Back out Crossbeam documentaiton Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2222 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1d62d894ef
commit
b4aea1680b
@ -1512,14 +1512,6 @@ deleteallchains() {
|
|||||||
run_iptables -X
|
run_iptables -X
|
||||||
}
|
}
|
||||||
|
|
||||||
# Create rules to accept traffic into the crossbeam backbone
|
|
||||||
#
|
|
||||||
addcrossbeamrules() {
|
|
||||||
run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
|
|
||||||
run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
|
|
||||||
run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
|
|
||||||
}
|
|
||||||
|
|
||||||
##
|
##
|
||||||
# Source a user exit file if it exists
|
# Source a user exit file if it exists
|
||||||
#
|
#
|
||||||
@ -1805,8 +1797,6 @@ stop_firewall() {
|
|||||||
|
|
||||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
|
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
|
||||||
|
|
||||||
if [ -z "$CROSSBEAM" ]; then
|
|
||||||
|
|
||||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||||
for chain in INPUT OUTPUT FORWARD; do
|
for chain in INPUT OUTPUT FORWARD; do
|
||||||
setpolicy $chain DROP
|
setpolicy $chain DROP
|
||||||
@ -1827,40 +1817,6 @@ stop_firewall() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
else
|
|
||||||
|
|
||||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
|
||||||
for chain in INPUT OUTPUT FORWARD; do
|
|
||||||
setpolicy $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
deleteallchains
|
|
||||||
addcrossbeamrules
|
|
||||||
|
|
||||||
for chain in INPUT OUTPUT FORWARD; do
|
|
||||||
setpolicy $chain DROP
|
|
||||||
done
|
|
||||||
|
|
||||||
else
|
|
||||||
for chain in INPUT FORWARD; do
|
|
||||||
setpolicy $chain ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
setpolicy OUTPUT ACCEPT
|
|
||||||
|
|
||||||
deleteallchains
|
|
||||||
addcrossbeamrules
|
|
||||||
|
|
||||||
for chain in INPUT FORWARD; do
|
|
||||||
setcontinue $chain
|
|
||||||
done
|
|
||||||
|
|
||||||
for chain in INPUT FORWARD; do
|
|
||||||
setpolicy $chain DROP
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
hosts=
|
hosts=
|
||||||
|
|
||||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||||
@ -6517,8 +6473,6 @@ initialize_netfilter () {
|
|||||||
exists_OUTPUT=Yes
|
exists_OUTPUT=Yes
|
||||||
exists_FORWARD=Yes
|
exists_FORWARD=Yes
|
||||||
|
|
||||||
if [ -z "$CROSSBEAM" ]; then
|
|
||||||
|
|
||||||
setpolicy INPUT DROP
|
setpolicy INPUT DROP
|
||||||
setpolicy OUTPUT DROP
|
setpolicy OUTPUT DROP
|
||||||
setpolicy FORWARD DROP
|
setpolicy FORWARD DROP
|
||||||
@ -6529,25 +6483,6 @@ initialize_netfilter () {
|
|||||||
setcontinue INPUT
|
setcontinue INPUT
|
||||||
setcontinue OUTPUT
|
setcontinue OUTPUT
|
||||||
|
|
||||||
else
|
|
||||||
|
|
||||||
setpolicy INPUT ACCEPT
|
|
||||||
setpolicy OUTPUT ACCEPT
|
|
||||||
setpolicy FORWARD ACCEPT
|
|
||||||
|
|
||||||
deleteallchains
|
|
||||||
addcrossbeamrules
|
|
||||||
|
|
||||||
setcontinue FORWARD
|
|
||||||
setcontinue INPUT
|
|
||||||
setcontinue OUTPUT
|
|
||||||
|
|
||||||
setpolicy INPUT DROP
|
|
||||||
setpolicy OUTPUT DROP
|
|
||||||
setpolicy FORWARD DROP
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
f=$(find_file ipsets)
|
f=$(find_file ipsets)
|
||||||
|
|
||||||
if [ -f $f ]; then
|
if [ -f $f ]; then
|
||||||
@ -8119,8 +8054,6 @@ do_initialize() {
|
|||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
CROSSBEAM=
|
|
||||||
CROSSBEAM_BACKBONE=
|
|
||||||
ALL_INTERFACES=
|
ALL_INTERFACES=
|
||||||
ROUTEMARK_INTERFACES=
|
ROUTEMARK_INTERFACES=
|
||||||
ROUTEMARK=256
|
ROUTEMARK=256
|
||||||
@ -8319,9 +8252,6 @@ do_initialize() {
|
|||||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||||
# Check if we are on a crossbeam machine
|
|
||||||
CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
|
|
||||||
[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0
|
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
|
@ -328,31 +328,7 @@ New Features in version 2.4.0
|
|||||||
GATEWAY The gateway that the packet is to be forewarded
|
GATEWAY The gateway that the packet is to be forewarded
|
||||||
through.
|
through.
|
||||||
|
|
||||||
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
|
5) Normally when Shorewall is stopped, starting or restarting then
|
||||||
eneotecnologia.com)
|
|
||||||
|
|
||||||
If Shorewall is running in a Crossbeam System
|
|
||||||
(www.crossbeamsystems.com) you need to activate this directive if
|
|
||||||
you don't want the CPM to think the system is down and send a reset
|
|
||||||
signal. Also Crossbeam has a backplane chassis that needs to be
|
|
||||||
configured in such a way that it accepts all traffic.
|
|
||||||
|
|
||||||
This change adds two new options in /etc/shorewall/shorewall.conf:
|
|
||||||
CROSSBEAM and CROSSBEAM_BACKBONE.
|
|
||||||
|
|
||||||
If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
|
|
||||||
instead of setting the default policies to DROP and then activating
|
|
||||||
established connections, Shorewall will first set the default
|
|
||||||
policies to ACCEPT, activate established connections and then set
|
|
||||||
the default policies to DROP. After that, Shorewall starts
|
|
||||||
generating the rules as usual.
|
|
||||||
|
|
||||||
If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
|
|
||||||
to Yes, CROSSBEAM_BACKBONE indicates the device used by the
|
|
||||||
backbone. If not specified or if specified as empty (e.g.,
|
|
||||||
CROSSBEAM="") then CROSSBEAM=No is assumed.
|
|
||||||
|
|
||||||
6) Normally when Shorewall is stopped, starting or restarting then
|
|
||||||
connections are allowed from hosts listed in
|
connections are allowed from hosts listed in
|
||||||
/etc/shorewall/routestopped to the firewall and to other hosts
|
/etc/shorewall/routestopped to the firewall and to other hosts
|
||||||
listed in /etc/shorewall/routestopped.
|
listed in /etc/shorewall/routestopped.
|
||||||
@ -367,7 +343,7 @@ New Features in version 2.4.0
|
|||||||
host. When 'source' is specified in an entry, it is unnecessary to
|
host. When 'source' is specified in an entry, it is unnecessary to
|
||||||
also specify 'routeback'.
|
also specify 'routeback'.
|
||||||
|
|
||||||
7) This change was implemented by Lorenzo Martignoni. It provides two
|
6) This change was implemented by Lorenzo Martignoni. It provides two
|
||||||
new commands: "safe-start" and "safe-restart".
|
new commands: "safe-start" and "safe-restart".
|
||||||
|
|
||||||
safe-start starts Shorewall then prompts you to ask you if
|
safe-start starts Shorewall then prompts you to ask you if
|
||||||
|
@ -816,34 +816,6 @@ MACLIST_TTL=
|
|||||||
|
|
||||||
SAVE_IPSETS=No
|
SAVE_IPSETS=No
|
||||||
|
|
||||||
#
|
|
||||||
# CROSSBEAM SUPPORT
|
|
||||||
#
|
|
||||||
# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com)
|
|
||||||
# you need to activate this directive if you don't want the CPM to think
|
|
||||||
# the system is down and send a reset signal during firewall restarts. Also
|
|
||||||
# Crossbeam has a backplane chassis that needs to be configured in such a
|
|
||||||
# way that accepts all traffic.
|
|
||||||
#
|
|
||||||
# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead
|
|
||||||
# of setting the default policies to DROP and then activating established
|
|
||||||
# connections, Shorewall will first set the default policies to ACCEPT,
|
|
||||||
# activate established connections and then set the default policies to
|
|
||||||
# DROP. After that, Shorewall starts generating the rules as usual.
|
|
||||||
#
|
|
||||||
# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to
|
|
||||||
# Yes, CROSSBEAM_BACKBONE will indicate the device used by the backbone.
|
|
||||||
#
|
|
||||||
# If not specified or if specified as empty (e.g., CROSSBEAM="") then
|
|
||||||
# CROSSBEAM=No is assumed.
|
|
||||||
#
|
|
||||||
# FIXME: This needs to be replaced by better generalised routestopped
|
|
||||||
# support.
|
|
||||||
#
|
|
||||||
|
|
||||||
CROSSBEAM=No
|
|
||||||
CROSSBEAM_BACKBONE=eth0
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
################################################################################
|
################################################################################
|
||||||
|