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS # Squid 1 1 - eth2 192.168.2.99 - # -# Example: +# Example: # # eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and # the ISP's gateway router has IP address 206.124.146.254. 
@@ -76,11 +75,13 @@ # eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the # ISP's gateway router has IP address 130.252.99.254. # -# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY -# ISP1 1 1 main eth0 206.124.146.254 track,balance -# ISP2 2 2 main eth1 130.252.99.254 track,balance +# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +# ISP1 1 1 main eth0 206.124.146.254 track,balance +# ISP2 2 2 main eth1 130.252.99.254 track,balance # -# For additional information, see http://shorewall.net/Shorewall_and_Routing.html -############################################################################################## +# For additional information, see +# http://shorewall.net/Shorewall_and_Routing.html +# +############################################################################################ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index 74cce43c5..1fb061d69 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp @@ -1,12 +1,11 @@ -############################################################################## # -# Shorewall 2.6 -- Proxy ARP +# Shorewall version 2.6 - Proxyarp File # # /etc/shorewall/proxyarp # # This file is used to define Proxy ARP. # -# Columns must be separated by white space and are: +# Columns are: # # ADDRESS IP Address # @@ -41,6 +40,7 @@ # 155.186.235.6 eth1 eth0 # # See http://shorewall.net/ProxyARP.htm for additional information. -############################################################################## +# +############################################################################### #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 935df8216..60c71b59b 100755 --- a/Shorewall/releasenotes.txt 
+++ b/Shorewall/releasenotes.txt @@ -29,7 +29,7 @@ Migration Considerations: 1) The "monitor" command has been eliminated. 2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones - file have been removed and have been replaced by the former + file have been removed and have been replaced by the former columns of the /etc/shorewall/ipsec file. The latter file has been removed. @@ -46,7 +46,7 @@ Migration Considerations: The shorewall.conf file included in this release sets IPSECFILE=zones so that new users are expected to use the new zone - file format. + file format. As a result, the columns in the /etc/shorewall/zones file are now as follows: @@ -80,7 +80,7 @@ Migration Considerations: proto=ah|esp|ipcomp mss= (sets the MSS field in TCP - packets) + packets) mode=transport|tunnel @@ -124,7 +124,7 @@ Migration Considerations: 5) Most of the standard actions have been replaced by parameterized macros (see below). So for example, the action.AllowSMTP and action.DropSMTP have been removed an a parameterized macro - macro.SMTP has been added to replace them. + macro.SMTP has been added to replace them. In order that current users don't have to immediately update their rules and user-defined actions, Shorewall can substitute an @@ -232,7 +232,7 @@ New Features in Shorewall 2.5.0 the macro. The first three columns get special treatment: TARGET If you code PARAM as the target in a macro then - when you invoke the macro, you can include the + when you invoke the macro, you can include the name of the macro followed by a slash ("/") and an ACTION (either builtin or user-defined. All instances of PARAM in the body of the macro will be 
@@ -241,11 +241,11 @@ New Features in Shorewall 2.5.0 Any logging applied when the action is invoked is applied following the same rules as for actions. - SOURCE and + SOURCE and DEST If the rule in the macro file specifies a value and the invocation of the rule also specifies a value then the value in the invocation is appended to the value - in the rule using ":" as a separator. + in the rule using ":" as a separator. Example: @@ -298,5 +298,5 @@ New Features in Shorewall 2.5.0 WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN PROXY ARP. - + diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index 7542760ab..589cf85af 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 
@@ -1,43 +1,45 @@ # -# Shorewall 2.6 -- RFC1918 File +# Shorewall version 2.6 - Rfc1918 File # # /etc/shorewall/rfc1918 # -# Lists the subnetworks that are blocked by the 'norfc1918' interface option. +# Lists the subnetworks that are blocked by the 'norfc1918' interface +# option. # -# The default list includes those IP addresses listed in RFC 1918. +# The default list includes those IP addresses listed in RFC 1918. # # DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE # TO /etc/shorewall AND MODIFY THE COPY. # # Columns are: # -# SUBNETS A comma-separated list of subnet addresses +# SUBNETS A comma-separated list of subnet addresses # (host addresses also allowed as are IP # address ranges provided that your kernel and iptables -# have iprange match support). +# have iprange match support). # TARGET Where to send packets to/from this subnet # RETURN - let the packet be processed normally # DROP - silently drop the packet # logdrop - log then drop # -# By default, the RETURN target causes 'norfc1918' processing to cease for a -# packet if the packet's source IP address matches the rule. Thus, if you have: +# By default, the RETURN target causes 'norfc1918' processing to cease +# for a packet if the packet's source IP address matches the rule. Thus, +# if you have: # -# SUBNETS TARGET -# 192.168.1.0/24 RETURN +# SUBNETS TARGET +# 192.168.1.0/24 RETURN # -# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you -# also have: +# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though +# you also have: # -# SUBNETS TARGET -# 10.0.0.0/8 logdrop +# SUBNETS TARGET +# 10.0.0.0/8 logdrop # -# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be -# logged and dropped since while the packet's source matches the RETURN rule, -# the packet's destination matches the 'logdrop' rule. 
+# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic +# to be logged and dropped since while the packet's source matches the +# RETURN rule, the packet's destination matches the 'logdrop' rule. # -################################################################################ +############################################################################### #SUBNETS TARGET 172.16.0.0/12 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918 diff --git a/Shorewall/routestopped b/Shorewall/routestopped index 38e1198b4..bcdaae8ec 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -1,6 +1,5 @@ -############################################################################## # -# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped +# Shorewall version 2.6 - Routestopped File # # /etc/shorewall/routestopped # @@ -8,7 +7,7 @@ # firewall is stopped or when it is in the process of being # [re]started. # -# Columns must be separated by white space and are: +# Columns are: # # INTERFACE - Interface through which host(s) communicate with # the firewall @@ -19,7 +18,7 @@ # # If left empty or supplied as "-", # 0.0.0.0/0 is assumed. -# OPTIONS - (Optional) A comma-separated list of +# OPTIONS - (Optional) A comma-separated list of # options. The currently-supported options are: # # routeback - Set up a rule to ACCEPT traffic from 
@@ -27,15 +26,15 @@ # # source - Allow traffic from these hosts to ANY # destination. Without this option or the 'dest' -# option, only traffic from this host to other +# option, only traffic from this host to other # listed hosts (and the firewall) is allowed. If -# 'source' is specified then 'routeback' is redundent. +# 'source' is specified then 'routeback' is redundent. # # dest - Allow traffic to these hosts from ANY # source. Without this option or the 'source' -# option, only traffic from this host to other +# option, only traffic from this host to other # listed hosts (and the firewall) is allowed. If -# 'dest' is specified then 'routeback' is redundent. +# 'dest' is specified then 'routeback' is redundent. # # critical - Allow traffic between the firewall and # these hosts throughout '[re]start', 'stop' and @@ -53,8 +52,9 @@ # eth3 - source # # See http://shorewall.net/Documentation.htm#Routestopped and -# http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# http://shorewall.net/starting_and_stopping_shorewall.htm for additional # information. -############################################################################## -#INTERFACE HOST(S) OPTIONS +# +############################################################################### +#INTERFACE HOST(S) OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/rules b/Shorewall/rules index 1232f8423..f2b8edf30 100755 --- a/Shorewall/rules +++ b/Shorewall/rules 
@@ -5,9 +5,9 @@ # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. For any -# particular (source,dest) pair of zones, the rules are evaluated in the -# order in which they appear in this file and the first match is the one -# that determines the disposition of the request. +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first match is the one +# that determines the disposition of the request. # # In most places where an IP address or subnet is allowed, you # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to 
@@ -15,40 +15,40 @@ # given. Notice that no white space is permitted between "!" and the # address/subnet. #------------------------------------------------------------------------------ -# WARNING: If you masquerade or use SNAT from a local system to the internet, -# you cannot use an ACCEPT rule to allow traffic from the internet to +# WARNING: If you masquerade or use SNAT from a local system to the internet, +# you cannot use an ACCEPT rule to allow traffic from the internet to # that system. You *must* use a DNAT rule instead. -#-------------------------------------------------------------------------------# +#------------------------------------------------------------------------------ # Columns are: # # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, # LOG, QUEUE or an . # -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the +# ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the # connection from any subsequent # DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any +# NONAT -- Excludes the connection from any # subsequent DNAT[-] or REDIRECT[-] # rules but doesn't generate a rule # to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an +# DROP -- ignore the request +# REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another +# DNAT -- Forward the request to another # system (and optionally another # port). -# DNAT- -- Advanced users only. +# DNAT- -- Advanced users only. # Like DNAT but only generates the # DNAT iptables rule and not # the companion ACCEPT rule. # SAME -- Similar to DNAT except that the # port may not be remapped and when -# multiple server addresses are +# multiple server addresses are # listed, all requests from a given # remote system go to the same # server. -# SAME- -- Advanced users only. 
+# SAME- -- Advanced users only. # Like SAME but only generates the # NAT iptables rule and not # the companion ACCEPT rule. @@ -69,12 +69,12 @@ # connection request will be passed # to the rules defined for that # (those) zone(s). -# LOG -- Simply log the packet and continue. +# LOG -- Simply log the packet and continue. # QUEUE -- Queue the packet to a user-space # application such as ftwall # (http://p2pwall.sf.net). # -- The name of an action defined in -# /etc/shorewall/actions or in +# /etc/shorewall/actions or in # /usr/share/shorewall/actions.std. # # The ACTION may optionally be followed @@ -90,7 +90,7 @@ # in the action are logged at the log level. # # - If the log level is not followed by "!" then only -# those rules in the action that do not specify +# those rules in the action that do not specify # logging are logged at the specified level. # # - The special log level 'none!' suppresses logging 
@@ -104,24 +104,24 @@ # Actions specifying logging may be followed by a # log tag (a string of alphanumeric characters) # are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# LOGPREFIX (in /etc/shorewall/shorewall.conf). # # Example: ACCEPT:info:ftp would include 'ftp ' # at the end of the log prefix generated by the # LOGPREFIX setting. # # SOURCE Source hosts to which the rule applies. May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, "all" or "none" If the ACTION is DNAT or -# REDIRECT, sub-zones of the specified zone may be +# defined in /etc/shorewall/zones, $FW to indicate the +# firewall itself, "all" or "none" If the ACTION is DNAT +# or REDIRECT, sub-zones of the specified zone may be # excluded from the rule by following the zone name with # "!' and a comma-separated list of sub-zone names. # -# When "none" is used either in the SOURCE or DEST column, -# the rule is ignored. +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. # # When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add +# intra-zone traffic is not affected. You must add # separate rules to handle that traffic. # # Except when "all" is specified, clients may be further 
@@ -134,11 +134,12 @@ # Hosts may be specified as an IP address range using the # syntax -. This requires that # your kernel and iptables contain iprange match support. -# If you kernel and iptables have ipset match support then -# you may give the name of an ipset prefaced by "+". The -# ipset name may be optionally followed by a number from -# 1 to 6 enclosed in square brackets ([]) to indicate the -# number of levels of source bindings to be matched. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of source bindings to be +# matched. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # @@ -148,8 +149,8 @@ # loc:192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. # # net:192.0.2.11-192.0.2.17 # Hosts 192.0.2.11-192.0.2.17 in @@ -167,11 +168,11 @@ # /etc/shorewall/zones, $FW to indicate the firewall # itself, "all" or "none". # -# When "none" is used either in the SOURCE or DEST column, -# the rule is ignored. +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. # # When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add +# intra-zone traffic is not affected. You must add # separate rules to handle that traffic. # # Except when "all" is specified, the server may be 
@@ -194,13 +195,13 @@ # the connections will be assigned to addresses in the # range in a round-robin fashion. # -# If you kernel and iptables have ipset match support then -# you may give the name of an ipset prefaced by "+". The -# ipset name may be optionally followed by a number from -# 1 to 6 enclosed in square brackets ([]) to indicate the -# number of levels of destination bindings to be matched. -# Only one of the SOURCE and DEST columns may specify an -# ipset name. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of destination bindings +# to be matched. Only one of the SOURCE and DEST columns +# may specify an ipset name. # # The port that the server is listening on may be # included and separated from the server's IP address by @@ -220,7 +221,7 @@ # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". # -# DEST PORT(S) Destination Ports. A comma-separated list of Port +# DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). @@ -246,8 +247,8 @@ # ranges. # # If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then place -# "-" in this column. +# specify an ORIGINAL DEST in the next column, then +# place "-" in this column. # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in 
@@ -257,43 +258,43 @@ # Otherwise, a separate rule will be generated for each # port. # -# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then -# if included and different from the IP +# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] +# then if included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port # specified in the DEST column. # -# A comma-separated list of addresses may also be used. -# This is usually most useful with the REDIRECT target +# A comma-separated list of addresses may also be used. +# This is usually most useful with the REDIRECT target # where you want to redirect traffic destined for # particular set of hosts. # # Finally, if the list of addresses begins with "!" then -# the rule will be followed only if the original +# the rule will be followed only if the original # destination address in the connection request does not # match any of the addresses listed. # # For other actions, this column may be included and may # contain one or more addresses (host or network) # separated by commas. Address ranges are not allowed. -# When this column is supplied, rules are generated -# that require that the original destination address matches -# one of the listed addresses. This feature is most useful when -# you want to generate a filter rule that corresponds to a -# DNAT- or REDIRECT- rule. In this usage, the list of -# addresses should not begin with "!". +# When this column is supplied, rules are generated +# that require that the original destination address +# matches one of the listed addresses. This feature is +# most useful when you want to generate a filter rule +# that corresponds to a DNAT- or REDIRECT- rule. In this +# usage, the list of addresses should not begin with "!". 
# -# See http://shorewall.net/PortKnocking.html for an +# See http://shorewall.net/PortKnocking.html for an # example of using an entry in this column with a # user-defined action rule. # -# RATE LIMIT You may rate-limit the rule by placing a value in +# RATE LIMIT You may rate-limit the rule by placing a value in # this colume: -# +# # /[:] # -# where is the number of connections per +# where is the number of connections per # ("sec" or "min") and is the # largest burst permitted. If no is given, # a value of 5 is assumed. There may be no @@ -306,7 +307,7 @@ # # The column may contain: # -# [!][][:][+] +# [!][][:][+] # # When this column is non-empty, the rule applies only # if the program generating the output is running under 
@@ -318,54 +319,54 @@ # joe #program must be run by joe # :kids #program must be run by a member of # #the 'kids' group -# !:kids #program must not be run by a member +# !:kids #program must not be run by a member # #of the 'kids' group -# +upnpd #program named 'upnpd' +# +upnpd #program named 'upnpd' # # Example: Accept SMTP requests from the DMZ to the internet # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST # ACCEPT dmz net tcp smtp # -# Example: Forward all ssh and http connection requests from the internet -# to local system 192.168.1.3 +# Example: Forward all ssh and http connection requests from the +# internet to local system 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST # DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Forward all http connection requests from the internet # to local system 192.168.1.3 with a limit of 3 per second and # a maximum burst of 10 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# # PORT PORT(S) DEST LIMIT -# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# # PORT PORT(S) DEST LIMIT +# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 # # Example: Redirect all locally-originating www connection requests to # port 3128 on the firewall (Squid running on the firewall # system) except when the destination address is 192.168.2.2 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 # # Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 +# 130.252.100.69 are to be forwarded to 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST 
SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # -# Example: You want to accept SSH connections to your firewall only +# Example: You want to accept SSH connections to your firewall only # from internet IP addresses 130.252.100.69 and 130.252.100.70 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST # ACCEPT net:130.252.100.69,130.252.100.70 fw \ # tcp 22 -#################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP +############################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/shorewall b/Shorewall/shorewall index b6922e663..2b5a5963b 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -101,11 +101,11 @@ # a list of network/host addresses. # # shorewall safe-start Starts the firewall and promtp for a c -# confirmation to accept or reject the new +# confirmation to accept or reject the new # configuration # -# shorewall safe-restart Restarts the firewall and prompt for a -# confirmation to accept or reject the new +# shorewall safe-restart Restarts the firewall and prompt for a +# confirmation to accept or reject the new # configuration # # Fatal Error @@ -175,7 +175,7 @@ validate_restorefile() # $* = label echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 exit 2 ;; - esac + esac } # 
@@ -418,12 +418,12 @@ save_config() { echo __EOF__ >> /var/lib/shorewall/restore-$$ [ -f /var/lib/shorewall/restore-tail ] && \ cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ - mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH + mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH chmod +x $RESTOREPATH echo " Currently-running Configuration Saved to $RESTOREPATH" rm -f ${RESTOREPATH}-ipsets - + case ${SAVE_IPSETS:-No} in [Yy][Ee][Ss]) RESTOREPATH=${RESTOREPATH}-ipsets @@ -446,7 +446,7 @@ save_config() { echo "ipset -R << __EOF__" >> $f ipset -S >> $f echo "__EOF__" >> $f - mv -f $f $RESTOREPATH + mv -f $f $RESTOREPATH chmod +x $RESTOREPATH echo " Current Ipset Contents Saved to $RESTOREPATH" ;; @@ -472,7 +472,7 @@ save_config() { else echo "Shorewall isn't started" fi - + [ "$nolock" ] || mutex_off } # @@ -483,7 +483,7 @@ help() [ -x $HELP ] && { export version; exec $HELP $*; } echo "Help subsystem is not installed at $HELP" } - + # # Give Usage Information # @@ -518,7 +518,7 @@ usage() # $1 = exit status echo " version" echo " safe-start" echo " safe-restart" - echo + echo exit $1 } @@ -534,12 +534,12 @@ show_reset() { # # Display's the passed file name followed by "=" and the file's contents. # -show_proc() # $1 = name of a file +show_proc() # $1 = name of a file { [ -f $1 ] && echo " $1 = $(cat $1)" } -read_yesno_with_timeout() { +read_yesno_with_timeout() { read -t 60 yn 2> /dev/null if [ $? -eq 2 ] then @@ -593,7 +593,7 @@ while [ $done -eq 0 ]; do option=${option#-} [ -z "$option" ] && usage 1 - + while [ -n "$option" ]; do case $option in c) @@ -755,7 +755,7 @@ case "$1" in fi if [ -n "$FAST" ]; then - + RESTOREPATH=/var/lib/shorewall/$RESTOREFILE if [ -x $RESTOREPATH ]; then @@ -893,7 +893,7 @@ case "$1" in ;; *) shift - + echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" echo show_reset 
@@ -931,7 +931,7 @@ case "$1" in fi echo "State:$state" echo - exit $status + exit $status ;; dump) [ -n "$debugging" ] && set -x @@ -990,7 +990,7 @@ case "$1" in ip rule ls ip rule ls | while read rule; do echo ${rule##* } - done | sort -u | while read table; do + done | sort -u | while read table; do echo echo "Table $table:" echo @@ -1226,7 +1226,7 @@ case "$1" in [ -n "$nolock" ] || mutex_on - if [ -x $RESTOREPATH ]; then + if [ -x $RESTOREPATH ]; then if [ -x ${RESTOREPATH}-ipsets ] ; then echo Restoring Ipsets... iptables -F @@ -1243,7 +1243,7 @@ case "$1" in exit 2 fi ;; - call) + call) [ -n "$debugging" ] && set -x # # Undocumented way to call functions in /usr/share/shorewall/functions directly @@ -1257,7 +1257,7 @@ case "$1" in help $@ ;; safe-restart|safe-start) - # test is the shell supports timed read + # test is the shell supports timed read read -t 0 junk 2> /dev/null if [ $? -eq 2 -a ! -x /bin/bash ] then @@ -1314,10 +1314,10 @@ case "$1" in then $0 nolock $debugging restore "safe-start-restart" rm /var/lib/shorewall/safe-start-restart - else + else $0 nolock $debugging clear fi - + mutex_off echo "New configuration has been rejected and the old one restored" exit 2 diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 182418595..81756adbf 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -1,4 +1,4 @@ -############################################################################## +############################################################################### # /etc/shorewall/shorewall.conf V2.6 - Change the following variables to # match your setup # 
@@ -7,17 +7,19 @@ # This file should be placed in /etc/shorewall # # (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) -############################################################################## -# S T A R T U P E N A B L E D -############################################################################## +############################################################################### +# S T A R T U P E N A B L E D +############################################################################### +# # Once you have configured Shorewall, you may change the setting of # this variable to 'Yes' +# STARTUP_ENABLED=No -############################################################################## -# L O G G I N G -############################################################################## +############################################################################### +# L O G G I N G +############################################################################### # # General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters @@ -26,7 +28,7 @@ STARTUP_ENABLED=No # These levels are defined by syslog and are used to determine the destination # of the messages through entries in /etc/syslog.conf (5). The syslog # documentation refers to these as "priorities"; Netfilter calls them "levels" -# and Shorewall also uses that term. +# and Shorewall also uses that term. # # Valid levels are: # @@ -53,7 +55,7 @@ STARTUP_ENABLED=No # installed by default). Ulogd is also available from # http://www.gnumonks.org/projects/ulogd and can be configured to log all # Shorewall message to their own log file -################################################################################ +############################################################################### # # LOG FILE LOCATION # 
@@ -62,10 +64,11 @@ STARTUP_ENABLED=No # /var/log/messages is assumed. # # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to -# look for Shorewall messages.It does NOT control the destination for -# these messages. For information about how to do that, see +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/shorewall_logging.html # -# http://www.shorewall.net/shorewall_logging.html LOGFILE=/var/log/messages @@ -77,8 +80,8 @@ LOGFILE=/var/log/messages # template is expected to accept either two or three arguments; the first is # the chain name, the second (optional) is the logging rule number within that # chain and the third is the ACTION specifying the disposition of the packet -# being logged. You must use the %d formatting type for the rule number; if your -# template does not contain %d then the rule number will not be included. +# being logged. You must use the %d formatting type for the rule number; if +# your template does not contain %d then the rule number will not be included. # # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: # 
@@ -86,21 +89,22 @@ LOGFILE=/var/log/messages # # If not specified or specified as empty (LOGFORMAT="") then the value # "Shorewall:%s:%s:" is assumed. -# -# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up +# +# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up # to but not including the first '%') to find log messages in the 'show log', -# 'status' and 'hits' commands. This part should not be omitted (the +# 'status' and 'hits' commands. This part should not be omitted (the # LOGFORMAT should not begin with "%") and the leading part should be # sufficiently unique for /sbin/shorewall to identify Shorewall messages. +# LOGFORMAT="Shorewall:%s:%s:" # # LOG FORMAT Continued # -# Using the default LOGFORMAT, chain names may not exceed 11 characters or +# Using the default LOGFORMAT, chain names may not exceed 11 characters or # truncation of the log prefix may occur. Longer chain names may be used with -# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is +# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is # specified then the tag is included in the log prefix in place of the chain # name. # @@ -141,8 +145,8 @@ LOGBURST= # LOG ALL NEW # # This option should only be used when you are trying to analyze a problem. -# It causes all packets in the Netfilter NEW state to be logged as the -# first rule in each builtin chain. To use this option, set LOGALLNEW to +# It causes all packets in the Netfilter NEW state to be logged as the +# first rule in each builtin chain. To use this option, set LOGALLNEW to # the log level that you want these packets logged at (e.g., # LOGALLNEW=debug). # @@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL= # See the comment at the top of this section for a description of log levels # # Example: LOGNEWNOTSYN=debug +# LOGNEWNOTSYN=info 
@@ -219,8 +224,7 @@ RFC1918_LOG_LEVEL=info
 # Specifies the logging level for smurf packets dropped by the
 #'nosmurfs' interface option in /etc/shorewall/interfaces and in
 # /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
-# ) then dropped smurfs are not logged.
-
+# ) then dropped smurfs are not logged.
 #
 # See the comment at the top of this section for a description of log levels
 #
@@ -231,20 +235,20 @@ SMURF_LOG_LEVEL=info
 # MARTIAN LOGGING
 #
 # Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
-# that have impossible source IP addresses. This logging may be enabled
+# that have impossible source IP addresses. This logging may be enabled
 # on individual interfaces by using the 'logmartians' option in
 # /etc/shorewall/interfaces.
 #
 LOG_MARTIANS=No
-################################################################################
-# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
-################################################################################
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
 #
 # IPTABLES
 #
-# Full path to iptables executable Shorewall uses to build the firewall. If
+# Full path to iptables executable Shorewall uses to build the firewall. If
 # not specified or if specified with an empty value (e.g., IPTABLES="") then
 # the iptables executable located via the PATH setting below is used.
 #
@@ -253,7 +257,7 @@ IPTABLES=
 #
 # PATH - Change this if you want to change the order in which Shorewall
-# searches directories for executable files.
+# searches directories for executable files.
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # The firewall script is normally interpreted by /bin/sh. If you wish to change
 # the shell used to interpret that script, specify the shell here.
+#
 SHOREWALL_SHELL=/bin/sh
@@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
+#
 MODULESDIR=
@@ -296,6 +302,7 @@ MODULESDIR=
 #
 # If not specified or specified as null ("CONFIG_PATH=""),
 # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
+#
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
@@ -314,23 +321,26 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 # directory /var/lib/shorewall. If this option is not set or if it is
 # set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
 # assumed.
+#
 RESTOREFILE=
 #
 # OLD ZONE FILE FORMAT
 #
-# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
-# Beginning with 2.5.0, those files were combined. For users who haven't
+# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
+# Beginning with 2.5.0, those files were combined. For users who haven't
 # converted, we offer this variable that sets the name of the file for ipsec
-# information. This option must take the value "zones" or "ipsec". If the option
-# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
+# information. This option must take the value "zones" or "ipsec". If the
+# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
+# is assumed.
+#
 IPSECFILE=zones
-################################################################################
-# F I R E W A L L O P T I O N S
-################################################################################
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
 # NAME OF THE FIREWALL ZONE
 #
@@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
 # AUTOMATICALLY ADD SNAT IP ADDRESSES
 #
 # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
-# you are sure that you need it -- most people don't!!!
+# for each SNAT external address that you give in /etc/shorewall/masq. If you
+# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
+# unless you are sure that you need it -- most people don't!!!
 #
 ADD_SNAT_ALIASES=No
@@ -383,11 +393,11 @@ ADD_SNAT_ALIASES=No
 # will first delete the address then re-add it. This is to ensure that the
 # address is added with the specified label. Unfortunately, this can cause
 # problems if it results in the deletion of the last IP address on an
-# interface because then all routes through the interface are automatically
+# interface because then all routes through the interface are automatically
 # removed.
 #
 # You can cause Shorewall to retain existing addresses by setting
-# RETAIN_ALIASES=Yes.
+# RETAIN_ALIASES=Yes.
 #
 RETAIN_ALIASES=No
@@ -395,8 +405,9 @@ RETAIN_ALIASES=No
 #
 # ENABLE TRAFFIC SHAPING
 #
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
-# you say "No" or "no" then traffic shaping is not enabled.
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
+# If you say "No" or "no" then traffic shaping is not enabled.
+#
 TC_ENABLED=No
@@ -413,6 +424,7 @@ TC_ENABLED=No
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
+#
 CLEAR_TC=Yes
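Review bot: The rewrapped ADD_SNAT_ALIASES comment carries the typo "youself" onto a freshly added line; since the line is rewritten anyway, it should read `# say "No" or "no", you must add these aliases yourself. LEAVE THIS SET TO "No"`. The same pattern of a typo surviving onto an added line occurs in the tcrules DEST hunk ("specificies" → "specifies"), the tcrules USER hunk ("optionnal" → "optional") and the zones OPTIONS hunk ("strict.." → "strict."), so those three hunks should be corrected together with this one.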
@@ -425,14 +437,15 @@ CLEAR_TC=Yes
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
-# address rewritten so they can be marked based on their destination. When
-# packets are marked in the PREROUTING chain, packets destined for
-# Masqueraded/SNATed local hosts still have a destination address corresponding
-# to the firewall's external interface.
+# packets destined for Masqueraded/SNATed local hosts have had their
+# destination address rewritten so they can be marked based on their
+# destination. When packets are marked in the PREROUTING chain, packets
+# destined for Masqueraded/SNATed local hosts still have a destination address
+# corresponding to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
-# setting this variable to Yes may cause startup problems.
+# setting this variable to Yes may cause startup problems.
+#
 MARK_IN_FORWARD_CHAIN=No
@@ -456,7 +469,7 @@ MARK_IN_FORWARD_CHAIN=No
 # problem are that everything works fine from your Linux
 # firewall/router, but machines behind it can never exchange large
 # packets:
-# 1) Web browsers connect, then hang with no data received.
+# 1) Web browsers connect, then hang with no data received.
 # 2) Small mail works fine, but large emails hang.
 # 3) ssh works fine, but scp hangs after initial handshaking.
 # ]
@@ -481,12 +494,14 @@ CLAMPMSS=No
 # interfaces started while Shorewall is started (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# on individual interfaces using the 'routefilter' option in the
+# Regardless of the setting of ROUTE_FILTER, you can still enable route
+# filtering on individual interfaces using the 'routefilter' option in the
 # /etc/shorewall/interfaces file.
+#
 ROUTE_FILTER=No
+#
 # DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule:
@@ -515,6 +530,7 @@ ROUTE_FILTER=No
 # one of the interfaces associated with the source zone. Note that this
 # requires all interfaces to the source zone to be up when the firewall
 # is [re]started.
+#
 DETECT_DNAT_IPADDRS=No
@@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
 #
 # An appropriate value for this parameter would be twice the length of time
 # that it takes your firewall system to process a "shorewall restart" command.
+#
 MUTEX_TIMEOUT=60
@@ -541,8 +558,8 @@ MUTEX_TIMEOUT=60
 # CLIENT SERVER
 #
 # SYN-------------------->
-# <------------------SYN,ACK
-# ACK-------------------->
+# <------------------SYN,ACK
+# ACK-------------------->
 #
 # The first packet in that exchange (packet with the SYN flag on and the ACK
 # and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
@@ -552,7 +569,7 @@ MUTEX_TIMEOUT=60
 # The NEWNOTSYN option determines the handling of non-SYN packets (those with
 # SYN off or with ACK or RST on) that are not associated with an already
 # established connection.
-#
+#
 # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
 # part of an already established connection will be dropped by the
 # firewall. The setting of LOGNEWNOTSYN above determines if these packets are
@@ -565,7 +582,7 @@ MUTEX_TIMEOUT=60
 # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
 # also need to select NEWNOTSYN=Yes.
 #
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
+# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
 # using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
 # network or host basis using the same option in /etc/shorewall/hosts.
 #
@@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection). I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
+#
 NEWNOTSYN=Yes
@@ -584,7 +602,7 @@ NEWNOTSYN=Yes
 # Normally, when a "shorewall stop" command is issued or an error occurs during
 # the execution of another shorewall command, Shorewall puts the firewall into
 # a state where only traffic to/from the hosts listed in
-# /etc/shorewall/routestopped is accepted.
+# /etc/shorewall/routestopped is accepted.
 #
 # When performing remote administration on a Shorewall firewall, it is
 # therefore recommended that the IP address of the computer being used for
@@ -592,11 +610,11 @@ NEWNOTSYN=Yes
 #
 # Some administrators have a hard time remembering to do this with the result
 # that they get to drive across town in the middle of the night to restart
-# a remote firewall (or worse, they have to get someone out of bed to drive
+# a remote firewall (or worse, they have to get someone out of bed to drive
 # across town to restart a very remote firewall).
 #
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
-# when the firewall enters the 'stopped' state:
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
+# setting, when the firewall enters the 'stopped' state:
 #
 # All traffic that is part of or related to established connections is still
 # allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
 #
 # Shorewall offers two types of blacklisting:
 #
-# - static blacklisting through the /etc/shorewall/blacklist file together
-# with the 'blacklist' interface option.
+# - static blacklisting through the /etc/shorewall/blacklist file
+# together with the 'blacklist' interface option.
 # - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
 #
 # The following variable determines whether the blacklist is checked for each
@@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
 # time and that new connections are disabled during that time. By setting
 # DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
 # before loading the blacklist.
+#
 DELAYBLACKLISTLOAD=No
@@ -654,7 +673,7 @@ DELAYBLACKLISTLOAD=No
 # All of the file names listed should have the same suffix (extension). Set
 # MODULE_SUFFIX to that suffix.
 #
-# Examples:
+# Examples:
 #
 # If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
 # If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
@@ -668,7 +687,7 @@ MODULE_SUFFIX=
 # Distributions (notably SuSE) are beginning to ship with IPV6
 # enabled. If you are not using IPV6, you are at risk of being
 # exploited by users who do. Setting DISABLE_IPV6=Yes will cause
-# Shorewall to disable IPV6 traffic to/from and through your
+# Shorewall to disable IPV6 traffic to/from and through your
 # firewall system. This requires that you have ip6tables installed.
 DISABLE_IPV6=Yes
@@ -677,7 +696,7 @@ DISABLE_IPV6=Yes
 # BRIDGING
 #
 # If you wish to control traffic through a bridge (see http://bridge.sf.net),
-# then set BRIDGING=Yes. Your kernel must have the physdev match option
+# then set BRIDGING=Yes. Your kernel must have the physdev match option
 # enabled; that option is available at the above URL for 2.4 kernels and
 # is included as a standard part of the 2.6 series kernels. If not
 # specified or specified as empty (BRIDGING="") then "No" is assumed.
@@ -694,12 +713,13 @@ BRIDGING=No
 DYNAMIC_ZONES=No
 #
-# USE PKTTYPE MATCH
+# USE PKTTYPE MATCH
 #
 # Some users have reported problems with the PKTTYPE match extension not being
 # able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
-# will use IP addresses to detect broadcasts rather than pkttype. If not given
+# will use IP addresses to detect broadcasts rather than pkttype. If not given
 # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
+#
 PKTTYPE=Yes
@@ -713,7 +733,7 @@ PKTTYPE=Yes
 # SUBNETS TARGET
 # 192.168.1.0/24 RETURN
 #
-# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
 # also have:
 #
 # SUBNETS TARGET
@@ -727,7 +747,8 @@ PKTTYPE=Yes
 # RFC1918_STRICT=No is assumed.
 #
 # WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
-# 'conntrack state' match.
+# 'conntrack state' match.
+#
 RFC1918_STRICT=No
@@ -747,10 +768,11 @@ RFC1918_STRICT=No
 # the entries. After $MACLIST_TTL from the first accepted connection request,
 # the next connection request from that IP address will be checked against
 # the entire list.
-#
-# If MACLIST_TTL is not specified or is specified as empty (e.g,
+#
+# If MACLIST_TTL is not specified or is specified as empty (e.g,
 # MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
 # be cached.
+#
 MACLIST_TTL=
@@ -762,9 +784,10 @@ MACLIST_TTL=
 # Restore the last saved ipset contents during "shorewall [re]start"
 # Save the current ipset contents during "shorewall save"
 #
-# Regardless of the setting of SAVE_IPSETS, if ipset contents were
+# Regardless of the setting of SAVE_IPSETS, if ipset contents were
 # saved during a "shorewall save" then they will be restored during
 # a subsequent "shorewall restore".
+#
 SAVE_IPSETS=No
@@ -776,12 +799,13 @@ SAVE_IPSETS=No
 # compatibility, Shorewall can map the old names into invocations of the new
 # macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
 # the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
+#
 MAPOLDACTIONS=No
-################################################################################
-# P A C K E T D I S P O S I T I O N
-################################################################################
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
 #
 # BLACKLIST DISPOSITION
 #
@@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
 # that is not listed for that interface in /etc/shorewall/maclist. Valid
 # values are ACCEPT, DROP and REJECT. If not specified or specified as
 # empty (MACLIST_DISPOSITION="") then REJECT is assumed
+#
 MACLIST_DISPOSITION=REJECT
@@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
 # 'tcpflags' option specified in /etc/shorewall/interfaces or in
 # /etc/shorewall/hosts. If not specified or specified as empty
 # (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+#
 TCP_FLAGS_DISPOSITION=DROP
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index cd6970b6e..f7dda42f2 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -152,7 +152,7 @@ fi
 %changelog
 * Tue Jul 26 2005 Tom Eastep tom@shorewall.net
-- Fix omissions/errors
+- Fix omissions/errors
 * Mon Jul 25 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.5.0-1
 - Add macros and convert most actions to macros
diff --git a/Shorewall/start b/Shorewall/start
index 8598d535a..89f81b0b8 100644
--- a/Shorewall/start
+++ b/Shorewall/start
@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/start
 #
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
+# Shorewall version 2.4 - Start File
 #
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# /etc/shorewall/start
+#
+# Add commands below that you want to be executed after shorewall has
+# been started or restarted.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/started b/Shorewall/started
index cb136c81c..c215cdd81 100644
--- a/Shorewall/started
+++ b/Shorewall/started
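Review bot: The new header line for Shorewall/start reads `# Shorewall version 2.4 - Start File`, but the line it replaces said 2.6 and the sibling extension scripts rewritten in this same commit (started, stop) say `Shorewall version 2.6`; the Shorewall/stopped hunk further down has the same `2.4` regression. Both headers should read `# Shorewall version 2.6 - Start File` and `# Shorewall version 2.6 - Stopped File` so the files identify the release they ship with. This is presumably a copy-paste slip rather than an intentional downgrade, since nothing else in the hunk refers to 2.4.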
@@ -1,17 +1,23 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/started
 #
-# Add commands below that you want to be executed after shorewall has
-# been completely started or restarted. The difference between this
-# extension script and /etc/shorewall/start is that this one is invoked
-# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
-# after the 'shorewall' chain has been created (thus signaling that the
-# firewall is completely up.
+# Shorewall version 2.6 - Started File
 #
-# This script should not change the firewall configuration directly but may
-# do so indirectly by running /sbin/shorewall with the 'nolock' option.
+# /etc/shorewall/started
 #
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information. Note though that the "ensure_and_save_command" function
+# Add commands below that you want to be executed after shorewall has
+# been completely started or restarted. The difference between this
+# extension script and /etc/shorewall/start is that this one is invoked
+# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
+# after the 'shorewall' chain has been created (thus signaling that the
+# firewall is completely up.
+#
+# This script should not change the firewall configuration directly but
+# may do so indirectly by running /sbin/shorewall with the 'nolock'
+# option.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information. Note though that the "ensure_and_save_command" function
 # should not be used in this script because Shorewall is already running
 # when this function is called.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/stop b/Shorewall/stop
index 7ebe2cf2d..cf00dd4a1 100644
--- a/Shorewall/stop
+++ b/Shorewall/stop
@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/stop
 #
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
+# Shorewall version 2.6 - Stop File
 #
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# /etc/shorewall/stop
+#
+# Add commands below that you want to be executed at the beginning of a
+# "shorewall stop" command.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/stopped b/Shorewall/stopped
index 3af813268..89960bf46 100644
--- a/Shorewall/stopped
+++ b/Shorewall/stopped
@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/stopped
 #
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
+# Shorewall version 2.4 - Stopped File
 #
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# /etc/shorewall/stopped
+#
+# Add commands below that you want to be executed at the completion of a
+# "shorewall stop" command.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 34c27774b..e77edae3a 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -1,18 +1,18 @@
 #
-# Shorewall version 2.6 - Traffic Control Rules File
+# Shorewall version 2.6 - Tcrules File
 #
 # /etc/shorewall/tcrules
 #
 # Entries in this file cause packets to be marked as a means of
 # classifying them for traffic control or policy routing.
 #
-# I M P O R T A N T ! ! ! !
+# I M P O R T A N T ! ! ! !
 #
 # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
 # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
 #
 # Unlike rules in the /etc/shorewall/rules file, evaluation
-# of rules in this file will continue after a match. So the
+# of rules in this file will continue after a match. So the
 # final mark for each packet will be the one assigned by the
 # LAST tcrule that matches.
 #
@@ -24,33 +24,35 @@
 #
 #
 # MARK/ a) A mark value which is an integer in the range 1-255
-# CLASSIFY
+# CLASSIFY
 # May optionally be followed by ":P" or ":F"
 # where ":P" indicates that marking should occur in
 # the PREROUTING chain and ":F" indicates that marking
 # should occur in the FORWARD chain. If neither
-# ":P" nor ":F" follow the mark value then the chain is
-# determined by the setting of MARK_IN_FORWARD_CHAIN in
+# ":P" nor ":F" follow the mark value then the chain
+# is determined by the setting of
+# MARK_IN_FORWARD_CHAIN in
 # /etc/shorewall/shorewall.conf.
 #
 # If your kernel and iptables include CONNMARK support
 # then you can also mark the connection rather than
 # the packet.
 #
-# The mark value may be optionally followed by "/"
-# and a mask value (used to determine those bits of
-# the connection mark to actually be set). The
-# mark and optional mask are then followed by one of:
+# The mark value may be optionally followed by "/"
+# and a mask value (used to determine those bits of
+# the connection mark to actually be set). The
+# mark and optional mask are then followed by one of:
 #
 # C - Mark the connection in the chain determined
-# by the setting of MARK_IN_FORWARD_CHAIN
+# by the setting of MARK_IN_FORWARD_CHAIN
 #
-# CF: Mark the connection in the FORWARD chain
+# CF: Mark the connection in the FORWARD chain
 #
-# CP: Mark the connection in the PREROUTING chain.
+# CP: Mark the connection in the PREROUTING
+# chain.
 #
 # b) A classification of the form : where
-# and are integers. Corresponds to
+# and are integers. Corresponds to
 # the 'class' specification in these traffic shaping
 # modules:
 #
@@ -65,19 +67,24 @@
 #
 # c) RESTORE[/mask] -- restore the packet's mark from the
 # connection's mark using the supplied mask if any.
-# Your kernel and iptables must include CONNMARK support.
+# Your kernel and iptables must include CONNMARK
+# support.
+#
 # As in a) above, may be followed by ":P" or ":F
 #
 # c) SAVE[/mask] -- save the packet's mark to the
 # connection's mark using the supplied mask if any.
-# Your kernel and iptables must include CONNMARK support.
+# Your kernel and iptables must include CONNMARK
+# support.
+#
 # As in a) above, may be followed by ":P" or ":F
 #
 # d) CONTINUE -- don't process any more marking rules in
-# the table. As in a) above, may be followed by ":P" or
-# ":F".
+# the table.
 #
-# SOURCE Source of the packet. A comma-separated list of
+# As in a) above, may be followed by ":P" or ":F".
+#
+# SOURCE Source of the packet. A comma-separated list of
 # interface names, IP addresses, MAC addresses
 # and/or subnets. If your kernel and iptables include
 # iprange match support, IP address ranges are also
@@ -93,15 +100,15 @@
 # Example: ~00-A0-C9-15-39-78
 #
 # DEST Destination of the packet. Comma separated list of
-# IP addresses and/or subnets. If your kernel and
+# IP addresses and/or subnets. If your kernel and
 # iptables include iprange match support, IP address
 # ranges are also allowed.
 #
-# If the MARK column specificies a classification of
-# the form : then this column may also
-# contain an interface name.
+# If the MARK column specificies a classification of
+# the form : then this column may also
+# contain an interface name.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
 # a number, or "all". "ipp2p" requires ipp2p match
 # support in your kernel and iptables.
 #
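Review bot: The rewrapped MARK/CLASSIFY enumeration still labels both RESTORE and SAVE as `c)` and CONTINUE as `d)`, and this hunk also moves the "As in a) above" cross-references onto their own lines, so readers now have back-references into a list with a duplicated letter. Since every one of these lines is rewritten here, relabelling SAVE as `# d) SAVE[/mask] -- save the packet's mark to the` and CONTINUE as `# e) CONTINUE -- don't process any more marking rules in` would make the enumeration unambiguous at no extra cost. The surrounding option description starts before the first line of this hunk.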
@@ -111,8 +118,8 @@
 # interpreted as the destination icmp-type(s).
 #
 # If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no PORT is given, "ipp2p" is
+# as an ipp2p option without the leading "--" (example
+# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
 # assumed.
 #
 # This column is ignored if PROTOCOL = all but must be
@@ -134,27 +141,29 @@
 #
 # It may contain :
 #
-# []:[][+]
+# []:[][+]
 #
-# The colon is optionnal when specifying only a user
+# The colon is optionnal when specifying only a user
 # or a program name.
-# Examples : john: , john , :users , john:users , +mozilla-bin
+# Examples : john: , john , :users , john:users ,
+# +mozilla-bin
 #
-# TEST Defines a test on the existing packet or connection mark.
-# The rule will match only if the test returns true. Tests
-# have the format [!][/][:C]
+# TEST Defines a test on the existing packet or connection
+# mark. The rule will match only if the test returns
+# true. Tests have the format [!][/][:C]
 #
 # Where:
 #
 # ! Inverts the test (not equal)
 # Value of the packet or connection mark.
-# A mask to be applied to the mark before
-# testing
-# :C Designates a connection mark. If omitted,
-# the packet mark's value is tested.
+# A mask to be applied to the mark before
+# testing
+# :C Designates a connection mark. If
+# omitted, the packet mark's value is
+# tested.
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
-##############################################################################
-#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
-# PORT(S)
+###############################################################################
+#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
+# PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/tos b/Shorewall/tos
index 147bfc0a7..14b2d76ed 100755
--- a/Shorewall/tos
+++ b/Shorewall/tos
@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 -- /etc/shorewall/tos
+# Shorewall version 2.6 - Tos File
+#
+# /etc/shorewall/tos
 #
 # This file defines rules for setting Type Of Service (TOS)
 #
@@ -10,7 +12,7 @@
 #
 # If not "all" or $FW, may optionally be followed by
 # ":" and an IP address, a MAC address, a subnet
-# specification or the name of an interface.
+# specification or the name of an interface.
 #
 # Example: loc:192.168.2.3
 #
@@ -41,6 +43,7 @@
 # Minimize-Cost (2)
 # Normal-Service (0)
 #
-##############################################################################
-#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
+###############################################################################
+#SOURCE DEST PROTOCOL SOURCE DEST TOS
+# PORTS PORTS
 #LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/Shorewall/tunnels b/Shorewall/tunnels
index e80dd54c4..ffd8eb8a4 100644
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@@ -1,5 +1,7 @@
 #
-# Shorewall 2.4 - /etc/shorewall/tunnels
+# Shorewall version 2.6 - Tunnels File
+#
+# /etc/shorewall/tunnels
 #
 # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
@@ -9,13 +11,13 @@
 #
 # The columns are:
 #
-# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
-# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
-# "generic"
+# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
+# "ipip", "gre", "6to4", "pptpclient", "pptpserver",
+# "openvpn" or "generic"
 #
-# If the type is "ipsec" or "ipsecnat", it may be followed
-# by ":noah" to indicate that the Authentication Header
-# protocol (51) is not used by the tunnel.
+# If the type is "ipsec" or "ipsecnat", it may be
+# followed by ":noah" to indicate that the Authentication
+# Header protocol (51) is not used by the tunnel.
 #
 # If type is "openvpn", it may optionally be followed
 # by ":" and the port number used by the tunnel. if no
@@ -34,7 +36,7 @@
 #
 # GATEWAY -- The IP address of the remote tunnel gateway. If the
 # remote getway has no fixed address (Road Warrior)
-# then specify the gateway as 0.0.0.0/0. May be
+# then specify the gateway as 0.0.0.0/0. May be
 # specified as a network address and if your kernel and
 # iptables include iprange match support then IP address
 # ranges are also allowed.
@@ -102,16 +104,17 @@
 #
 # Example 8:
 #
-# You have a tunnel that is not one of the supported types.
-# Your tunnel uses UDP port 4444. The other end of the
-# tunnel is 4.3.99.124.
+# You have a tunnel that is not one of the supported
+# types. Your tunnel uses UDP port 4444. The other end
+# of the tunnel is 4.3.99.124.
 #
 # generic:udp:4444 net 4.3.99.124
 #
-#
-# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
 #
-# TYPE ZONE GATEWAY GATEWAY
+# See http://shorewall.net/Documentation.htm#Tunnels for additional
+# information.
+#
+###############################################################################
+#TYPE ZONE GATEWAY GATEWAY
 # ZONE
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/zones b/Shorewall/zones
index f8c0ef503..d76534177 100644
--- a/Shorewall/zones
+++ b/Shorewall/zones
@@ -1,20 +1,24 @@
 #
-# Shorewall 2.6 /etc/shorewall/zones
+# Shorewall version 2.6 - Zones File
 #
-# This file determines your network zones. Columns are:
+# /etc/shorewall/zones
+#
+# This file determines your network zones.
+#
+# Columns are:
 #
 # ZONE Short name of the zone (5 Characters or less in length).
 # The names "all" and "none" are reserved and may not be
 # used as zone names.
 #
-# IPSEC Yes -- Communication with all zone hosts is encrypted
+# IPSEC Yes -- Communication with all zone hosts is encrypted
 # ONLY Your kernel and iptables must include policy
 # match support.
-# No -- Communication with some zone hosts may be encrypted.
+# No -- Communication with some zone hosts may be encrypted.
 # Encrypted hosts are designated using the 'ipsec'
-# option in /etc/shorewall/hosts.
+# option in /etc/shorewall/hosts.
 #
-# OPTIONS, A comma-separated list of options as follows:
+# OPTIONS, A comma-separated list of options as follows:
 # IN OPTIONS,
 # OUT OPTIONS reqid= where is specified
 # using setkey(8) using the 'unique:
@@ -25,7 +29,7 @@
 #
 # proto=ah|esp|ipcomp
 #
-# mss= (sets the MSS field in TCP packets)
+# mss= (sets the MSS field in TCP packets)
 #
 # mode=transport|tunnel
 #
@@ -35,36 +39,38 @@
 # tunnel-dst=
[/] (only
 # available with mode=tunnel)
 #
-# strict Means that packets must match all rules.
+# strict Means that packets must match all rules.
 #
-# next Separates rules; can only be used with
-# strict..
+# next Separates rules; can only be used with
+# strict..
 #
 # Example:
 # mode=transport,reqid=44
 #
 # The options in the OPTIONS column are applied to both incoming
 # and outgoing traffic. The IN OPTIONS are applied to incoming
-# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
 # applied to outgoing traffic.
 #
 # If you wish to leave a column empty but need to make an entry
 # in a following column, use "-".
 #
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#--------------------------------------------------------------------------------
+#------------------------------------------------------------------------------
 # Example zones:
 #
-# You have a three interface firewall with internet, local and DMZ interfaces.
+# You have a three interface firewall with internet, local and DMZ
+# interfaces.
 #
 # #ZONE IPSEC OPTIONS IN OUT
 # net
 # loc
 # dmz
 #
+###############################################################################
 #ZONE IPSEC OPTIONS IN OUT
 # ONLY OPTIONS OPTIONS
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE