Back out Crossbeam documentation Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2222 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -1512,14 +1512,6 @@ deleteallchains() {
|
||||
run_iptables -X
|
||||
}
|
||||
|
||||
# Create rules to accept traffic into the crossbeam backbone
|
||||
#
|
||||
addcrossbeamrules() {
|
||||
run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
}
|
||||
|
||||
##
|
||||
# Source a user exit file if it exists
|
||||
#
|
||||
@ -1805,62 +1797,26 @@ stop_firewall() {
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
|
||||
|
||||
if [ -z "$CROSSBEAM" ]; then
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
else
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue $chain
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
else
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain ACCEPT
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
else
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain ACCEPT
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue $chain
|
||||
done
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
fi
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue $chain
|
||||
done
|
||||
fi
|
||||
|
||||
|
||||
hosts=
|
||||
|
||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||
@ -6517,36 +6473,15 @@ initialize_netfilter () {
|
||||
exists_OUTPUT=Yes
|
||||
exists_FORWARD=Yes
|
||||
|
||||
if [ -z "$CROSSBEAM" ]; then
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
deleteallchains
|
||||
deleteallchains
|
||||
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
else
|
||||
|
||||
setpolicy INPUT ACCEPT
|
||||
setpolicy OUTPUT ACCEPT
|
||||
setpolicy FORWARD ACCEPT
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
fi
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
f=$(find_file ipsets)
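Review bot: The restored ordering in initialize_netfilter — `setpolicy ... DROP` for INPUT/OUTPUT/FORWARD, then `deleteallchains`, then `setcontinue` — has no comment saying why that order is load-bearing, and this commit exists precisely because the backed-out Crossbeam branch inverted it (ACCEPT on all three chains, flush, `addcrossbeamrules`, `setcontinue`, and only then DROP), which leaves every chain wide open for the whole rebuild window. I would add above the first `setpolicy INPUT DROP`: `# Fail closed: policies go to DROP *before* the chains are flushed and setcontinue re-enables traffic, so nothing is accepted by default while the ruleset is being rebuilt. Do not reorder.` The same DROP-then-flush sequence is restored in the stop_firewall hunk above and deserves the same note. Separately, the title says "documentation changes" but this hunk and the ones above it also remove the `addcrossbeamrules` function, the `CROSSBEAM`/`CROSSBEAM_BACKBONE` initialisation and the `if [ -z "$CROSSBEAM" ]` branches, so the description should say the code path is being backed out too; initialize_netfilter continues outside the hunk.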
|
||||
|
||||
@ -8119,8 +8054,6 @@ do_initialize() {
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
CROSSBEAM=
|
||||
CROSSBEAM_BACKBONE=
|
||||
ALL_INTERFACES=
|
||||
ROUTEMARK_INTERFACES=
|
||||
ROUTEMARK=256
|
||||
@ -8319,9 +8252,6 @@ do_initialize() {
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
# Check if we are on a crossbeam machine
|
||||
CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
|
||||
[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -328,31 +328,7 @@ New Features in version 2.4.0
|
||||
GATEWAY The gateway that the packet is to be forewarded
|
||||
through.
|
||||
|
||||
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
|
||||
eneotecnologia.com)
|
||||
|
||||
If Shorewall is running in a Crossbeam System
|
||||
(www.crossbeamsystems.com) you need to activate this directive if
|
||||
you don't want the CPM to think the system is down and send a reset
|
||||
signal. Also Crossbeam has a backplane chassis that needs to be
|
||||
configured in such a way that it accepts all traffic.
|
||||
|
||||
This change adds two new options in /etc/shorewall/shorewall.conf:
|
||||
CROSSBEAM and CROSSBEAM_BACKBONE.
|
||||
|
||||
If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
|
||||
instead of setting the default policies to DROP and then activating
|
||||
established connections, Shorewall will first set the default
|
||||
policies to ACCEPT, activate established connections and then set
|
||||
the default policies to DROP. After that, Shorewall starts
|
||||
generating the rules as usual.
|
||||
|
||||
If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
|
||||
to Yes, CROSSBEAM_BACKBONE indicates the device used by the
|
||||
backbone. If not specified or if specified as empty (e.g.,
|
||||
CROSSBEAM="") then CROSSBEAM=No is assumed.
|
||||
|
||||
6) Normally when Shorewall is stopped, starting or restarting then
|
||||
5) Normally when Shorewall is stopped, starting or restarting then
|
||||
connections are allowed from hosts listed in
|
||||
/etc/shorewall/routestopped to the firewall and to other hosts
|
||||
listed in /etc/shorewall/routestopped.
|
||||
@ -367,7 +343,7 @@ New Features in version 2.4.0
|
||||
host. When 'source' is specified in an entry, it is unnecessary to
|
||||
also specify 'routeback'.
|
||||
|
||||
7) This change was implemented by Lorenzo Martignoni. It provides two
|
||||
6) This change was implemented by Lorenzo Martignoni. It provides two
|
||||
new commands: "safe-start" and "safe-restart".
|
||||
|
||||
safe-start starts Shorewall then prompts you to ask you if
|
||||
|
@ -816,34 +816,6 @@ MACLIST_TTL=
|
||||
|
||||
SAVE_IPSETS=No
|
||||
|
||||
#
|
||||
# CROSSBEAM SUPPORT
|
||||
#
|
||||
# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com)
|
||||
# you need to activate this directive if you don't want the CPM to think
|
||||
# the system is down and send a reset signal during firewall restarts. Also
|
||||
# Crossbeam has a backplane chassis that needs to be configured in such a
|
||||
# way that accepts all traffic.
|
||||
#
|
||||
# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead
|
||||
# of setting the default policies to DROP and then activating established
|
||||
# connections, Shorewall will first set the default policies to ACCEPT,
|
||||
# activate established connections and then set the default policies to
|
||||
# DROP. After that, Shorewall starts generating the rules as usual.
|
||||
#
|
||||
# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to
|
||||
# Yes, CROSSBEAM_BACKBONE will indicate the device used by the backbone.
|
||||
#
|
||||
# If not specified or if specified as empty (e.g., CROSSBEAM="") then
|
||||
# CROSSBEAM=No is assumed.
|
||||
#
|
||||
# FIXME: This needs to be replaced by better generalised routestopped
|
||||
# support.
|
||||
#
|
||||
|
||||
CROSSBEAM=No
|
||||
CROSSBEAM_BACKBONE=eth0
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|