Large merge of function from EXPERIMENTAL to HEAD.

1) Elimination of the "shorewall monitor" command.

2) The /etc/shorewall/ipsec and /etc/shorewall/zones files are combined into
a single /etc/shorewall/zones file. This is done in an upwardly-compatible
way so that current users can continue to use their existing files.

3) Support has been added for the arp_ignore interface option.

4) DROPINVALID has been removed from shorewall.conf. Behavior is as if
DROPINVALID=No was specified.

5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.

6) Error and warning messages have been made easier to spot by using
capitalization (e.g., ERROR: and WARNING:).

7) The /etc/shorewall/policy file now contains a new connection policy and a
policy for ESTABLISHED packets. Useful for users of snort-inline who want to
pass all packets to the QUEUE target.

8) A new 'critical' option has been added to /etc/shorewall/routestopped.
Shorewall ensures communication between the firewall and 'critical' hosts
throughout start, restart, stop and clear. Useful for diskless firewalls
with NFS-mounted file systems, LDAP servers, Crossbow, etc.

9) Macros. Macros are very similar to actions but are easier to use, allow
parameter substitution and are more efficient. Almost all of the standard
actions have been converted to macros in the EXPERIMENTAL branch.

10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.

11) If you have 'make' installed on your firewall, then when you use
the '-f' option to 'shorewall start' (as happens when you reboot),
if your /etc/shorewall/ directory contains files that were modified
after Shorewall was last restarted then Shorewall is started using
the config files rather than using the saved configuration.


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-07-25 23:08:09 +00:00
parent 0d56188e7a
commit b66929a65e
105 changed files with 1639 additions and 1823 deletions
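Item 9 of the commit message introduces macros with parameter substitution, and the diffs below show the shape of the new macro.* files (a `PARAM` placeholder in the TARGET column, `-` in SOURCE/DEST) and the `Name/TARGET` invocation form (`Auth/REJECT`, `SMB/DROP`). The following is an added example, not code from this commit or from the Shorewall project: a small Python expander that shows the concrete rule rows a macro invocation produces, so an administrator can review what `DNS/ACCEPT` actually opens before deploying it. The expansion semantics (PARAM replaced by the invoking rule's target, explicit targets kept, `-` inheriting the invoking rule's zones, bare invocation allowed only when every line has its own target) and the sample macro texts are assumptions modelled on the files in the diff, not Shorewall's own implementation.

```python
"""Preview what a Shorewall-style macro invocation expands to.

Added example, not code from the Shorewall commit shown on this page. It
models the PARAM substitution the commit message describes for the new
macro.* files (macro.DNS, macro.Auth, ...) when a rule invokes them as
NAME/TARGET (the Auth/REJECT and SMB/DROP forms used in action.Drop). The
precise expansion rules of Shorewall 2.6 are assumed here, not taken from
the page; the point is to let an administrator see the concrete
ACCEPT/DROP/REJECT rows a macro produces before deploying it.
"""
from dataclasses import dataclass

# Targets a rule may pass as the /TARGET suffix (assumed list; the page
# itself uses ACCEPT, DROP, REJECT and mentions the QUEUE target).
ALLOWED_TARGETS = {"ACCEPT", "DROP", "REJECT", "QUEUE"}

# Constructed sample macros. Column order follows the macro files in the
# diff: TARGET SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S).
MACRO_DNS = """\
#
# constructed copy of the macro.DNS layout
#
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

MACRO_NTP = """\
# constructed: second line carries a destination port range and a source port
PARAM - - udp 123
PARAM - - udp 1024: 123
"""

MACRO_DROPUPNP = """\
# constructed: every line has an explicit target, so no /TARGET is required
DROP - - udp 1900
"""


@dataclass(frozen=True)
class Rule:
    target: str
    source: str
    dest: str
    proto: str
    dport: str = "-"
    sport: str = "-"


def parse_macro(text):
    """Return the rule rows of a macro file, ignoring comments and blanks."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops trailing "#Secure IMAP" too
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"macro line too short: {raw!r}")
        fields += ["-"] * (6 - len(fields))  # pad missing port columns
        rows.append(Rule(*fields[:6]))
    return rows


def expand_macro(invocation, macro_text, source, dest):
    """Expand NAME or NAME/TARGET into concrete rules for source -> dest.

    PARAM is replaced by the invoking rule's target; a row that names its
    own target keeps it; '-' in SOURCE/DEST inherits the invoking rule's
    zones (assumed semantics).
    """
    name, _, param = invocation.partition("/")
    if param and param not in ALLOWED_TARGETS:
        raise ValueError(f"{invocation}: unknown target {param!r}")
    rows = parse_macro(macro_text)
    if not param and any(r.target == "PARAM" for r in rows):
        raise ValueError(f"{name} contains PARAM lines; invoke it as {name}/<TARGET>")
    return [
        Rule(param if r.target == "PARAM" else r.target,
             source if r.source == "-" else r.source,
             dest if r.dest == "-" else r.dest,
             r.proto, r.dport, r.sport)
        for r in rows
    ]


def check_invocation(invocation, macro_text):
    """Return None if the invocation is valid for this macro, else the reason."""
    try:
        expand_macro(invocation, macro_text, "-", "-")
    except ValueError as exc:
        return str(exc)
    return None


def render(rules):
    """Format expanded rules as the tabular rows an administrator reviews."""
    return "\n".join(
        f"{r.target:<8}{r.source:<8}{r.dest:<8}{r.proto:<6}{r.dport:<8}{r.sport}"
        for r in rules
    )


if __name__ == "__main__":
    for inv, text in (("DNS/ACCEPT", MACRO_DNS), ("NTP/ACCEPT", MACRO_NTP),
                      ("DropUPnP", MACRO_DROPUPNP)):
        print(f"# {inv} net -> fw")
        print(render(expand_macro(inv, text, "net", "fw")))
```

Running it prints the expanded rows for the three constructed macros; the `NTP/ACCEPT` output makes visible that the second line of that macro accepts UDP from source port 123 to every destination port from 1024 upward, which is the kind of width a review of the expansion is meant to catch.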


@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 2.4
Shoreline Firewall (Shorewall) Version 2.6
----- ----
-----------------------------------------------------------------------------

Shorewall/Makefile (new file, 16 lines)

@ -0,0 +1,16 @@
# Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
all: $(VARDIR)/restarted
$(VARDIR)/restarted: $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \
if \
/sbin/shorewall -q restart >/dev/null 2>&1; \
then \
/sbin/shorewall -q save >/dev/null; \
else \
/sbin/shorewall -q restart 2>&1 | tail >&2; \
fi
# EOF
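Review bot: nothing in this recipe creates or touches $(VARDIR)/restarted, so unless `shorewall restart` writes that file itself the target is never up to date and the save/restart sequence runs on every invocation, i.e. on every boot. Two smaller points in the same recipe: the leading `/sbin/shorewall -q save` is chained with `;`, so a failed save does not stop the restart that follows, and on failure the `else` branch runs `restart` a second time just to capture its output, repeating whatever side effects the first failed attempt had; redirecting the first attempt's stderr to a file and printing that instead avoids the double run. Also `$(CONFDIR)/*` does not match dotfiles, and a deleted config file never triggers the rule.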


@ -1 +1,5 @@
This is the Shorewall development branch of CVS.
This is the Shorewall EXPERIMENTAL branch of CVS.
The Shorewall EXPERIMENTAL branch is NOT SUPPORTED in any way.
YOU MIGHT BREAK YOUR FIREWALL BY USING THIS CODE!! If so, don't
come complaining to us!


@ -1,5 +1,5 @@
#
# Shorewall version 2.4 - Accounting File
# Shorewall version 2.6 - Accounting File
#
# /etc/shorewall/accounting
#


@ -1,13 +0,0 @@
#
# Shorewall action.AllowAmanda
#
# This action accepts connections to the AMANDA backup system.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - udp 10080
# Not sure why this is necessary - using ip_conntrack_amanda along with
# the above should be sufficient.
#ACCEPT - - tcp 50000:50100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 143 #Unsecure IMAP
ACCEPT - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,12 +0,0 @@
#
# Shorewall action.AllowLDAP
#
# This action accepts LDAP traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 389
# This is LDAPS - should it be included?
#ACCEPT - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 119
ACCEPT - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall action.AllowPostgreSQL
#
# This action accepts connections to the PostgreSQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall action.AllowRsync
#
# This action accepts connections to the rsync server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,14 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 161:162
ACCEPT - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall action.AllowSVN
#
# This action accepts connections to the Subversion server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 33434:33524 #UDP Traceroute
ACCEPT - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.Drop
# Shorewall 2.6 /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
@ -15,11 +15,11 @@
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
RejectAuth
Auth/REJECT
#
# Don't log broadcasts
#
@ -36,7 +36,7 @@ dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
DropSMB
SMB/DROP
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
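Review bot: `SMB/DROP` adopts the new macro invocation syntax, but `DropUPnP` on the following line is still invoked by bare name although this same commit renames action.DropUPnP to macro.DropUPnP; unless the loader accepts a macro name without a `/TARGET` suffix when every line of the macro carries its own target (macro.DropUPnP's header says it silently drops UPnP probes on UDP 1900, so it presumably does), this line needs to become `DropUPnP/DROP` or the Drop action will fail to load. Worth exercising the Drop policy once after the merge.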


@ -1,11 +0,0 @@
#
# Shorewall action.DropGnutella
#
# This action silently drops Gnutella traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
DROP - - tcp 6346
DROP - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,15 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 135
DROP - - udp 137:139
DROP - - udp 445
DROP - - tcp 135
DROP - - tcp 139
DROP - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.Reject
# Shorewall 2.6 /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
@ -16,7 +16,7 @@
#
# Don't log 'auth' REJECT
#
RejectAuth
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
#
@ -33,7 +33,7 @@ dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the lot.
#
RejectSMB
SMB/REJECT
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
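Review bot: `RejectSMB` becomes `SMB/REJECT` here while `DropUPnP` stays a bare action name even though action.DropUPnP is renamed to macro.DropUPnP in this commit; confirm the loader resolves a bare macro name whose lines all carry explicit targets, otherwise write `DropUPnP/DROP`. The context comment 'clutter up the lot' should read 'clutter up the log'.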


@ -1,10 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,15 +0,0 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - udp 135
REJECT - - udp 137:139
REJECT - - udp 445
REJECT - - tcp 135
REJECT - - tcp 139
REJECT - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /etc/shorewall/action.template
# Shorewall 2.6 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /etc/shorewall/actions
# Shorewall 2.6 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /usr/share/shorewall/actions.std
# Shorewall 2.6 /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
@ -21,54 +21,7 @@
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
DropEdonkey # silently drop edonkey traffic
DropGnutella # silently drop gnutella traffic
AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowICMPs #Allows critical ICMP types
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)
# Added in Debian Packaging
AllowSPAMD #Allows SpamAssassin daemon
AllowSyslog #Allows syslog udp traffic
AllowAmanda # Allow connections required by the Amanda backup system
AllowLDAP # accepts LDAP traffic
AllowICQ # Accepts ICQ traffic
AllowBitTorrent # Accepts BitTorrent traffic
AllowSMBswat # Allows Samba Swat
DropSMTP # silently drops SMTP traffic
AllowCVS # accept cvs pserver traffic
AllowSVN # accept Subversion traffic
AllowMySQL # accept MySQL traffic
AllowPostgreSQL # accept PostgreSQL traffic
AllowRsync # accept rsync traffic
AllowDistcc # accept Distributed Compiler traffic
AllowEdonkey # accept edonkey traffic
AllowGnutella # accept edonkey traffic
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
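Review bot: every Allow*/Drop*/Reject* entry is removed from the standard action list without any alias to the replacement macro invocations, so a rules file or local action that still names AllowSSH, DropPing, etc. will fail to load after the upgrade. The commit message promises upward compatibility for the zones/ipsec merge but says nothing about this rename, so it needs a release-note entry giving the old name to new `Name/TARGET` mapping. (The removed `AllowGnutella # accept edonkey traffic` line also shows the list was maintained by copy-paste, one more reason to generate it from the installed macro files.)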


@ -1,5 +1,5 @@
#
# Shorewall 2.4 -- Blacklist File
# Shorewall 2.6 -- Blacklist File
#
# /etc/shorewall/blacklist
#


@ -1,50 +1,29 @@
Changes in 2.4.0-Final
Changes in 2.5.1ex
1) Add the ability to specify a weight in the balance option.
1) Clean up handling of zones
2) Remove "ipp2p" support in the rules file.
2) Make the removal of the ipsec file upward compatible.
3) Fix duplicate routing table listings from "shorewall status"
3) Improve CONTINUE policy handling.
Changes in 2.4.0-RC2
4) Implement arp_ignore support.
1) Relax "detect" restriction.
Changes in 2.5.0ex
2) Fix detection via 'nexthop' so it will work with BusyBox
1) Make warning and error messages easier to find by using
capitalization.
3) Merge Tuomo Soini's fix for "shorewall add"
2) Remove /etc/shorewall/ipsec and merge it's function with
/etc/shorewall/zones.
Changes in 2.4.0-RC1
3) Apply small fix to the above patch.
1) Fix output from firewall itself vis-a-vis multiple providers.
4) Remove dynamic zone support.
2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
5) Add "established policy" support.
Changes in 2.3.2
1) Add support for -j ROUTE
2) Add TEST column to /etc/shorewall/routes
3) Add support for different providers.
4) Merge patch from Juan Jesús Prieto.
5) Implement 'loose' routestopped option.
6) Change 'loose' to 'source' and 'dest'
7) Fix routing of connections from the firewall with multiple ISPs.
Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.
Changes in 2.3.0
1) Implement support for --cmd-owner
2) Implement support for ipsets.
6) Add CRITICALHOSTS support.
7) Remove 'bogon' stuff.
8) Implement Macros.
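Review bot: 'merge it's function' should be 'merge its function'. More substantively, the new entries are headed 2.5.0ex and 2.5.1ex while the file banners touched by this commit say 2.6, so the changelog and the banners disagree about which release this is.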


@ -1,5 +1,5 @@
#
# Shorewall version 2.4 - Default Config Path
# Shorewall version 2.6 - Default Config Path
#
# /usr/share/shorewall/configpath
#


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/continue
# Shorewall 2.6 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.


@ -1,5 +1,5 @@
#
# Shorewall 2.4 - /etc/shorewall/ecn
# Shorewall 2.6 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.4.0
VERSION=2.5.0
usage() # $1 = exit status
{
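Review bot: VERSION is set to 2.5.0 here (and in install.sh below), the file banners in this commit say 2.6, and the changelog names 2.5.1ex; pick one version string so that the fallback script, the installer and the banners describe the same release.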

File diff suppressed because it is too large


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall 2.4 -- /usr/share/shorewall/functions
# Shorewall 2.6 -- /usr/share/shorewall/functions
# Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and
@ -262,85 +262,6 @@ reload_kernel_modules() {
}
#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
expandv zone display
[ -n "$zone" ] && case "$zone" in
[0-9*])
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
;;
\#*)
;;
$FW|all|none)
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}
find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones()
{
local zonefile=$(find_file zones)
multi_display=Multi-zone
strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones)
newzones=
for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
eval ${zone}_display=\$dsply
newzones="$newzones $zone"
done
zones=${newzones# }
}
#
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
#
get_statedir()
{
MUTEX_TIMEOUT=
local config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}
#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
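Review bot: get_statedir() is deleted although the comment block kept right above it still advertises these functions for external applications that want to hold MUTEX with Shorewall; deleting it (and the STATEDIR it loaded) silently breaks such callers, so either keep a stub that exports the new fixed directory or document the removal in the changelog. The removed find_zones() had `2>&2` where `>&2` was meant, so its illegal-zone-name warning never reached stderr; make sure the replacement zone parser in the firewall script (diff suppressed) does not inherit that.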
@ -353,13 +274,13 @@ get_statedir()
mutex_on()
{
local try=0
local lockf=$STATEDIR/lock
local lockf=/var/lib/shorewall/lock
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
if [ $MUTEX_TIMEOUT -gt 0 ]; then
[ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if qt which lockfile; then
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
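Review bot: replacing $STATEDIR with a hard-coded /var/lib/shorewall means a shorewall.conf that sets STATEDIR elsewhere now keeps its state in one directory and its lock in another, and two instances with different STATEDIRs share a single lock; if STATEDIR is being retired, say so in the changelog. Also `mkdir -p /var/lib/shorewall` inherits the caller's umask; the lock directory of a root-run tool should be created with an explicit restrictive mode (`mkdir -p -m 0700`).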
@ -384,7 +305,7 @@ mutex_on()
#
mutex_off()
{
rm -f $STATEDIR/lock
rm -f /var/lib/shorewall/lock
}
#


@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.4
# Shorewall help subsystem - V2.6
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -172,17 +172,6 @@ logwatch)
and produces an audible alarm when new Shorewall messages are logged."
;;
monitor)
echo "monitor: monitor [<refresh_interval>]
shorewall [-x] monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
refresh)
echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,


@ -1,5 +1,5 @@
#
# Shorewall 2.4 - /etc/shorewall/hosts
# Shorewall 2.6 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/init
# Shorewall 2.6 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.


@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/initdone
# Shorewall 2.6 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.4.0
VERSION=2.5.0
usage() # $1 = exit status
{
@ -264,8 +264,9 @@ if [ -f ${PREFIX}/etc/shorewall/ipsec ]; then
else
run_install $OWNERSHIP -m 0600 ipsec ${PREFIX}/etc/shorewall/ipsec
echo
echo "Ipsec file installed as ${PREFIX}/etc/shorewall/ipsec"
echo "Dummy IPSEC file installed as ${PREFIX}/etc/shorewall/ipsec"
fi
#
# Install the hosts file
#
@ -408,15 +409,9 @@ else
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi
#
# Install the Routes file
# Delete the Routes file
#
if [ -f ${PREFIX}/etc/shorewall/routes ]; then
backup_file /etc/shorewall/routes
else
run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes
echo
echo "Routes file installed as ${PREFIX}/etc/shorewall/routes"
fi
delete_file /etc/shorewall/routes
#
# Install the Providers file
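Review bot: `delete_file /etc/shorewall/routes` drops the `${PREFIX}` that every other path in this file carries, so unless delete_file prepends it internally a staged install (PREFIX set) removes the file from the live system and leaves the staged copy in place. Separately, the old branch preserved an existing routes file with backup_file before touching it; unconditionally deleting a user-edited configuration file during install, with no backup, is a regression, so call backup_file first or move the file aside instead of deleting it.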
@ -443,12 +438,6 @@ install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600
echo
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the bogons file
#
install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600
echo
echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
#
# Install the default config path file
#
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
@ -570,6 +559,14 @@ for f in action.* ; do
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Install the Macro files
#
for f in macro.* ; do
install_file_with_backup $f ${PREFIX}/usr/share/shorewall/$f 0600
echo
echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done
#
# Backup the version file
#
if [ -z "$PREFIX" ]; then


@ -1,5 +1,5 @@
#
# Shorewall 2.4 -- Interfaces File
# Shorewall 2.6 -- Interfaces File
#
# /etc/shorewall/interfaces
#
@ -155,6 +155,37 @@
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
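Review bot: the description of value 2 is hard to parse ('both with the sender's IP address are part from same subnet'); it should say that a reply is sent only if the target address is configured on the incoming interface and the sender's address lies in the same subnet on that interface. Values 4-7 are listed as reserved, but nothing shown here rejects them, so a typo such as arp_ignore=5 would be handed straight to the kernel; validating the number against 0-3 and 8 in the option parser (diff suppressed) would be cheap. The proxy-ARP warning is the important part and is good to have.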
@ -164,7 +195,7 @@
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically tailors the zone named
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
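Review bot: of the two spellings in this hunk, 'tailors' is the correct one; 'taylors' should not be the line that survives.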


@ -1,59 +1,7 @@
#
# Shorewall 2.4 - /etc/shorewall/ipsec
# The /etc/shorewall/ipsec file is obsolete -- the information
# previously contained in this file is now placed in the
# /etc/shorewall/zones file.
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file for any purpose except for setting mss,
# you must be running a 2.6 kernel and both your kernel and iptables
# must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
###################################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# See the IPSECFILE option in shorewall.conf for further information.


@ -1,5 +1,5 @@
#
# Shorewall 2.4 - MAC list file
# Shorewall 2.6 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.


@ -1,5 +1,5 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
#
# ACCEPT needed ICMP types
#


@ -1,10 +1,10 @@
#
# Shorewall action.AllowBitTorrent
# Shorewall macro.Amanda
#
# This action accepts BitTorrent traffic.
# This macro handles connections to the AMANDA backup system.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 6881:6889
PARAM - - udp 10080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,10 @@
#
# Shorewall action.AllowGnutella
# Shorewall 2.6 /usr/share/shorewall/macro.Auth
#
# This action accepts gnutella traffic.
# This macro handles Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 6346
ACCEPT - - udp 6346
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,10 @@
#
# Shorewall macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 6881:6889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,10 @@
#
# Shorewall action.DropSMTP
# Shorewall macro.CVS
#
# This action silently drops SMTP traffic.
# This macro handles connections to the CVS pserver.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
DROP - - tcp 25
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA
# Shorewall 2.6 /usr/share/shorewall/macro.DNS
#
# This action accepts PCAnywere (tm)
# This macro handles DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5632
ACCEPT - - tcp 5631
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,7 +1,7 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep
# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
#
# This action silently drops DNS UDP replies
# This macro silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/


@ -1,7 +1,7 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP
# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
# This macro silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/


@ -1,13 +1,13 @@
#
# Shorewall action.AllowEdonkey
# Shorewall macro.Edonkey
#
# This action accepts Edonkey traffic.
# This macro handles Edonkey traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 4662
ACCEPT - - udp 4665
PARAM - - tcp 4662
PARAM - - udp 4665
#
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665


@ -1,10 +1,10 @@
#
# Shorewall action.AllowSPAMD
# Shorewall 2.6 /usr/share/shorewall/macro.FTP
#
# This action accepts Spam Assassin SPAMD traffic.
# This macro handles FTP traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 783
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
# Shorewall macro.Gnutella
#
# This action accepts secure shell (SSH) traffic.
# This macro handles gnutella traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 22
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,10 @@
#
# Shorewall action.AllowICQ
# Shorewall macro.ICQ
#
# This action accepts ICQ traffic.
# This macro handles ICQ traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 5190
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.IMAP (new file, 11 lines)

@ -0,0 +1,11 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
#
# This macro handles IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 143 #Unsecure IMAP
PARAM - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,11 @@
#
# Shorewall action.AllowDistcc
# Shorewall macro.LDAP
#
# This action accepts connections to the Distributed Compiler
# service.
# This macro handles LDAP traffic (secure and insecure)
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 3632
PARAM - - tcp 389
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
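Review bot: this rename turns action.AllowDistcc into macro.LDAP, so the distcc rule (tcp 3632) disappears from the tree as far as this hunk shows. The release notes in this change say that with MAPOLDACTIONS=Yes an old Allow* invocation is rewritten to the corresponding */ACCEPT macro, which for AllowDistcc requires a macro.Distcc; no such file is visible in this section, so confirm it exists, or existing rules that call AllowDistcc will fail at start after the upgrade. The same check applies to the AllowMySQL and AllowDNS renames further down.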

11
Shorewall/macro.NNTP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
#
# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP
# Shorewall 2.6 /usr/share/shorewall/macro.NTP
#
# This action accepts NTP traffic (ntpd).
# This macro handles NTP traffic (ntpd).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
ACCEPT - - udp 1024: 123
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
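Review bot: the column header still reads "DEST SOURCE ORIGINAL RATE / PORT PORT(S) DEST LIMIT", i.e. the rules-file layout with an ORIGINAL DEST column, which macro.template does not have (its columns end with RATE LIMIT and USER/GROUP); the same stale header is in macro.POP3. On the second entry: when this macro is invoked as NTP/ACCEPT, "udp 1024: 123" accepts any UDP packet with source port 123 to every destination port from 1024 upward, and a sender chooses its own source port, so this is wider than a reply rule. If it is meant to admit ntpd replies, say so in a comment and check whether the ESTABLISHED handling documented in the policy file change already lets them through, in which case the entry can be dropped.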

View File

@ -1,10 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPing
# Shorewall 2.6 /usr/share/shorewall/macro.PCA
#
# This action accepts 'ping' requests.
# This macro handles PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp 8
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
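Review bot: typo in the description, "PCAnywere" should be "pcAnywhere", and the sentence has no terminating punctuation unlike the other macro headers; since this file replaces action.AllowPing, also make sure the new macro.Ping below is what the MAPOLDACTIONS rewrite of AllowPing resolves to.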

View File

@ -1,11 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3
# Shorewall 2.6 /usr/share/shorewall/macro.POP3
#
# This action accepts POP3 traffic (secure and insecure):
# This macro handles POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - tcp 110 #Unsecure POP3
ACCEPT - - tcp 995 #Secure POP3
PARAM - - tcp 110 #Unsecure POP3
PARAM - - tcp 995 #Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
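Review bot: same stale header as macro.NTP, with an "ORIGINAL DEST" column that macro.template does not define; drop that column so the header matches the template. "Unsecure" in the two entry comments (and in macro.IMAP) should read "Insecure" or, more precisely, "Unencrypted".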

10
Shorewall/macro.Ping Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Ping
#
# This macro handles 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,10 +1,10 @@
#
# Shorewall action.AllowMySQL
# Shorewall macro.PostgreSQL
#
# This action accepts connections to the MySQL server.
# This macro handles connections to the PostgreSQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 3306
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
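Review bot: action.AllowMySQL is repurposed as macro.PostgreSQL, and no macro.MySQL appears between macro.LDAP and macro.NNTP in this alphabetically ordered file list. With MAPOLDACTIONS=Yes the release notes say an AllowMySQL invocation is rewritten to MySQL/ACCEPT, so either add macro.MySQL (a copy of this file with tcp 3306) in this change, or state in the release notes that AllowMySQL has no replacement and must be rewritten by hand.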

10
Shorewall/macro.Rdate Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
#
# This macro handles remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,10 +1,10 @@
#
# Shorewall action.AllowSyslog
# Shorewall macro.Rsync
#
# This action accepts syslog UDP traffic.
# This macro handles connections to the rsync server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - udp 514
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.SMB Normal file
View File

@ -0,0 +1,14 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMB
#
# Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
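Review bot: "PARAM - - udp 1024: 137" accepts every UDP packet with source port 137 to any destination port from 1024 upward, from whatever SOURCE the macro is invoked with; as with "udp 1024: 123" in macro.NTP, the sender picks its source port, so this is not a reply-only rule. Add a comment stating that the entry exists for NetBIOS name-service replies, and check whether the ESTABLISHED handling already covers them, in which case it should go. The header's "You need to invoke this macro in both directions" is the right kind of note and the other macros with the same property should say so too.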

View File

@ -1,11 +1,11 @@
#
# Shorewall action.AllowSMBswat
# Shorewall macro.SMBswat
#
# This action accepts connections to the Samba Web Administration
# This macro handles connections to the Samba Web Administration
# Tool (SWAT).
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
ACCEPT - - tcp 901
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,15 +1,15 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
#
# This action accepts SMTP (email) traffic.
# This macro handles SMTP (email) traffic.
#
# Note: This action allows traffic between an MUA (Email client)
# Note: This macro handles traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the AllowPOP3 or AllowIMAP actions.
# the POP3 or IMAP macros.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 25
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall/macro.SNMP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
#
# This macro accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
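Review bot: the description says "This macro accepts SNMP traffic", but the target is PARAM, so the macro does whatever the invocation supplies (SNMP/DROP is as valid as SNMP/ACCEPT); use "handles", as the other macros in this change do. Also, "udp 161:162" merges the agent port and the trap port into one entry, so an invocation intended to permit polling of an agent also permits traps to be delivered; split it into two commented entries so the two can be controlled separately.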

10
Shorewall/macro.SPAMD Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall macro.SPAMD
#
# This macro handles Spam Assassin SPAMD traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall/macro.SSH Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SSH
#
# This macro handles secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
Shorewall/macro.SVN Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall macro.SVN
#
# This macro handles connections to the Subversion server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,10 @@
#
# Shorewall action.DropEdonkey
# Shorewall macro.Syslog
#
# This action silently drops Edonkey Traffic.
# This macro handles syslog UDP traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
DROP - - tcp 4662
DROP - - udp 4665
PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
#
# This action accepts Telnet traffic. For traffic over the
# This macro handles Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 23
PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,11 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.
# This macro handles Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 21
PARAM - - udp 33434:33524 #UDP Traceroute
PARAM - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -1,11 +1,10 @@
#
# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
# Shorewall 2.6 /usr/share/shorewall/macro.VNC
#
# This action accepts DNS traffic.
# This macro handles VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 53
ACCEPT - - tcp 53
PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
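Review bot: action.AllowDNS becomes macro.VNC here; a macro.DNS would sort before macro.Edonkey and so is outside this section, but since AllowDNS is among the most commonly invoked actions and the MAPOLDACTIONS rewrite depends on the macro existing, confirm it is part of this change. Typo in the description: "display's" should be "displays".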

10
Shorewall/macro.VNCL Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
#
# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall/macro.Web Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Web
#
# This macro handles WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

69
Shorewall/macro.template Normal file
View File

@ -0,0 +1,69 @@
#
# Shorewall version 2.6 - Macro Template File
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to template files with the following exceptions:
#
# - A macro file is not processed unless the marcro that it defines is referenced in the
# /etc/shorewall/rules file or in an action definition file.
#
# - Macros are translated directly into one or more rules whereas actions become their own
# chain.
#
# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
#
# - Macros may not invoke other macros.
#
# The columns in a macro definition are the same as those in the action.template file.
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# # PORT PORT(S) LIMIT GROUP
# DNAT - - tcp 21
#
# /etc/shorewall/rules:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# FwdFTP net loc:192.168.1.5
#
# The result is equivalent to:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.5 tcp 21
#
# The substitution rules are as follows:
#
# ACTION column If in the invocation of the macro, the macro name is followed by
# slash ("/") and a second name, the second name is substituted for
# each entry in the macro whose ACTION is PARAM
#
# For example, if macro FOO is invoked as FOO/ACCEPT then when
# expanding macro.FOO, Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column contains PARAM. PARAM may
# be optionally followed by a colon and a log level.
#
# Any logging specified when the macro is invoked is applied to each
# entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the value in the rules
# columns file is used. If the column in the macro is non-empty then any
# value in the rules file is appended with a ":" separator.
#
# Example: Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
# Remaining Any value in the rules file REPLACES the value given in the macro
# columns file.
#
#
#
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
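Review bot: the first bullet says "Macro files are similar to template files", but every bullet that follows contrasts macros with actions, so this should read "similar to action files"; "marcro" on the next line is a typo. The column header at the bottom of the template and in the examples is "#ACTION", while every macro file in this change uses "#TARGET"; pick one name. The examples place the user macro at /etc/shorewall/macro.FwdFTP, whereas the release notes in this change say macros are found by placing the file in the CONFIG_PATH; the template should state that rule. Finally, the SOURCE/DEST substitution text ("any value in the rules file is appended with a ':' separator") should spell out that a "-" in the rules file leaves the macro's value unchanged, because the second example ("FwdFTP - 192.168.1.5" giving SOURCE "net") relies on exactly that.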

View File

@ -1,5 +1,5 @@
#
# Shorewall 2.4 - Masquerade file
# Shorewall 2.6 - Masquerade file
#
# /etc/shorewall/masq
#

View File

@ -1,5 +1,5 @@
##############################################################################
# Shorewall 2.4 /etc/shorewall/modules
# Shorewall 2.6 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#

View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.4 -- Network Address Translation Table
# Shorewall 2.6 -- Network Address Translation Table
#
# /etc/shorewall/nat
#

View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.4 -- Network Mapping Table
# Shorewall 2.6 -- Network Mapping Table
#
# /etc/shorewall/netmap
#

View File

@ -1,5 +1,5 @@
#
# Shorewall 2.4 /etc/shorewall/params
# Shorewall 2.6 /etc/shorewall/params
#
# Assign any variables that you need here.
#

View File

@ -1,5 +1,5 @@
#
# Shorewall 2.4 -- Policy File
# Shorewall 2.6 -- Policy File
#
# /etc/shorewall/policy
#
@ -50,6 +50,13 @@
# then that action will be invoked before the policy named in
# this column is inforced.
#
# The policy determined the default treatment of new
# connection requests and may optionally be followed by ":"
# and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an established
# connection. The choices are ACCEPT (the default) and QUEUE
# (to queue the packet to a user-space filter like Snort Inline).
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
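Review bot: "The policy determined the default treatment" should read "determines", and "inforced" in the preceding context line is "enforced". More importantly, the new paragraph documents the ESTABLISHED policy but says nothing about RELATED packets; the release notes in this change state that RELATED packets are always ACCEPTed so that ICMP does not go through QUEUE. A user who writes DROP:QUEUE expecting snort-inline to see everything needs to read that here, in the file they edit, so add a sentence to this comment.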

View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.4 -- Internet Service Providers
# Shorewall 2.6 -- Internet Service Providers
#
# /etc/shorewall/providers
#

View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.4 -- Proxy ARP
# Shorewall 2.6 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#

View File

@ -1,367 +1,275 @@
Shorewall 2.4.0
Shorewall 2.5.0
-----------------------------------------------------------------------
Problems Corrected since 2.4.0-RC2
Problems Corrected:
1) Previously, "shorewall status" could list the same routing table's
contents more than once.
1) The behavior of CONTINUE policies has been improved. Shorewall no
longer generates a useless policy chain corresponding to these
policies.
-----------------------------------------------------------------------
Upgrade Issues when moving to 2.4.0
2) The combining of the zones and ipsec files has now been made upward
compatible provided that the user doesn't do something idiotic such
as install the new shorewall.conf file then manually update it
with exactly the changes that had been applied to the old file.
1) Shorewall now enforces the restriction that mark values used in
/etc/shorewall/tcrules are less than 256. If you are using mark
values >= 256, you must change your configuration before you
upgrade.
Migration Considerations:
2) The value "ipp2p" is no longer accepted in the PROTO column of the
rules file. This support has never worked as intended and filtering
P2P applications this way is a bad idea to begin with (you should be
using a proxy).
1) The "monitor" command has been eliminated.
3) LEAF/Bering packages for version 2.4.0 and later will not be
available from shorewall.net. See http://leaf.sf.net for the lastest
version of Shorewall for LEAF variants.
-----------------------------------------------------------------------
New Features in version 2.4.0
2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones
file have been removed and have been replaced by the former
columns of the /etc/shorewall/ipsec file. The latter file has been
removed. As a result, the columns in the /etc/shorewall/zones file
are now as follows:
1) Shorewall 2.4.0 includes support for multiple internet interfaces to
different ISPs.
ZONE Short name of the zone (5 Characters or less in
length).
The file /etc/shorewall/providers may be used to define the
different providers. It can actually be used to define alternate
routing tables so uses like transparent proxy can use the file as
well.
The names "all" and "none" are reserved and may
not beused as zone names.
Columns are:
IPSEC Yes -- Communication with all zone hosts is
ONLY encrypted. Your kernel and iptables
must include policy match support.
No -- Communication with some zone hosts may
be encrypted. Encrypted hosts are
designated using the 'ipsec' option in
/etc/shorewall/hosts.
NAME The provider name.
OPTIONS, A comma-separated list of options as
IN OPTIONS, follows:
OUT OPTIONS
reqid=<number> where <number> is
specified using setkey(8) using the
'unique:<number> option for the SPD
level.
spi=<number> where <number> is the SPI
of the SA used to encrypt/decrypt
packets.
proto=ah|esp|ipcomp
mss=<number> (sets the MSS field in TCP
packets)
mode=transport|tunnel
tunnel-src=<address>[/<mask>] (only
available with mode=tunnel)
tunnel-dst=<address>[/<mask>] (only
available with mode=tunnel)
strict Means that packets must match
all rules.
next Separates rules; can only be
used with strict..
Example:
mode=transport,reqid=44
The options in the OPTIONS column are applied to both
incoming and outgoing traffic. The IN OPTIONS are
applied to incoming traffic (in addition to OPTIONS)
and the OUT OPTIONS are applied to outgoing traffic.
NUMBER The provider number -- a number between 1 and 15
If you wish to leave a column empty but need to make an
entry in a following column, use "-".
THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE
NESTED OR OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
To attempt to adhere to the principle of least astonishment, the
old /etc/shorewall/ipsec file will continue to be supported. A new
IPSECFILE variable in /etc/shorewall/shorewall.conf determines the
name of the file that Shorewall looks in for IPSEC information. If
that variable is not set or is set to the empty value then
IPSECFILE=ipsec is assumed. So if you simply upgrade and don't do
something idiotic like replace your current shorewall.conf file with
the new one, your old configuration will continue to work. A dummy
'ipsec' file is included in the release so that your package manager
(e.g., rpm) won't remove your existing file.
MARK A FWMARK value used in your
/etc/shorewall/tcrules file to direct packets to
this provider.
The shorewall.conf file included in this release sets
IPSECFILE=zones so that new users are expected to use the new zone
file format.
DUPLICATE The name of an existing table to duplicate. May
be 'main' or the name of a previous provider.
INTERFACE The name of the network interface to the
provider. Must be listed in
/etc/shorewall/interfaces.
GATEWAY The IP address of the provider's gateway router.
If you enter "detect" here then Shorewall will
attempt to determine the gateway IP address
automatically.
OPTIONS A comma-separated list selected from the
following:
track If specified, connections FROM this interface are
to be tracked so that responses may be routed
back out this same interface.
3) The DROPINVALID option has been removed from shorewall.conf. The
behavior will be as if DROPINVALID=No had been specified. If you
wish to drop invalid state packets, use the dropInvalid built-in
action.
4) The 'nobogons' interface and hosts option as well as the
BOGON_LOG_LEVEL option have been eliminated.
5) Most of the standard actions have been replaced by parameterized
macros (see below). So for example, the action.AllowSMTP and
action.DropSMTP have been removed an a parameterized macro
macro.SMTP has been added to replace them.
In order that current users don't have to immediately update their
rules and user-defined actions, Shorewall can substitute an
invocation of the a new macro for an existing invocation of one of
the old actions. So if your rules file calls AllowSMTP, Shorewall
will replace that call with SMTP/ACCEPT. Because this substitution
is expensive, it is conditional based on the setting of
MAPOLDACTIONS in shorewall.conf. If this option is set to YES or if
it is not set (such as if you are using your old shorewall.conf
file) then Shorewall will perform the substitution. Once you have
converted to use the new macros, you can set MAPOLDACTIONS=No and
invocations of those actions will go much quicker during 'shorewall
[re]start'.
6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been
removed. STATEDIR is now fixed at /var/lib/shorewall. If you have
previously set STATEDIR to another directory, please copy the files
from that directory to /var/lib/shorewall/ before [re]starting
Shorewall after the upgrade to this version.
New Features in Shorewall 2.5.0
You want specify 'track' if internet hosts will be
connecting to local servers through this
provider.
1) Error and warning messages are made easier to spot by using
capitalization (e.g., ERROR: and WARNING:).
Because of limitations in the 'ip' utility and
policy routing, you may not use the SAVE or
RESTORE tcrules options or use connection
marking on any traffic to or from this
interface. For traffic control purposes, you
must mark packets in the FORWARD chain (or
better yet, use the CLASSIFY target).
2) Beginning with this version, the POLICY column in
/etc/shorewall/policy to potentially contain two policies separated
by ":". The first policy is the policy for new connections (the only
policy that you can currently configure). The second policy is for
ESTABLISHED packets (those that are part of an established
connection) and must be either ACCEPT (the default) or QUEUE. So if
the policy column contains DROP:QUEUE then new connection requests
are dropped by default but packets that are part of an established
connection are sent to the QUEUE target. RELATED state packets are
always ACCEPTED so that ICMPs (which are almost always RELATED)
won't go through QUEUE.
balance The providers that have 'balance' specified will
get outbound traffic load-balanced among them. By
default, all interfaces with 'balance' specified
will have the same weight (1). You can change the
weight of the route out of the interface by
specifiying balance=<weight> where <weight> is
the desired route weight.
Example: You run squid in your DMZ on IP address
192.168.2.99. Your DMZ interface is eth2
3) A new option 'critical' has been added to
/etc/shorewall/routestopped. This option can be used to enable
communication with a host or set of hosts during the entire
"shorewall [re]start/stop" process. Listing a host with this option
differs from listing it without the option in several ways:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 192.168.2.99 -
a) The option only affect traffic between the listed host(s) and the
firewall itself.
Use of this feature requires that your kernel and iptables
support CONNMARK target and conntrack match support. It does NOT
require the ROUTE target extension.
WARNING: The current version of iptables (1.3.1) is broken with
respect to CONNMARK and iptables-save/iptables-restore. This means
that if you configure multiple ISPs, "shorewall restore" will
fail. You must patch your iptables using the patch at
http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
facility in Netfilter. Like all owner match options, 'cmd-owner' may
only be applied to traffic that originates on the firewall.
b) If there are any entries with 'critical', the firewall
will be completely opened briefly during start, restart and stop but
there will be no chance of any packets to/from the listed host(s)
being dropped or rejected.
The syntax of the USER/GROUP column in the following files has been
extended:
Possible uses for this option are:
a) Root fileset is NFS mounted. You will want to list the NFS server
in the 'critical' option.
b) You are running Shorewall in a Crossbeam environment
(www.crossbeam.com). You will want to list the Crossbeam interface
in this option
4) A new 'macro' feature has been added.
Macros are very similar to actions and can be used in similar
ways. The differences between actions and macros are as follows:
/etc/shorewall/accounting
/etc/shorewall/rules
/etc/shorewall/tcrules
/usr/share/shorewall/action.template
To specify a command, prefix the command name with "+".
a) An action creates a separate chain with the same name as the
action (when logging is specified on the invocation of an action,
a chain beginning with "%" followed by the name of the action and
possibly followed by a number is created). When a macro is
invoked, it is expanded in-line and no new chain is created.
b) An action may be specified as the default action for a policy;
macros cannot be specified this way.
c) Actions must be listed in either /usr/share/shorewall/actions.std
or in /etc/shorewall/actions. Macros are defined simply by
placing their definition file in the CONFIG_PATH.
Examples:
d) Actions are defined in a file with a name beginning with
"action." and followed by the name of the action. Macro files are
defined in a file with a name beginning with "macro.".
+mozilla-bin #The program is named "mozilla-bin"
joe+mozilla-bin #The program is named "mozilla-bin" and
#is being run by user "joe"
joe:users+mozilla-bin #The program is named "mozilla-bin" and
#is being run by user "joe" with
#effective group "users".
e) Actions may invoke other actions. Macros may not directly invoke
other macros although they may invoke other macros indirectly
through an action.
Note that this is not a particularly robust feature and I would
never advertise it as a "Personal Firewall" equivalent. Using
symbolic links, it's easy to alias command names to be anything you
want.
f) DNAT[-] and REDIRECT[-] rules may not appear in an action. They
are allowed in a macro with the restriction that the a macro
containing one of these rules may not be invoked from an action.
3) Support has been added for ipsets
(see http://people.netfilter.org/kadlec/ipset/).
g) The values specified in the various columns when you invoke a
macro are substituted in the corresponding column in each rule in
the macro. The first three columns get special treatment:
In most places where a host or network address may be used, you may
also use the name of an ipset prefaced by "+".
TARGET If you code PARAM as the target in a macro then
when you invoke the macro, you can include the
name of the macro followed by a slash ("/") and
an ACTION (either builtin or user-defined. All
instances of PARAM in the body of the macro will be
replaced with the ACTION.
Example: "+Mirrors"
Any logging applied when the action is invoked is
applied following the same rules as for actions.
The name of the set may be optionally followed by:
a) a number from 1 to 6 enclosed in square brackets ([]) -- this
number indicates the maximum number of ipset binding levels that
are to be matched. Depending on the context where the ipset name
is used, either all "src" or all "dst" matches will be used.
Example: "+Mirrors[4]"
SOURCE and
DEST If the rule in the macro file specifies a value and
the invocation of the rule also specifies a value then
the value in the invocation is appended to the value
in the rule using ":" as a separator.
b) a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly
to iptables in the generated --set clause. See the ipset
documentation for details.
Example:
Example: "+Mirrors[src,dst,src]"
Note that "+Mirrors[4]" used in the SOURCE column of the rules
file is equivalent to "+Mirrors[src,src,src,src]".
/etc/shorewall/macro.SMTP
To generate a negative match, prefix the "+" with "!" as in
"!+Mirrors".
PARAM - loc tcp 25
Example 1: Blacklist all hosts in an ipset named "blacklist"
/etc/shorewall/rules:
/etc/shorewall/blacklist
SMTP/DNAT:info net 192.168.1.5
#ADDRESS/SUBNET PROTOCOL PORT
+blacklist
Would be equivalent to the following in the rules file:
Example 2: Allow SSH from all hosts in an ipset named "sshok:
DNAT:info net loc:192.168.1.5 tcp 25
/etc/shorewall/rules
Rest Any value in the invocation replaces the value in the
rule in the macro.
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22
One additional restriction applies to the mixing of macros and
actions. Macros that are invoked from actions cannot themselves
invoke other actions.
Shorewall can automatically capture the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
then "shorewall save" will save the contents of your ipsets. The file
where the sets are saved is formed by taking the name where the
Shorewall configuration is stored and appending "-ipsets". So if you
enter the command "shorewall save standard" then your Shorewall
configuration will be saved in /var/lib/shorewall/standard and your
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
Assuming the default RESTOREFILE setting, if you just enter
"shorewall save" then your Shorewall configuration will be saved in
/var/lib/shorewall/restore and your ipset contents will be saved in
/var/lib/shorewall/restore-ipsets.
5) If you have 'make' installed on your firewall, then when you use
the '-f' option to 'shorewall start' (as happens when you reboot),
if your /etc/shorewall/ directory contains files that were modified
after Shorewall was last restarted then Shorewall is started using
the config files rather than using the saved configuration.
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start"
and "shorewall restore" commands will restore the ipset contents
corresponding to the Shorewall configuration restored provided that
the saved Shorewall configuration specified exists.
6) The 'arp_ignore' option has been added to /etc/shorewall/interfaces
entries. This option sets
/proc/sys/net/ipv4/conf/<interface>/arp_ignore. By default, the
option sets the value to 1. You can also write arp_ignore=<value>
where value is one of the following:
For example, "shorewall restore standard" would restore the ipset
contents from /var/lib/shorewall/standard-ipsets provided that
/var/lib/shorewall/standard exists and is executable and that
/var/lib/shorewall/standard-ipsets exists and is executable.
1 - reply only if the target IP address is local address
configured on the incoming interface
Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
command will purge the saved ipset information (if any) associated
with the saved shorewall configuration being removed.
You can also associate ipset contents with Shorewall configuration
directories using the following command:
ipset -S > <config directory>/ipsets
Example:
ipset -S > /etc/shorewall/ipsets
When you start or restart Shorewall (including using the 'try'
command) from the configuration directory, your ipsets will be
configured from the saved ipsets file. Once again, this behavior is
independent of the setting of SAVE_IPSETS.
Ipsets are well suited for large blacklists. You can maintain your
blacklist using the 'ipset' utility without ever having to restart
or refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be
sure to "shorewall save" after altering the blacklist ipset(s).
Example /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklist[src,dst]
+Blacklistnets[src,dst]
Create the blacklist ipsets using:
ipset -N Blacklist iphash
ipset -N Blacklistnets nethash
Add entries
ipset -A Blacklist 206.124.146.177
ipset -A Blacklistnets 206.124.146.0/24
To allow entries for individual ports
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177.
4) Shorewall 2.4.0 can now configure routing if your kernel and
iptables support the ROUTE target extension. This extension is
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
the Netfilter team have no intention of ever releasing the ROUTE
target extension to kernel.org.
Routing is configured using the /etc/shorewall/routes file. Columns
in the file are as follows:
SOURCE Source of the packet. May be any of the
following:
- A host or network address
- A network interface name.
- The name of an ipset prefaced with "+"
- $FW (for packets originating on the firewall)
- A MAC address in Shorewall format
- A range of IP addresses (assuming that your
kernel and iptables support range match)
- A network interface name followed by ":"
and an address or address range.
DEST Destination of the packet. May be any of the
following:
- A host or network address
- A network interface name (determined from
routing table(s))
- The name of an ipset prefaced with "+"
- A network interface name followed by ":"
and an address or address range.
PROTO Protocol - Must be "tcp", "udp", "icmp",
"ipp2p", a number, or "all". "ipp2p" requires
ipp2p match support in your kernel and
iptables.
PORT(S) Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers
or port ranges; if the protocol is "icmp", this
column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is
interpreted as an ipp2p option without the
leading "--" (example "bit" for bit-torrent).
If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but
must be entered if any of the following field
is supplied. In that case, it is suggested that
this field contain "-"
SOURCE PORT(S) (Optional) Source port(s). If omitted,
any source port is acceptable. Specified as a
comma-separated list of port names, port
numbers or port ranges.
TEST Defines a test on the existing packet or
connection mark.
The rule will match only if the test returns
true. Tests have the format
[!]<value>[/<mask>][:C]
Where:
! Inverts the test (not equal)
<value> Value of the packet or
connection mark.
<mask> A mask to be applied to the
mark before testing
:C Designates a connection
mark. If omitted, the packet
mark's value is tested.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an
IP address in the GATEWAY column.
GATEWAY The gateway that the packet is to be forewarded
through.
5) Normally when Shorewall is stopped, starting or restarting then
connections are allowed from hosts listed in
/etc/shorewall/routestopped to the firewall and to other hosts
listed in /etc/shorewall/routestopped.
A new 'source' option is added for entries in that file which will
cause Shorewall to allow traffic from the host listed in the entry
to ANY other host. When 'source' is specified in an entry, it is
unnecessary to also specify 'routeback'.
Similarly, a new 'dest' option is added which will cause Shorewall
to allow traffic to the host listed in the entry from ANY other
host. When 'source' is specified in an entry, it is unnecessary to
also specify 'routeback'.
6) This change was implemented by Lorenzo Martignoni. It provides two
new commands: "safe-start" and "safe-restart".
safe-start starts Shorewall then prompts you to ask you if
everything looks ok. If you answer "no" or if you don't answer
within 60 seconds, a "shorewall clear" is executed.
safe-restart saves your current configuration to
/var/lib/shorewall/safe-restart then issues a "shorewall restart";
It then prompts you to ask if you if you want to accept the new
configuration. If you answer "no" or if you don't answer within 60
seconds, the configuration is restored to its prior state.
These new commands require either that your /bin/sh supports the
"-t" option to the 'read' command or that you have /bin/bash
installed.
2 - reply only if the target IP address is local address
configured on the incoming interface and both with the sender's
IP address are part from same subnet on this interface
3 - do not reply for local addresses configured with scope
host, only resolutions for global and link addresses are
replied
4-7 - reserved
8 - do not reply for all local addresses
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP.
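Review bot: The 'dest' paragraph of the routestopped item repeats the 'source' sentence verbatim: "When 'source' is specified in an entry, it is unnecessary to also specify 'routeback'" appears under both options, and the second occurrence should say 'dest'. Two smaller wording issues in the same hunk: "forewarded" in the GATEWAY column description should be "forwarded", and the arp_ignore value lines "reply only if the target IP address is local address configured on the incoming interface" are missing an article before "local address". The all-caps WARNING about not using arp_ignore on an interface involved in proxy ARP is the right thing to ship; consider carrying the same sentence into the arp_ignore comment of the interfaces file so it reaches users who only read the config files.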

View File

@ -1,5 +1,5 @@
#
# Shorewall 2.4 -- RFC1918 File
# Shorewall 2.6 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#

View File

@ -1,94 +0,0 @@
#
# Shorewall version 2.4 - Routing Rules
#
# /etc/shorewall/routes
#
# Entries in this file cause packets to be routed in non-standard
# ways.
#
# I M P O R T A N T ! ! ! !
#
# In order to use entries in this file, your kernel and iptables must
# have ROUTE target support (see the output of "shorewall show
# capabilities").
#
# This facility is *EXPERIMENTAL* -- the Netfilter team have no intention
# of ever submitting the ROUTE target patch to kernel.org.
#
# To omit any column, enter "-" in that column.
#
# Columns are:
#
#
# SOURCE Source of the packet. May be any of the following:
#
# - A host or network address
# - A network interface name.
# - The name of an ipset prefaced with "+"
# - $FW (for packets originating on the firewall)
# - A MAC address in Shorewall format
# - A range of IP addresses (assuming that your
# kernel and iptables support range match)
# - A network interface name followed by ":"
# and an address or address range.
#
# DEST Destination of the packet. May be any of the
# following:
#
# - A host or network address
# - A network interface name (determined from
# routing table(s))
# - The name of an ipset prefaced with "+"
# - A network interface name followed by ":"
# and an address or address range.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
# Specified as a comma-separated list of port names, port
# numbers or port ranges.
#
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# INTERFACE The interface that the packet is to be routed out of.
# If you specify "-" here, then you must enter the IP address
# of a gateway in the GATEWAY column.
#
# GATEWAY The gateway that the packet is to be forewarded through.
#
# See http://shorewall.net/Shorewall_and_Routing.html for additional information.
#######################################################################################
#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
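Review bot: This deletes /etc/shorewall/routes outright, yet the release notes hunk above still carries the item describing the routes file and its columns, and the spec's %files list still names /etc/shorewall/routes beside the new providers entry. Confirm both of those are on the removed side of their diffs, and add a release-notes line stating that the routes file has been removed, otherwise users of the EXPERIMENTAL ROUTE target feature will go looking for a documented file that no longer ships.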

View File

@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
@ -37,6 +37,13 @@
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
# 'clear'. Specifying 'critical' on one or more
# entries will cause your firewall to be "totally
# open" for a brief window during each of those
# operations.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
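Review bot: The 'critical' comment states that the firewall is "totally open" for a brief window during '[re]start', 'stop' and 'clear'. That is an accepted trade-off for diskless hosts, but the comment should tell the reader to list only the individual hosts that must stay reachable (the NFS or LDAP server) rather than whole interfaces, and the same warning belongs in the release-notes item that introduces the option. Minor: "redundent" in the unchanged 'dest' context line above should be "redundant".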

View File

@ -1,5 +1,5 @@
#
# Shorewall version 2.4 - Rules File
# Shorewall version 2.6 - Rules File
#
# /etc/shorewall/rules
#

View File

@ -1,6 +1,6 @@
#!/bin/sh
#
# Shorewall Packet Filtering Firewall Control Program - V2.4
# Shorewall Packet Filtering Firewall Control Program - V2.6
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -158,7 +158,7 @@ iptablesbug()
/--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
{print ; sline="" }'
else
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
fi
}
@ -234,6 +234,7 @@ get_config() {
echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf" >&2
;;
esac
}
#
@ -243,112 +244,6 @@ clear_term() {
[ -t 1 ] && clear
}
#
# Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules
#
display_chains()
{
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then
#
# Send the output to a temporary file since ash craps if we try to store
# the output in a variable.
#
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear_term
echo "$banner $(date)"
echo
echo "Standard Chains"
echo
firstchain="Yes"
showchain INPUT
showchain OUTPUT
showchain FORWARD
timed_read
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
echo "Input Chains"
echo
chains=$(grep '^Chain.*_[in|fwd]' $TMPFILE | cut -d' ' -f 2)
for chain in $chains; do
showchain $chain
done
timed_read
for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
eval display=\$${zone}_display
echo "$display Chains"
echo
for zone1 in $FW $zones; do
showchain ${zone}2$zone1
showchain @${zone}2$zone1
[ "$zone" != "$zone1" ] && \
showchain ${zone1}2${zone} && \
showchain @${zone1}2${zone}
done
timed_read
fi
done
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
echo "Policy Chains"
echo
showchain common
showchain badpkt
showchain icmpdef
showchain rfc1918
showchain blacklst
showchain reject
showchain newnotsyn
for zone in $zones all; do
showchain ${zone}2all
showchain @${zone}2all
[ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
done
timed_read
clear_term
echo "$banner $(date)"
echo
firstchain=Yes
echo "Dynamic Chain"
echo
showchain dynamic
timed_read
qt rm -f $TMPFILE
else
$IPTABLES -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
}
#
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay
@ -441,114 +336,6 @@ show_classifiers() {
done
}
#
# Monitor the Firewall
#
monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes
{
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
pause="Yes"
else
pause="No"
timeout=$1
fi
if qt which awk; then
TMP_DIR=$(mktempdir)
[ -n "$TMP_DIR" ] || { echo " ERROR:Cannot create temporary directory" >&2; exit 1; }
haveawk=Yes
determine_zones
rm -rf $TMP_DIR
else
haveawk=
fi
while true; do
display_chains
clear_term
echo "$banner $(date)"
echo
echo "Dropped/Rejected Packet Log"
echo
show_reset
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
$RING_BELL
packet_log 20
if [ "$pause" = "Yes" ]; then
echo
echo $ECHO_N 'Enter any character to continue: '
read foo
else
timed_read
fi
else
echo
packet_log 20
timed_read
fi
clear_term
echo "$banner $(date)"
echo
echo "NAT Status"
echo
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear_term
echo "$banner $(date)"
echo
echo
echo "TOS/MARK Status"
echo
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear_term
echo "$banner $(date)"
echo
echo
echo "Tracked Connections"
echo
cat /proc/net/ip_conntrack
timed_read
clear_term
echo "$banner $(date)"
echo
echo
echo "Traffic Shaping/Control"
echo
show_tc
timed_read
clear_term
echo "$banner $(date)"
echo
echo
echo "Packet Classifiers"
echo
show_classifiers
timed_read
done
}
#
# Watch the Firewall Log
@ -714,7 +501,6 @@ usage() # $1 = exit status
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
echo " reset"
@ -737,8 +523,8 @@ usage() # $1 = exit status
# Display the time that the counters were last reset
#
show_reset() {
[ -f $STATEDIR/restarted ] && \
echo "Counters reset $(cat $STATEDIR/restarted)" && \
[ -f /var/lib/shorewall/restarted ] && \
echo "Counters reset $(cat /var/lib/shorewall/restarted)" && \
echo
}
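Review bot: show_reset now hard-codes /var/lib/shorewall in place of $STATEDIR, and the same substitution is made in the 'zones' command further down. Since STATEDIR is also dropped from shorewall.conf in this commit, anyone who had pointed STATEDIR elsewhere will see "Counters reset" silently disappear and "shorewall zones" report that /var/lib/shorewall/zones does not exist. Add a release-notes line saying that STATEDIR is no longer honoured and that state now always lives in /var/lib/shorewall.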
@ -896,8 +682,6 @@ export CONFIG_PATH
get_config
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then
@ -953,7 +737,7 @@ case "$1" in
echo "Directory $2 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$2
export SHOREWALL_DIR
;;
@ -963,29 +747,37 @@ case "$1" in
esac
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if qt which make; then
make -qf /etc/shorewall/Makefile || FAST=
fi
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ]; then
echo Restoring Ipsets...
#
# We must purge iptables to be sure that there are no
# references to ipsets
#
iptables -F
iptables -X
${RESTOREPATH}-ipsets
fi
echo Restoring Shorewall...
$RESTOREPATH
date > /var/lib/shorewall/restarted
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
echo Restoring Shorewall...
$RESTOREPATH
date > $STATEDIR/restarted
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
else
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
;;
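Review bot: `make -qf /etc/shorewall/Makefile || FAST=` treats every non-zero status as "configuration changed". make -q exits 1 when a target is out of date but 2 when the Makefile is missing or malformed, so in the error case the -f option is silently downgraded to a full start. That is the safe direction, but print a message (the way the "Restoring Ipsets..." branch does) so the administrator knows why the saved configuration was not used. Separately, the `iptables -F` / `iptables -X` before `${RESTOREPATH}-ipsets` leaves the host with only the chains' default policies until `$RESTOREPATH` has run; that sequence is pre-existing, but now that -f is the normal reboot path a comment describing what protects the host in that window would help the next reader.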
@ -1066,8 +858,7 @@ case "$1" in
;;
zones)
[ $# -gt 2 ] && usage 1
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ -f $STATEDIR/zones ]; then
if [ -f /var/lib/shorewall/zones ]; then
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo
while read zone hosts; do
@ -1075,10 +866,10 @@ case "$1" in
for host in $hosts; do
echo " $host"
done
done < $STATEDIR/zones
done < /var/lib/shorewall/zones
echo
else
echo " ERROR: $STATEDIR/zones does not exist" >&2
echo " ERROR: /var/lib/shorewall/zones does not exist" >&2
exit 1
fi
;;
@ -1113,16 +904,6 @@ case "$1" in
;;
esac
;;
monitor)
[ -n "$debugging" ] && set -x
if [ $# -eq 2 ]; then
monitor_firewall $2
elif [ $# -eq 1 ]; then
monitor_firewall 30
else
usage 1
fi
;;
status)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1
@ -1168,7 +949,7 @@ case "$1" in
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do
for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
show_proc $directory/$file
done
done
@ -1252,7 +1033,7 @@ case "$1" in
echo $version
;;
try)
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then

View File

@ -1,5 +1,5 @@
##############################################################################
# /etc/shorewall/shorewall.conf V2.4 - Change the following variables to
# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -227,20 +227,6 @@ RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
BOGON_LOG_LEVEL=info
#
# MARTIAN LOGGING
#
@ -289,15 +275,6 @@ SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# KERNEL MODULE DIRECTORY
#
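Review bot: STATEDIR is removed here with no deprecation check, so an upgraded shorewall.conf that still sets STATEDIR is accepted silently while the control script now uses /var/lib/shorewall. Have get_config emit a WARNING: when STATEDIR is set to anything other than /var/lib/shorewall, in the same style already used for STARTUP_ENABLED.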
@ -340,6 +317,17 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
#
# OLD ZONE FILE FORMAT
#
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't
# converted, we offer this variable that sets the name of the file for ipsec
# information. This option must take the value "zones" or "ipsec". If the option
# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
IPSECFILE=zones
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
@ -375,7 +363,7 @@ IP_FORWARDING=On
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=No
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
@ -716,41 +704,6 @@ DYNAMIC_ZONES=No
PKTTYPE=Yes
#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
#
# RFC 1918 BEHAVIOR
#
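Review bot: Dropping the DROPINVALID block also drops the only place in this file that documented ip_conntrack_tcp_be_liberal and ip_conntrack_log_invalid. With the option gone, INVALID packets traverse the normal rule chains for everyone, including users who had DROPINVALID=Yes and relied on the early drop. Suggest get_config emit a WARNING: when DROPINVALID is still present in an old shorewall.conf, and keep the two /proc/sys hints somewhere findable (a comment in this section or the docs) so administrators can still locate them.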
@ -816,6 +769,17 @@ MACLIST_TTL=
SAVE_IPSETS=No
#
# Map Old Actions
#
# Previously, Shorewall included a large number of standard actions (AllowPing,
# AllowFTP, ...). These have been replaced with parameterized macros. For
# compatibility, Shorewall can map the old names into invocations of the new
# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
MAPOLDACTIONS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
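Review bot: "Map Old Actions" breaks the all-caps heading style used by every other option comment in this file (compare "OLD ZONE FILE FORMAT" and "DROP INVALID PACKETS"); rename it "MAP OLD ACTIONS". The sentence ending "then MAPOLDACTIONS=Yes is assumed" is also missing its closing period.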

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 2.4.0
%define version 2.5.0
%define release 1
%define prefix /usr
@ -95,52 +95,70 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
%attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
%attr(0600,root,root) %config(noreplace) /etc/shorewall/started
%attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
%attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
%attr(0544,root,root) /sbin/shorewall
%attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/actions.std
%attr(0600,root,root) /usr/share/shorewall/action.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/action.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/action.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/action.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowNTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowPCA
%attr(0600,root,root) /usr/share/shorewall/action.AllowPing
%attr(0600,root,root) /usr/share/shorewall/action.AllowPOP3
%attr(0600,root,root) /usr/share/shorewall/action.AllowRdate
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMB
%attr(0600,root,root) /usr/share/shorewall/action.AllowSMTP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSNMP
%attr(0600,root,root) /usr/share/shorewall/action.AllowSSH
%attr(0600,root,root) /usr/share/shorewall/action.AllowTelnet
%attr(0600,root,root) /usr/share/shorewall/action.AllowTrcrt
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNC
%attr(0600,root,root) /usr/share/shorewall/action.AllowVNCL
%attr(0600,root,root) /usr/share/shorewall/action.AllowWeb
%attr(0600,root,root) /usr/share/shorewall/action.Drop
%attr(0600,root,root) /usr/share/shorewall/action.DropDNSrep
%attr(0600,root,root) /usr/share/shorewall/action.DropPing
%attr(0600,root,root) /usr/share/shorewall/action.DropSMB
%attr(0600,root,root) /usr/share/shorewall/action.DropUPnP
%attr(0600,root,root) /usr/share/shorewall/action.Reject
%attr(0600,root,root) /usr/share/shorewall/action.RejectAuth
%attr(0600,root,root) /usr/share/shorewall/action.RejectSMB
%attr(0600,root,root) /usr/share/shorewall/action.template
%attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help
%attr(0600,root,root) /usr/share/shorewall/macro.AllowAuth
%attr(0600,root,root) /usr/share/shorewall/macro.AllowDNS
%attr(0600,root,root) /usr/share/shorewall/macro.AllowFTP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/macro.AllowIMAP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowNNTP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowNTP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowPCA
%attr(0600,root,root) /usr/share/shorewall/macro.AllowPing
%attr(0600,root,root) /usr/share/shorewall/macro.AllowPOP3
%attr(0600,root,root) /usr/share/shorewall/macro.AllowRdate
%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMTP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowSNMP
%attr(0600,root,root) /usr/share/shorewall/macro.AllowSMB
%attr(0600,root,root) /usr/share/shorewall/macro.AllowSSH
%attr(0600,root,root) /usr/share/shorewall/macro.AllowTelnet
%attr(0600,root,root) /usr/share/shorewall/macro.AllowTrcrt
%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNC
%attr(0600,root,root) /usr/share/shorewall/macro.AllowVNCL
%attr(0600,root,root) /usr/share/shorewall/macro.AllowWeb
%attr(0600,root,root) /usr/share/shorewall/macro.DropDNSrep
%attr(0600,root,root) /usr/share/shorewall/macro.DropPing
%attr(0600,root,root) /usr/share/shorewall/macro.DropSMB
%attr(0600,root,root) /usr/share/shorewall/macro.RejectSMB
%attr(0600,root,root) /usr/share/shorewall/macro.DropUPnP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdAuth
%attr(0600,root,root) /usr/share/shorewall/macro.FwdDNS
%attr(0600,root,root) /usr/share/shorewall/macro.FwdFTP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdIMAP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdNNTP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdPCA
%attr(0600,root,root) /usr/share/shorewall/macro.FwdPing
%attr(0600,root,root) /usr/share/shorewall/macro.FwdPOP3
%attr(0600,root,root) /usr/share/shorewall/macro.FwdRdate
%attr(0600,root,root) /usr/share/shorewall/macro.FwdSMTP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdSNMP
%attr(0600,root,root) /usr/share/shorewall/macro.FwdSSH
%attr(0600,root,root) /usr/share/shorewall/macro.FwdTelnet
%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNC
%attr(0600,root,root) /usr/share/shorewall/macro.FwdVNCL
%attr(0600,root,root) /usr/share/shorewall/macro.FwdWeb
%attr(0600,root,root) /usr/share/shorewall/macro.RejectAuth
%attr(0600,root,root) /usr/share/shorewall/macro.template
%attr(0600,root,root) /usr/share/shorewall/rfc1918
%attr(0600,root,root) /usr/share/shorewall/bogons
%attr(0600,root,root) /usr/share/shorewall/configpath
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
%changelog
* Mon Jul 25 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.0-1
- Add macros and convert most actions to macros
* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
- Updated to 2.4.0-1
* Sun May 30 2005 Tom Eastep tom@shorewall.net
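Review bot: The version bump to 2.5.0 here contradicts the "2.6" headers written into rfc1918, routestopped, rules, shorewall, shorewall.conf, start, started, stop and stopped in this same commit, and the IPSECFILE comment in shorewall.conf says the zones/ipsec merge begins with 2.5.0; settle on one version string for the headers, the spec and the release notes. In the %files list, macro.RejectSMB is filed between macro.DropSMB and macro.DropUPnP, breaking the otherwise alphabetical order, and the Allow* set has no Fwd counterpart for AllowICMPs and AllowSMB; if that omission is intentional, a word in the changelog entry would save the next reader a diff.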

View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/start
# Shorewall 2.6 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.

View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/started
# Shorewall 2.6 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this

View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/stop
# Shorewall 2.6 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.

View File

@ -1,5 +1,5 @@
############################################################################
# Shorewall 2.4 -- /etc/shorewall/stopped
# Shorewall 2.6 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.

Some files were not shown because too many files have changed in this diff.