Import of shoregen 0.1.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3999 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
paulgear 2006-06-07 03:02:49 +00:00
parent d7ba73e4c1
commit b7d2e8c684
32 changed files with 1950 additions and 0 deletions

contrib/shoregen/AUTHORS (Normal file, 1 line)

@ -0,0 +1 @@
Paul Gear <paul@gear.dyndns.org>

contrib/shoregen/BUGS (Normal file, 6 lines)

@ -0,0 +1,6 @@
Sat Apr 24 23:10:10 EST 2004:
- The "minimal" in "Only the minimal information necessary for operation is
stored on each firewall" is a bit of an overstatement. This could
probably use some work.

contrib/shoregen/COPYING (Normal file, 340 lines)

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

contrib/shoregen/README (Normal file, 125 lines)

@ -0,0 +1,125 @@
shoregen 0.1
Shoreline Firewall configuration generator
(c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
SHOREWALL
The quick plug:
- I love shorewall. Shorewall is the only firewall i trust.
The IT Manager plug:
- Shorewall is a policy-driven firewall which lets you think about your
firewall at a higher level than iptables commands.
The hard sell to you crazy people still maintaining manual firewall scripts:
- Shorewall is a wrapper around the kernel iptables, so your existing
Linux firewall skills transfer. I converted from a 900-plus-line
ipchains shell script to around 50 lines of shorewall configuration in
less than 4 hours, with no prior experience.
ISSUES
- I'm paranoid - i want more than one firewall between me and the world.
- Configuring multiple firewalls separately is a recipe for getting your
rules out of sync, and allowing security problems to creep in.
- IT Manager types (like me) like to know their policy is consistently
implemented.
SOLUTION
Shoregen is a script that generates shorewall configurations for multiple
firewalls from a common set of rules and policies. Only the minimal
information necessary for operation is stored on each firewall, so, for
example, your DMZ server doesn't need to know about the rules on your
internal network, but at the same time, it gets consistent rules to your
outer guard.
PHILOSOPHY
Shoregen assumes the X-Files approach to firewall design: trust no one.
That is, paranoia is a virtue. All access should be as limited as possible
for things to work. If you don't already agree with this philosophy, you
may find some of the things shoregen does frustrating, but then again,
you're probably not reading this document. :-)
DESIGN
Shoregen distinguishes between two different types of shorewall
configurations. Most shorewall configuration files are simply concatenated
together from parts constructed from common and host-specific parts. These
are called simple configs, and shoregen doesn't substantially alter them,
and uses little information from them.
Configs with which shoregen is more concerned are treated separately, and
additional features beyond the scope of shorewall itself are implemented.
Most importantly, two new policy/rule keywords are introduced: WARN and
BAN. These keywords are not included in shoregen's output, but when a
subsequent rule or policy is encountered which matches a rule or policy
marked WARN or BAN, an error message is issued. In the case of BAN, the
offending line is also dropped from the output, and a non-zero return code
issued.
PREREQUISITES
The tools you will need to use shoregen are:
perl The main shoregen script is written in Perl
rsync Used to keep /etc/shorewall directories on your firewalls
in sync with the central repository
ssh Encrypted transport for rsync
make Optional, but saves a few keystrokes.
USAGE
Put shoregen and install_shoregen in a directory on your PATH.
Make a central directory for your configs. I recommend somewhere in a
trusted user's home directory or central system admin repository. This
directory should be on a trusted machine in the most secure part of your
network. Put all of your policies, rules, and zones together in the
correct order in files in the top level of this directory.
For each of the simple configs you want to generate centrally, create a
directory, with a file called COMMON (if necessary) containing the content
you want to see in that file on all hosts, and a file named for each host
for host-specific content. I recommend that the default shorewall
configuration file be placed in the COMMON file of the corresponding
directory, with directives that are not appropriate commented out.
When shoregen is run, it places the generated files in the directory
SPOOL/<host>, where <host> is the hostname of the target firewall. The
files in this directory are synchronised and the firewall checked and/or
restarted by a simple wrapper script called install_shoregen.
See the samples directory for a starting point configuration. It provides
some suggested policies & rules for the network shown in example1.png. The
sample configuration has not been tested in any way.
I hope you find shoregen useful. I welcome your comments, contributions,
criticisms, and questions.
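Review bot: the first line reads "shoregen 0.1" while this commit imports 0.1.1; bump the version string. Two gaps in USAGE: it recommends keeping the central directory under a "trusted user's home directory" but never says why that matters, namely that install_shoregen pushes SPOOL/<host> to root@host:/etc/shorewall and restarts the firewall, so anyone who can write to the config tree or to SPOOL controls every firewall's ruleset; state that threat and the required ownership and permissions explicitly. And the SOLUTION paragraph's claim that "Only the minimal information necessary for operation is stored on each firewall" is already flagged as an overstatement in BUGS; soften it here rather than leaving the two files in disagreement.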

contrib/shoregen/TODO (Normal file, 19 lines)

@ -0,0 +1,19 @@
As at Wed Apr 21 22:30:12 EST 2004:
- Need to make it possible for a host to have the same $FW name as the zone
in which it belongs, and have shoregen automatically create appropriate
rules.
- At the moment, if a fully-expanded policy file (such as is shown
- Better documentation & samples. I'm sure there is room for improvement.
- Better rule & policy sanitisation. Again, there is room for improvement.
- The Makefile could be improved to detect changes in the lower level
config files and call shoregen automatically when they are out-of-date.
At the moment, shoregen is so simple (and thus fast) that the amount of
time that would be saved by a clever Makefile (in comparison to the
rsync, ssh, and shorewall steps) is probably not worth the trouble to
code.
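Review bot: the second item ("At the moment, if a fully-expanded policy file (such as is shown") stops mid-sentence, so the reader cannot tell what the limitation is or where it is shown; finish the sentence or drop the item.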


@ -0,0 +1,103 @@
#!/bin/sh
#
# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
#
# Wrapper script to install shoregen-generated shorewall configuration files.
#
#
# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
# <http://www.gnu.org/copyleft/gpl.html> on the World Wide Web.
VERBOSE=0
RESTART=0
CHECK=1
usage()
{
echo "Usage: $0 [--verbose] [--restart] host ...
Generates and installs shorewall configuration on the given hosts" >&2
exit 1
}
error()
{
echo "$0: ERROR -" "$@" >&2
}
while :; do
case "$1" in
-v|--verbose)
VERBOSE=1
shift
;;
-r|--restart)
RESTART=1
shift
;;
-c|--nocheck)
CHECK=0
shift
;;
--)
shift
break 2
;;
--*)
error "Unrecognised option $1"
usage
;;
*)
break 2
;;
esac
done
set -e
set -u
if [ "$#" -lt 1 ]; then
usage
fi
USER=root
RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
#--progress
if [ "$VERBOSE" -gt 0 ]; then
RSYNC_ARGS="$RSYNC_ARGS --verbose"
fi
DIR=/etc/shorewall
SW_PATH=/sbin/shorewall
PATH=$PATH:
for HOST; do
shoregen $HOST
rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
if [ "$CHECK" -gt 0 ]; then
ssh -l $USER -t $HOST $SW_PATH check
fi
if [ "$RESTART" -gt 0 ]; then
ssh -l $USER -t $HOST $SW_PATH restart
fi
done
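Review bot: `PATH=$PATH:` leaves a trailing empty component, which the shell treats as the current directory, so `shoregen`, `rsync` and `ssh` are resolved in whatever directory the admin happens to run this from; a planted `shoregen` in a writable cwd would run with the admin's privileges and its output would then be pushed as root to every firewall. Drop the line (the README already requires the tools to be on PATH) or set an explicit, absolute PATH. Related: everything runs as root over ssh (USER=root, `ssh -l $USER`), both the file copy and `shorewall check`/`restart`; use a dedicated key whose authorized_keys entry is restricted with from= and command=, or an unprivileged account with sudo limited to $SW_PATH, and make sure the firewalls' host keys are already in known_hosts so the `-t` sessions never prompt. The rsync has no `--delete`, so a rule or zone file removed from SPOOL/$HOST stays live on the firewall, which undercuts the README's minimal-information goal; `--backup` is already there as the safety net if `--delete` is added. Minor: usage() does not mention `-c|--nocheck` (and `-c` meaning "no check" is easy to misread as "check"); `break 2` inside the case has only one enclosing loop, since case is not a loop, so plain `break` is what is meant; and `set -e`/`set -u` take effect only after option parsing.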


@ -0,0 +1,10 @@
FLAGS=-c -r
HOSTS=ig proxy mail og
default: $(HOSTS)
$(HOSTS):
shoregen $@
install:
install_shoregen -c -r $(HOSTS)
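Review bot: FLAGS is defined as `-c -r` but the install target repeats the flags literally instead of using `$(FLAGS)`, so editing FLAGS changes nothing. More important, that default combination means `make install` pushes the configuration and restarts every firewall with `shorewall check` skipped (`-c` is --nocheck in install_shoregen); a typo then hits a live firewall with no pre-check, so drop `-c` from the default and let people opt out explicitly. Also declare `.PHONY: default install $(HOSTS)`: the host names are not files, and a stray file called `mail` or `proxy` in this directory would make that target silently "up to date". The install target has no dependency on $(HOSTS), which is fine because install_shoregen runs `shoregen $HOST` itself; a comment saying so would save the next reader the check.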


@ -0,0 +1,13 @@
# ZONE HOST(S) OPTIONS
# I used the vi command
# !Gsort -k2 -k1
# to sort this file, starting at the next line.
mail eth0:$MAIL
og eth0:$OG
proxy eth0:$PROXY
net eth0:0.0.0.0/0
lan eth1:$LAN
other eth1:0.0.0.0/0
guest eth2:$GUEST
other eth2:0.0.0.0/0
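Review bot: the `0.0.0.0/0` entries (`net eth0`, `other eth1`, `other eth2`) overlap every named host on the same interface, so which zone a packet is assigned to is decided by the order of zones in the zones file, not by anything in this file; the sort comment above suggests the opposite, so add a comment stating that dependency (no zones file is visible in this change, so it cannot be checked here). The sorting instruction itself is editor-specific and would sit better in the README.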


@ -0,0 +1,7 @@
# ZONE HOST(S) OPTIONS
guest eth0:$GUEST
ig eth0:$IG
lan eth0:$LAN
og eth0:$OG
proxy eth0:$PROXY
net eth0:0.0.0.0/0


@ -0,0 +1,7 @@
# ZONE HOST(S) OPTIONS
guest eth0:$GUEST
ig eth0:$IG
lan eth0:$LAN
mail eth0:$MAIL
proxy eth0:$PROXY
other eth0:0.0.0.0/0
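Review bot: the catch-all here is `other eth0:0.0.0.0/0`, whereas the hosts files on either side of it use `net` in the same position. That fits a gateway whose internet side is defined in its interfaces file (`net eth1` / `net ppp+`), so that an unknown source on the inside segment hits `other ... DROP` rather than the `net` rules, but the distinction is easy to lose when copying between hosts; a one-line comment explaining why this file says `other` would prevent that.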


@ -0,0 +1,7 @@
# ZONE HOST(S) OPTIONS
guest eth0:$GUEST
ig eth0:$IG
lan eth0:$LAN
mail eth0:$MAIL
og eth0:$OG
net eth0:0.0.0.0/0


@ -0,0 +1,5 @@
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect -
- eth1 detect dhcp
- eth2 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,3 @@
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,5 @@
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect -
net eth1 detect norfc1918,blacklist,dhcp
net ppp+ detect norfc1918,blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,3 @@
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,9 @@
# These are parameterised firstly so they only live in one place, and
# secondly because they can appear on different interfaces, but with a
# constant address.
OG=10.1.1.1
MAIL=10.1.1.2
PROXY=10.1.1.3
IG=10.1.1.4
LAN=10.1.2.0/24
GUEST=10.1.3.0/24


@ -0,0 +1,112 @@
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST EXT
#
# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
# the policy or rules file. These are not part of shorewall and do not
# actually block any traffic. They are about stopping the firewall
# administrator from activating silly rules. Note that these rules should
# always be accompanied by a corresponding REJECT/BAN policy as they don't
# actually set the shorewall policy (see below for these).
#
# These policies are samples only and are not suggested for your
# environment. You must decide on the policies that are right for you.
#
guest lan BAN
proxy lan BAN
mail lan BAN
og lan BAN
net lan BAN
proxy guest BAN
mail guest BAN
og guest BAN
net guest BAN
proxy ig BAN
mail ig BAN
og ig BAN
net ig BAN
net proxy BAN
proxy og BAN
mail og BAN
net og BAN
ig net BAN
#
# Now the normal policies. We define each set of zone pairs individually
# so that Shorewall produces more meaningful error messages.
#
lan guest ACCEPT info
lan ig REJECT info
lan proxy REJECT info
lan mail REJECT info
lan og REJECT info
lan net REJECT info
lan other REJECT info
lan all REJECT info
guest lan REJECT info
guest ig REJECT info
guest proxy REJECT info
guest mail REJECT info
guest og REJECT info
guest net ACCEPT info
guest other REJECT info
guest all REJECT info
ig lan REJECT info
ig guest REJECT info
ig proxy REJECT info
ig mail REJECT info
ig og REJECT info
ig net REJECT info
ig other REJECT info
ig all REJECT info
proxy lan REJECT info
proxy guest REJECT info
proxy ig REJECT info
proxy mail REJECT info
proxy og REJECT info
proxy net ACCEPT
proxy other REJECT info
proxy all REJECT info
mail lan REJECT info
mail guest REJECT info
mail ig REJECT info
mail proxy REJECT info
mail og REJECT info
mail net REJECT info
mail other REJECT info
mail all REJECT info
og lan REJECT info
og guest REJECT info
og ig REJECT info
og proxy REJECT info
og mail REJECT info
og net REJECT info
og other REJECT info
og all REJECT info
net lan DROP info
net guest DROP info
net ig DROP info
net proxy DROP info
net mail DROP info
net og DROP info
net other DROP info
net all DROP info
# Catch-all policies
other all DROP info
all all DROP info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
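Review bot: `proxy net ACCEPT` is the only policy without a log level and the only one that opens a DMZ host to the internet wholesale; it makes the proxy-to-net ACCEPT rules in the rules file (ftp, ssh, dns, http, nntp, ntp) redundant and gives a compromised proxy unrestricted egress, the opposite of the "trust no one" design stated in the README. Change it to `proxy net REJECT info` and let the explicit rules carry the holes. Two smaller points: no policy mentions `$FW`, so each firewall's own traffic (its DNS, NTP, syslog) ends in `all all DROP info`, which matches the first TODO item but should be stated in the header comment so nobody is surprised; and the header's "accompanied by a corresponding REJECT/BAN policy" should read REJECT/DROP, since BAN is the meta keyword, not a Shorewall policy.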


@ -0,0 +1,187 @@
#
# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
#
# Master Rules File
#
# This file is organised into 4 main sections:
# 1. Rules that need to transcend the more general WARN/BAN rules. The
# reason for this is typically system administration and
# troubleshooting. This section should be kept as small as possible.
# 2. WARN/BAN rules to put restrictions on which rules contravening
# policies may be created. This section should be as large as
# possible, if you take a traditional (i.e. paranoid) approach to
# firewall design.
# 3. Noise-reducing rules for illegitimate traffic. This is typically
# small, but may grow as time goes on.
# 4. Normal rules which define the holes in your firewall. Again, this
# should include only the rules you need and no more. However, even
# on a simple home network like mine, this section tends to get
# large!
#
#
# Order by port, protocol, dest zone (in->out order), src zone (in->out
# order).
#
#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
#
# Nearly all of these rules should be limited to system administration
# terminals. These would be better put in a separate zone.
#
# ping (more below)
ACCEPT lan og icmp 8
# ssh (more below)
ACCEPT lan og tcp 22
ACCEPT ig og tcp 22
# SNMP (more below) - for MRTG stats run from LAN
ACCEPT lan og udp 161
# syslog (more below)
ACCEPT ig lan udp 514
# Squid - this wouldn't be necessary except that a lot of OS updates are
# rather large...
ACCEPT mail proxy tcp 3128
#
# Section 2: WARN/BAN rule directives
#
BAN ig lan
BAN mail proxy
BAN lan og
BAN ig og
#
# Section 3: Drop noisy junk
#
# auth - reverse of the SMTP rules below
REJECT mail lan tcp 113
REJECT mail guest tcp 113
REJECT mail ig tcp 113
REJECT mail proxy tcp 113
REJECT mail og tcp 113
REJECT net og tcp 113
REJECT mail net tcp 113
# KaZaA file sharing
DROP net og tcp 1214
# Gnutella server
REJECT net og tcp 6346,6347
# Half-Life
REJECT net og udp 27015,27016
#
# Section 4: Normal traffic
#
# ping (more above)
ACCEPT lan ig icmp 8
ACCEPT lan proxy icmp 8
ACCEPT lan mail icmp 8
ACCEPT ig proxy icmp 8
ACCEPT ig mail icmp 8
ACCEPT og proxy icmp 8
ACCEPT og mail icmp 8
ACCEPT og net icmp 8
# FTP
ACCEPT proxy net tcp 21
# ssh (more above)
ACCEPT lan ig tcp 22
ACCEPT lan proxy tcp 22
ACCEPT lan mail tcp 22
ACCEPT lan net tcp 22
ACCEPT ig proxy tcp 22
ACCEPT ig mail tcp 22
ACCEPT proxy mail tcp 22
ACCEPT proxy net tcp 22
# SMTP
ACCEPT lan mail tcp 25
ACCEPT guest mail tcp 25
ACCEPT ig mail tcp 25
ACCEPT proxy mail tcp 25
ACCEPT og mail tcp 25
DNAT net mail:$MAIL tcp 25
ACCEPT mail net tcp 25
# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
# proxy, and mail independent of the rest (proxy & mail should run their
# own caches).
ACCEPT lan proxy tcp 53
ACCEPT lan proxy udp 53
ACCEPT guest proxy tcp 53
ACCEPT guest proxy udp 53
ACCEPT ig proxy tcp 53
ACCEPT ig proxy udp 53
ACCEPT og proxy tcp 53
ACCEPT og proxy udp 53
ACCEPT proxy net tcp 53
ACCEPT proxy net udp 53
ACCEPT mail net tcp 53
ACCEPT mail net udp 53
# HTTP
ACCEPT proxy net tcp 80
# POP3 - must be proxied through mail
ACCEPT mail net tcp 110
ACCEPT lan mail tcp 110
# NNTP - application layer proxy (e.g. leafnode) on proxy
ACCEPT lan proxy tcp 119
ACCEPT proxy net tcp 119
# NTP - we really need more than 2 servers, but this is only an example. :-)
ACCEPT lan proxy udp 123
ACCEPT lan mail udp 123
ACCEPT ig proxy udp 123
ACCEPT ig mail udp 123
ACCEPT proxy net udp 123
ACCEPT mail net udp 123
ACCEPT og proxy udp 123
ACCEPT og mail udp 123
# IMAP
ACCEPT lan mail tcp 143
ACCEPT guest mail tcp 143
# SNMP (more above) - for MRTG stats
ACCEPT lan ig udp 161
ACCEPT lan proxy udp 161
ACCEPT lan mail udp 161
# HTTPS
ACCEPT proxy net tcp 443
# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
ACCEPT og mail udp 514
ACCEPT proxy mail udp 514
# Squid
ACCEPT lan proxy tcp 3128
ACCEPT guest proxy tcp 3128
ACCEPT ig proxy tcp 3128
ACCEPT og proxy tcp 3128
# Webmin
ACCEPT lan proxy tcp 10000
ACCEPT guest proxy tcp 10000
ACCEPT ig proxy tcp 10000
ACCEPT og proxy tcp 10000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
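Review bot: `ACCEPT guest proxy tcp 10000` in the Webmin block lets the `guest` zone, described in the zones file as "Untrusted LAN hosts", reach the administrative Webmin interface on the proxy host; that reads like a copy of the Squid block above rather than intent, and should be dropped or confined to the lan zone the way the ssh and SNMP admin rules in Section 1 are. A second point: Section 1's exemption from the BAN directives works only because those rules sit above the `BAN` lines and shoregen records a BAN when it reaches it in file order, so any rule later inserted above the BAN block silently bypasses the policy; a comment on the BAN block (or a check in the script) making that ordering dependency explicit would help. Finally, `DNAT net mail:$MAIL tcp 25` depends on `$MAIL` being set in the params file; a comment naming where it is defined would save the next reader a search.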


@ -0,0 +1,569 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=10/minute
LOGBURST=5
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
LOGUNCLEAN=info
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this section for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=info
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
#FW=fw
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
#IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=No
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=yes
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES=Yes
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
DETECT_DNAT_IPADDRS=No
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection, it will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
NEWNOTSYN=Yes
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
# naming convention then you can specify the suffix (extension) for module
# names in this variable.
#
# To see what suffix is used by your distribution:
#
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
#
MODULE_SUFFIX=
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
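Review bot: `BLACKLIST_LOGLEVEL=` is the one logging setting in this file left empty, so blacklist hits are dropped silently while unclean, newnotsyn, maclist, tcpflags and rfc1918 failures all log at info. If that is a deliberate answer to the log-flood concern in the comment above it, a short note saying so would help, since LOGRATE=10/minute and LOGBURST=5 are already there to cap log volume. Separately, this is the upstream 1.4 sample with FW and IP_FORWARDING commented out so the per-host files can supply them; a header comment listing every value changed from the upstream sample would make syncing with later Shorewall releases much easier than diffing the whole file.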


@ -0,0 +1,2 @@
FW=ig
IP_FORWARDING=On


@ -0,0 +1,2 @@
FW=enoch
IP_FORWARDING=Off


@ -0,0 +1,2 @@
FW=og
IP_FORWARDING=On


@ -0,0 +1,2 @@
FW=dmz
IP_FORWARDING=Off
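Review bot: `FW=dmz` names a firewall zone that appears nowhere in the sample zones, policy or rules files, and the same applies to `FW=enoch` two files up. Because shoregen adds the FW name to the host's valid zones and keeps only rules whose source and destination are both valid, a host generated with FW=dmz matches no sample rule in which it is itself an endpoint; the rules for the proxy and mail servers are written against the `proxy` and `mail` zones. If these two files are meant for those servers (IP_FORWARDING=Off suggests so), FW should be `proxy` and `mail` respectively, or the sample zones file should gain the extra names; either way, a comment saying which host each file belongs to would remove the guesswork.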


@ -0,0 +1,10 @@
#ZONE DISPLAY COMMENTS
lan LAN Local network
guest Guest Untrusted LAN hosts
ig IG Inner Guard
og OG Outer Guard
mail Mail Mail server
proxy Proxy Proxy server
net Net Internet
other Other Basket for things that don't fit elsewhere
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

contrib/shoregen/shoregen Normal file

@ -0,0 +1,373 @@
#!/usr/bin/perl -w
#
# $Id: shoregen,v 1.27 2004/04/24 12:31:18 paulgear Exp $
#
# Generate shorewall configuration for a host from central configuration
# files.
#
#
# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to
# <http://www.gnu.org/copyleft/gpl.html> on the World Wide Web.
#
use strict;
my $VERBOSE = 1;
my $DEBUG = 1;
my $DATE = scalar localtime;
my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
if ($#ARGV != 0) {
print STDERR "Usage: $0 <hostname>\n";
exit 1;
}
my $base = ".";
my $host = $ARGV[ 0 ];
my $spool = "$base/SPOOL";
my $dir = "$spool/$host";
#
# Messaging routines for use by the program itself - any errors that are
# generated externally (e.g. file opening problems) are reported using the
# usual perl 'die' or 'warn' functions.
#
sub warning
{
print STDERR "$0: WARNING - @_\n";
}
sub fatal
{
my $RET = shift;
print STDERR "$0: FATAL - @_\n";
exit $RET;
}
sub message
{
print "$0: @_\n";
}
#
# These bits make the files that actually get copied to the target host
#
sub stripfile
{
open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
my @file;
for (<$file>) {
s/\s*#.*$//g; # remove all comments
next if m/^\s*$/; # skip blank lines
push @file, $_;
}
close $file or warn "Can't close $_[ 0 ] after reading: $!";
return @file;
}
sub constructfile
{
my $confname = shift;
my $dst = shift;
my $foundone = 0;
message "Constructing $confname" if $VERBOSE > 1;
open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
printf $DST $HEADER, $confname;
for my $file (@_) {
if (-r $file) {
$foundone = 1;
print $DST "##$file\n" if $DEBUG > 1;
print $DST stripfile $file;
}
}
close $DST or warn "Can't close $dst: $!";
if (!$foundone) {
warning "\"$confname\" not present. " .
"Existing file on $host will be preserved." if $VERBOSE > 2;
unlink $dst;
}
}
#
# main
#
my $fw; # Firewall zone for this host
my @globalzones; # All known zones
my %globalzones;
my %hostzones; # zones applicable to this host
my $outfile; # filename holders
my $conf; # config file we're processing at present
my %warnban; # meta-rules/policies
# Change to the base configuration directory
die "Configuration directory $base doesn't exist!" if ! -d $base;
chdir $base or die "Can't change directory to $base: $!";
# Create spool directories if necessary
if (! -d "$spool") {
mkdir "$spool" or die "Can't create spool directory $spool: $!";
}
if (! -d $dir) {
mkdir $dir or die "Can't create host spool directory $dir: $!";
}
#
# Construct all the simple config files.
#
# Config files for which the host-specific file is included *first*
my @hostfirstconfigs = qw( blacklist ecn hosts interfaces maclist masq nat
proxyarp rfc1918 routestopped start stop stopped tcrules tos tunnels );
# Config files for which the host-specific file is included *last*
my @hostlastconfigs = qw( common init modules params shorewall.conf );
for my $conf (@hostfirstconfigs) {
constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
}
for my $conf (@hostlastconfigs) {
constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
}
#
# The remaining config files (policy, rules, zones) are processed uniquely.
#
# Find the firewall name of this host
open( my $infile, "$dir/shorewall.conf" ) or
die "Can't open $dir/shorewall.conf: $!";
for (<$infile>) {
next unless m/^\s*FW=(\S+)/;
$fw = $1;
last;
}
close $infile;
# The firewall name must be defined
unless (defined $fw) {
fatal 1, "Can't find firewall name for $host in $dir/shorewall.conf";
}
# Find all valid zones
unless (-r "zones") {
fatal 2, "You must provide a global zone file";
}
for (stripfile "zones") {
chomp;
my ($zone, $details) = split /\s+/, $_, 2;
push @globalzones, $zone;
$globalzones{ $zone } = $details;
}
#
# Work out which zones apply to this host from the combination of hosts &
# interfaces. The first field in both files is the zone name, and the
# second (minus any trailing ips) is the interface, which we save as well
# for later reference.
#
for my $infile ("$dir/hosts", "$dir/interfaces") {
if (-r $infile) {
for (stripfile $infile) {
chomp;
my @F = split;
next if $#F < 0;
next if $F[ 0 ] eq "-";
my @IF = split /:/, $F[ 1 ];
$hostzones{ $F[ 0 ] } = $IF[ 0 ];
}
}
}
$conf = "zones";
#
# Create the zones file from the intersection of the above - note the order
# from the original zone file must be preserved, hence the need for the
# array as well as the hash.
#
open( $outfile, ">$dir/$conf" ) or
die "Can't open $dir/$conf for writing: $!";
printf $outfile $HEADER, "$conf";
my %tmpzones = %hostzones; # Take a copy of all the zones,
for my $zone (@globalzones) {
if (exists $tmpzones{ $zone }) {
print $outfile "$zone $globalzones{ $zone }\n";
delete $tmpzones{ $zone }; # deleting those found as we go along.
}
}
close $outfile or warn "Can't close $dir/$conf after writing: $!";
for my $zone (sort keys %tmpzones) { # Warn if we've got any zones left now.
#next if $zone eq "-";
warning "No entry for $zone in global zones file - ignored";
}
undef %tmpzones;
my @tmp = sort keys %hostzones;
message "FW zone for $host: $fw" if $VERBOSE > 0;
message "Other zones for $host: @tmp" if $VERBOSE > 0;
#
# Add 'all' as a valid source or destination. Added here so it doesn't get
# checked in %tmpzones check above. Also add firewall itself. (The
# numbers are not important as long as they are different.)
#
$hostzones{"all"} = 1;
$hostzones{$fw} = 2;
#
# Create the policy file, including only the applicable zones.
#
$conf = "policy";
if (! -r $conf) {
fatal 3, "You must provide a global \"$conf\" file";
}
open( $outfile, ">$dir/$conf" ) or
die "Can't open $dir/$conf for writing: $!";
printf $outfile $HEADER, "$conf";
for (stripfile $conf) {
chomp;
my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
# Both source and destination zones must be valid on this host for this
# policy to apply.
next unless defined $hostzones{$src} and defined $hostzones{$dst};
# Source and destination zones must be on different interfaces as well,
# except for the case of all2all.
#next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
# Save WARN & BAN details for later rules processing
if ($pol eq "WARN" or $pol eq "BAN") {
if (exists $warnban{$src}{$dst}) {
warning "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
}
$warnban{$src}{$dst} = $pol;
next;
}
printf $outfile "%s\n", $_;
}
close $outfile or warn "Can't close $dir/$conf for writing: $!";
#
# Create the rules file, only including the applicable zones and taking
# into account any WARN or BAN policies.
#
$conf = "rules";
if (! -r $conf) {
fatal 4, "You must provide a global \"$conf\" file";
}
open( $outfile, ">$dir/$conf" ) or
die "Can't open $dir/$conf for writing: $!";
printf $outfile $HEADER, "$conf";
my $ret = 0;
for (stripfile $conf) {
chomp;
my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
# strip down to only the main tag
$act =~ s/:.*//;
$src =~ s/:.*//;
$dst =~ s/:.*//;
print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
# Both source and destination zones must be valid on this host for this
# rule to apply.
next unless defined $hostzones{$src} and defined $hostzones{$dst};
# Source and destination zones must be on different interfaces as well,
# except for the case of all2all.
next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
# Save additional WARN/BAN rules
if ($act eq "WARN" or $act eq "BAN") {
if (exists $warnban{$src}{$dst}) {
warning "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
}
$warnban{$src}{$dst} = $act;
next;
}
# Check against WARN/BAN rules
if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|DNAT)\b/) {
if ($warnban{$src}{$dst} eq "WARN") {
warning "Rule contravenes WARN policy:\n\t$_";
}
else { # $warnban{$src}{$dst} eq "BAN"
warning "Rule contravenes BAN policy (omitted):\n\t$_";
++$ret;
next;
}
}
# Mangle DNAT rules if the destination is the local machine
if ($act =~ /^DNAT/ && $dst eq $fw) {
$_ =~ s/\bDNAT(-)?/ACCEPT/; # change rule type
$_ =~ s/\b$fw:\S+/$dst/; # strip trailing server address/port
}
printf $outfile "%s\n", $_;
}
close $outfile or warn "Can't close $dir/$conf for writing: $!";
# If we get here, everything's OK - return whatever we produced above...
exit $ret;
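Review bot: the FW lookup (the `for (<$infile>)` loop with `next unless m/^\s*FW=(\S+)/` and `last`) takes the first `FW=` assignment in the generated shorewall.conf, but that file is COMMON followed by the host file and the shell that later sources it honours the last assignment. Today this is harmless because COMMON keeps `#FW=fw` commented out; uncommenting it would make shoregen filter rules for `fw` while Shorewall runs under the host's own zone name. Dropping the `last` so the final match wins keeps the two in step. Two smaller points: `$host` goes straight from `$ARGV[0]` into `$dir = "$spool/$host"` and `"$conf/$host"` with no validation, so a mistyped argument containing a slash or `..` reads and writes outside the spool tree; a check such as `$host =~ /^[\w.-]+\z/ or fatal 1, "Bad hostname"` is cheap. And in the DNAT rewrite, `s/\b$fw:\S+/$dst/` interpolates the zone name into a regex unquoted; `\Q$fw\E` avoids surprises if a zone name ever contains a metacharacter.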


@ -0,0 +1,3 @@
Shoregen is a script that generates Shoreline Firewall configurations for
multiple firewalls from a common set of rules and policies. Only the
minimal information necessary for operation is stored on each firewall.


@ -0,0 +1,4 @@
# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
/usr/bin/%{name}
/usr/bin/install_%{name}
%doc /usr/share/doc/%{name}-%{version}/


@ -0,0 +1,10 @@
# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
Summary: Shoreline Firewall configuration generator
License: GPL
Group: Applications/System
BuildArch: noarch
URL: http://paulgear.webhop.net/linux/#shoregen
Packager: Paul Gear <paul@gear.dyndns.org>
Requires: openssh
Requires: perl
Requires: rsync


@ -0,0 +1,9 @@
# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
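Review bot: `install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/` creates the bin directory owner-only, unlike the 0755 used for the doc directory two lines below. Nothing breaks today because the files list packages only `/usr/bin/%{name}` and `/usr/bin/install_%{name}`, not the directory, but 0755 is the conventional mode for /usr/bin and avoids a buildroot that cannot be inspected by an unprivileged user.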


@ -0,0 +1,2 @@
install
# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $