diff --git a/contrib/shoregen/AUTHORS b/contrib/shoregen/AUTHORS new file mode 100644 index 000000000..3cedc2493 --- /dev/null +++ b/contrib/shoregen/AUTHORS @@ -0,0 +1 @@ +Paul Gear diff --git a/contrib/shoregen/BUGS b/contrib/shoregen/BUGS new file mode 100644 index 000000000..a7664840c --- /dev/null +++ b/contrib/shoregen/BUGS @@ -0,0 +1,6 @@ +Sat Apr 24 23:10:10 EST 2004: + +- The "minimal" in "Only the minimal information necessary for operation is + stored on each firewall" is a bit of an overstatement. This could + probably use some work. + diff --git a/contrib/shoregen/COPYING b/contrib/shoregen/COPYING new file mode 100644 index 000000000..5b6e7c66c --- /dev/null +++ b/contrib/shoregen/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/contrib/shoregen/README b/contrib/shoregen/README new file mode 100644 index 000000000..97c2cbcd7 --- /dev/null +++ b/contrib/shoregen/README 
@@ -0,0 +1,125 @@ +shoregen 0.1 +Shoreline Firewall configuration generator +(c) Copyright 2004 Paul D. Gear + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +SHOREWALL + +The quick plug: + + - I love shorewall. Shorewall is the only firewall i trust. + +The IT Manager plug: + + - Shorewall is a policy-driven firewall which lets you think about your + firewall at a higher level than iptables commands. + +The hard sell to you crazy people still maintaining manual firewall scripts: + + - Shorewall is a wrapper around the kernel iptables, so your existing + Linux firewall skills transfer. I converted from a 900-plus-line + ipchains shell script to around 50 lines of shorewall configuration in + less than 4 hours, with no prior experience. + + +ISSUES + + - I'm paranoid - i want more than one firewall between me and the world. + + - Configuring multiple firewalls separately is a recipe for getting your + rules out of sync, and allowing security problems to creep in. + + - IT Manager types (like me) like to know their policy is consistently + implemented. + + +SOLUTION + +Shoregen is a script that generates shorewall configurations for multiple +firewalls from a common set of rules and policies. 
Only the minimal +information necessary for operation is stored on each firewall, so, for +example, your DMZ server doesn't need to know about the rules on your +internal network, but at the same time, it gets consistent rules to your +outer guard. + + +PHILOSOPHY + +Shoregen assumes the X-Files approach to firewall design: trust no one. +That is, paranoia is a virtue. All access should be as limited as possible +for things to work. If you don't already agree with this philosophy, you +may find some of the things shoregen does frustrating, but then again, +you're probably not reading this document. :-) + + +DESIGN + +Shoregen distinguishes between two different types of shorewall +configurations. Most shorewall configuration files are simply concatenated +together from parts constructed from common and host-specific parts. These +are called simple configs, and shoregen doesn't substantially alter them, +and uses little information from them. + +Configs with which shoregen is more concerned are treated separately, and +additional features beyond the scope of shorewall itself are implemented. +Most importantly, two new policy/rule keywords are introduced: WARN and +BAN. These keywords are not included in shoregen's output, but when a +subsequent rule or policy is encountered which matches a rule or policy +marked WARN or BAN, an error message is issued. In the case of BAN, the +offending line is also dropped from the output, and a non-zero return code +issued. + + +PREREQUISITES + +The tools you will need to use shoregen are: + perl The main shoregen script is written in Perl + rsync Used to keep /etc/shorewall directories on your firewalls + in sync with the central repository + ssh Encrypted transport for rsync + make Optional, but saves a few keystrokes. + + +USAGE + +Put shoregen and install_shoregen in a directory on your PATH. + +Make a central directory for your configs. 
I recommend somewhere in a +trusted user's home directory or central system admin repository. This +directory should be on a trusted machine in the most secure part of your +network. Put all of your policies, rules, and zones together in the +correct order in files in the top level of this directory. + +For each of the simple configs you want to generate centrally, create a +directory, with a file called COMMON (if necessary) containing the content +you want to see in that file on all hosts, and a file named for each host +for host-specific content. I recommend that the default shorewall +configuration file be placed in the COMMON file of the corresponding +directory, with directives that are not appropriate commented out. + +When shoregen is run, it places the generated files in the directory +SPOOL/, where is the hostname of the target firewall. The +files in this directory are synchronised and the firewall checked and/or +restarted by a simple wrapper script called install_shoregen. + +See the samples directory for a starting point configuration. It provides +some suggested policies & rules for the network shown in example1.png. The +sample configuration has not been tested in any way. + +I hope you find shoregen useful. I welcome your comments, contributions, +criticisms, and questions. + diff --git a/contrib/shoregen/TODO b/contrib/shoregen/TODO new file mode 100644 index 000000000..7741da178 --- /dev/null +++ b/contrib/shoregen/TODO 
@@ -0,0 +1,19 @@ +As at Wed Apr 21 22:30:12 EST 2004: + +- Need to make it possible for a host to have the same $FW name as the zone + in which it belongs, and have shoregen automatically create appropriate + rules. + +- At the moment, if a fully-expanded policy file (such as is shown + +- Better documentation & samples. I'm sure there is room for improvement. + +- Better rule & policy sanitisation. Again, there is room for improvement. + +- The Makefile could be improved to detect changes in the lower level + config files and call shoregen automatically when they are out-of-date. + At the moment, shoregen is so simple (and thus fast) that the amount of + time that would be saved by a clever Makefile (in comparison to the + rsync, ssh, and shorewall steps) is probably not worth the trouble to + code. + diff --git a/contrib/shoregen/install_shoregen b/contrib/shoregen/install_shoregen new file mode 100644 index 000000000..13665bf08 --- /dev/null +++ b/contrib/shoregen/install_shoregen 
@@ -0,0 +1,103 @@ +#!/bin/sh +# +# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $ +# +# Wrapper script to install shoregen-generated shorewall configuration files. +# + +# +# (c) Copyright 2004 Paul D. Gear +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to +# on the World Wide Web. + +VERBOSE=0 +RESTART=0 +CHECK=1 + +usage() +{ + echo "Usage: $0 [--verbose] [--restart] host ... 
+ Generates and installs shorewall configuration on the given hosts" >&2 + exit 1 +} + +error() +{ + echo "$0: ERROR -" "$@" >&2 +} + +while :; do + case "$1" in + + -v|--verbose) + VERBOSE=1 + shift + ;; + + -r|--restart) + RESTART=1 + shift + ;; + + -c|--nocheck) + CHECK=0 + shift + ;; + + --) + shift + break 2 + ;; + + --*) + error "Unrecognised option $1" + usage + ;; + + *) + break 2 + ;; + + esac +done + +set -e +set -u + +if [ "$#" -lt 1 ]; then + usage +fi + +USER=root +RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh" +#--progress +if [ "$VERBOSE" -gt 0 ]; then + RSYNC_ARGS="$RSYNC_ARGS --verbose" +fi +DIR=/etc/shorewall +SW_PATH=/sbin/shorewall + +PATH=$PATH: +for HOST; do + shoregen $HOST + rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/ + if [ "$CHECK" -gt 0 ]; then + ssh -l $USER -t $HOST $SW_PATH check + fi + if [ "$RESTART" -gt 0 ]; then + ssh -l $USER -t $HOST $SW_PATH restart + fi +done diff --git a/contrib/shoregen/samples/Makefile b/contrib/shoregen/samples/Makefile new file mode 100644 index 000000000..2e74e1c28 --- /dev/null +++ b/contrib/shoregen/samples/Makefile @@ -0,0 +1,10 @@ +FLAGS=-c -r +HOSTS=ig proxy mail og + +default: $(HOSTS) + +$(HOSTS): + shoregen $@ + +install: + install_shoregen -c -r $(HOSTS) diff --git a/contrib/shoregen/samples/example1.dia b/contrib/shoregen/samples/example1.dia new file mode 100644 index 000000000..92f261084 Binary files /dev/null and b/contrib/shoregen/samples/example1.dia differ diff --git a/contrib/shoregen/samples/example1.png b/contrib/shoregen/samples/example1.png new file mode 100644 index 000000000..71739088d Binary files /dev/null and b/contrib/shoregen/samples/example1.png differ diff --git a/contrib/shoregen/samples/hosts/ig b/contrib/shoregen/samples/hosts/ig new file mode 100644 index 000000000..a9b9f738c --- /dev/null +++ b/contrib/shoregen/samples/hosts/ig 
@@ -0,0 +1,13 @@ +# ZONE HOST(S) OPTIONS + +# I used the vi command +# !Gsort -k2 -k1 +# to sort this file, starting at the next line. +mail eth0:$MAIL +og eth0:$OG +proxy eth0:$PROXY +net eth0:0.0.0.0/0 +lan eth1:$LAN +other eth1:0.0.0.0/0 +guest eth2:$GUEST +other eth2:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/mail b/contrib/shoregen/samples/hosts/mail new file mode 100644 index 000000000..362369f0f --- /dev/null +++ b/contrib/shoregen/samples/hosts/mail @@ -0,0 +1,7 @@ +# ZONE HOST(S) OPTIONS +guest eth0:$GUEST +ig eth0:$IG +lan eth0:$LAN +og eth0:$OG +proxy eth0:$PROXY +net eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/og b/contrib/shoregen/samples/hosts/og new file mode 100644 index 000000000..66a912c84 --- /dev/null +++ b/contrib/shoregen/samples/hosts/og @@ -0,0 +1,7 @@ +# ZONE HOST(S) OPTIONS +guest eth0:$GUEST +ig eth0:$IG +lan eth0:$LAN +mail eth0:$MAIL +proxy eth0:$PROXY +other eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/hosts/proxy b/contrib/shoregen/samples/hosts/proxy new file mode 100644 index 000000000..a0ca224c0 --- /dev/null +++ b/contrib/shoregen/samples/hosts/proxy @@ -0,0 +1,7 @@ +# ZONE HOST(S) OPTIONS +guest eth0:$GUEST +ig eth0:$IG +lan eth0:$LAN +mail eth0:$MAIL +og eth0:$OG +net eth0:0.0.0.0/0 diff --git a/contrib/shoregen/samples/interfaces/ig b/contrib/shoregen/samples/interfaces/ig new file mode 100644 index 000000000..523891686 --- /dev/null +++ b/contrib/shoregen/samples/interfaces/ig @@ -0,0 +1,5 @@ +#ZONE INTERFACE BROADCAST OPTIONS +- eth0 detect - +- eth1 detect dhcp +- eth2 detect dhcp +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/interfaces/mail b/contrib/shoregen/samples/interfaces/mail new file mode 100644 index 000000000..8c485e0ec --- /dev/null +++ b/contrib/shoregen/samples/interfaces/mail @@ -0,0 +1,3 @@ +#ZONE INTERFACE BROADCAST OPTIONS +- eth0 detect - +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/contrib/shoregen/samples/interfaces/og b/contrib/shoregen/samples/interfaces/og new file mode 100644 index 000000000..b627368ec --- /dev/null +++ b/contrib/shoregen/samples/interfaces/og @@ -0,0 +1,5 @@ +#ZONE INTERFACE BROADCAST OPTIONS +- eth0 detect - +net eth1 detect norfc1918,blacklist,dhcp +net ppp+ detect norfc1918,blacklist +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/interfaces/proxy b/contrib/shoregen/samples/interfaces/proxy new file mode 100644 index 000000000..8c485e0ec --- /dev/null +++ b/contrib/shoregen/samples/interfaces/proxy @@ -0,0 +1,3 @@ +#ZONE INTERFACE BROADCAST OPTIONS +- eth0 detect - +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/params/COMMON b/contrib/shoregen/samples/params/COMMON new file mode 100644 index 000000000..2f7bed38b --- /dev/null +++ b/contrib/shoregen/samples/params/COMMON @@ -0,0 +1,9 @@ +# These are parameterised firstly so they only live in one place, and +# secondly because they can appear on different interfaces, but with a +# constant address. +OG=10.1.1.1 +MAIL=10.1.1.2 +PROXY=10.1.1.3 +IG=10.1.1.4 +LAN=10.1.2.0/24 +GUEST=10.1.3.0/24 diff --git a/contrib/shoregen/samples/policy b/contrib/shoregen/samples/policy new file mode 100644 index 000000000..7106fd0d4 --- /dev/null +++ b/contrib/shoregen/samples/policy 
@@ -0,0 +1,112 @@ +#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST EXT + +# +# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in +# the policy or rules file. These are not part of shorewall and do not +# actually block any traffic. They are about stopping the firewall +# administrator from activating silly rules. Note that these rules should +# always be accompanied by a corresponding REJECT/BAN policy as they don't +# actually set the shorewall policy (see below for these). +# +# These policies are samples only and are not suggested for your +# environment. You must decide on the policies that are right for you. +# + +guest lan BAN +proxy lan BAN +mail lan BAN +og lan BAN +net lan BAN + +proxy guest BAN +mail guest BAN +og guest BAN +net guest BAN + +proxy ig BAN +mail ig BAN +og ig BAN +net ig BAN + +net proxy BAN + +proxy og BAN +mail og BAN +net og BAN + +ig net BAN + + +# +# Now the normal policies. We define each set of zone pairs individually +# so that Shorewall produces more meaningful error messages. 
+# + +lan guest ACCEPT info +lan ig REJECT info +lan proxy REJECT info +lan mail REJECT info +lan og REJECT info +lan net REJECT info +lan other REJECT info +lan all REJECT info + +guest lan REJECT info +guest ig REJECT info +guest proxy REJECT info +guest mail REJECT info +guest og REJECT info +guest net ACCEPT info +guest other REJECT info +guest all REJECT info + +ig lan REJECT info +ig guest REJECT info +ig proxy REJECT info +ig mail REJECT info +ig og REJECT info +ig net REJECT info +ig other REJECT info +ig all REJECT info + +proxy lan REJECT info +proxy guest REJECT info +proxy ig REJECT info +proxy mail REJECT info +proxy og REJECT info +proxy net ACCEPT +proxy other REJECT info +proxy all REJECT info + +mail lan REJECT info +mail guest REJECT info +mail ig REJECT info +mail proxy REJECT info +mail og REJECT info +mail net REJECT info +mail other REJECT info +mail all REJECT info + +og lan REJECT info +og guest REJECT info +og ig REJECT info +og proxy REJECT info +og mail REJECT info +og net REJECT info +og other REJECT info +og all REJECT info + +net lan DROP info +net guest DROP info +net ig DROP info +net proxy DROP info +net mail DROP info +net og DROP info +net other DROP info +net all DROP info + +# Catch-all policies +other all DROP info +all all DROP info + +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/rules b/contrib/shoregen/samples/rules new file mode 100644 index 000000000..1723a706e --- /dev/null +++ b/contrib/shoregen/samples/rules 
@@ -0,0 +1,187 @@ +# +# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $ +# +# Master Rules File +# +# This file is organised into 4 main sections: +# 1. Rules that need to transcend the more general WARN/BAN rules. The +# reason for this is typically system administration and +# troubleshooting. This section should be kept as small as possible. +# 2. WARN/BAN rules to put restrictions on which rules contravening +# policies may be created. This section should be as large as +# possible, if you take a traditional (i.e. paranoid) approach to +# firewall design. +# 3. Noise-reducing rules for illegitimate traffic. This is typically +# small, but may grow as time goes on. +# 4. Normal rules which define the holes in your firewall. Again, this +# should include only the rules you need and no more. However, even +# on a simple home network like mine, this section tends to get +# large! +# + +# +# Order by port, protocol, dest zone (in->out order), src zone (in->out +# order). +# + +#ACTION CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS + +# +# Section 1: Rules that need to transcend WARN/BAN rules in section 2. +# +# Nearly all of these rules should be limited to system administration +# terminals. These would be better put in a separate zone. +# + +# ping (more below) +ACCEPT lan og icmp 8 + +# ssh (more below) +ACCEPT lan og tcp 22 +ACCEPT ig og tcp 22 + +# SNMP (more below) - for MRTG stats run from LAN +ACCEPT lan og udp 161 + +# syslog (more below) +ACCEPT ig lan udp 514 + +# Squid - this wouldn't be necessary except that a lot of OS updates are +# rather large... 
+ACCEPT mail proxy tcp 3128 + +# +# Section 2: WARN/BAN rule directives +# + +BAN ig lan +BAN mail proxy +BAN lan og +BAN ig og + +# +# Section 3: Drop noisy junk +# + +# auth - reverse of the SMTP rules below +REJECT mail lan tcp 113 +REJECT mail guest tcp 113 +REJECT mail ig tcp 113 +REJECT mail proxy tcp 113 +REJECT mail og tcp 113 +REJECT net og tcp 113 +REJECT mail net tcp 113 + +# KaZaA file sharing +DROP net og tcp 1214 + +# Gnutella server +REJECT net og tcp 6346,6347 + +# Half-Life +REJECT net og udp 27015,27016 + + +# +# Section 4: Normal traffic +# + +# ping (more above) +ACCEPT lan ig icmp 8 +ACCEPT lan proxy icmp 8 +ACCEPT lan mail icmp 8 +ACCEPT ig proxy icmp 8 +ACCEPT ig mail icmp 8 +ACCEPT og proxy icmp 8 +ACCEPT og mail icmp 8 +ACCEPT og net icmp 8 + +# FTP +ACCEPT proxy net tcp 21 + +# ssh (more above) +ACCEPT lan ig tcp 22 +ACCEPT lan proxy tcp 22 +ACCEPT lan mail tcp 22 +ACCEPT lan net tcp 22 +ACCEPT ig proxy tcp 22 +ACCEPT ig mail tcp 22 +ACCEPT proxy mail tcp 22 +ACCEPT proxy net tcp 22 + +# SMTP +ACCEPT lan mail tcp 25 +ACCEPT guest mail tcp 25 +ACCEPT ig mail tcp 25 +ACCEPT proxy mail tcp 25 +ACCEPT og mail tcp 25 +DNAT net mail:$MAIL tcp 25 +ACCEPT mail net tcp 25 + +# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on +# proxy, and mail independent of the rest (proxy & mail should run their +# own caches). +ACCEPT lan proxy tcp 53 +ACCEPT lan proxy udp 53 +ACCEPT guest proxy tcp 53 +ACCEPT guest proxy udp 53 +ACCEPT ig proxy tcp 53 +ACCEPT ig proxy udp 53 +ACCEPT og proxy tcp 53 +ACCEPT og proxy udp 53 +ACCEPT proxy net tcp 53 +ACCEPT proxy net udp 53 +ACCEPT mail net tcp 53 +ACCEPT mail net udp 53 + +# HTTP +ACCEPT proxy net tcp 80 + +# POP3 - must be proxied through mail +ACCEPT mail net tcp 110 +ACCEPT lan mail tcp 110 + +# NNTP - application layer proxy (e.g. leafnode) on proxy +ACCEPT lan proxy tcp 119 +ACCEPT proxy net tcp 119 + +# NTP - we really need more than 2 servers, but this is only an example. 
:-) +ACCEPT lan proxy udp 123 +ACCEPT lan mail udp 123 +ACCEPT ig proxy udp 123 +ACCEPT ig mail udp 123 +ACCEPT proxy net udp 123 +ACCEPT mail net udp 123 +ACCEPT og proxy udp 123 +ACCEPT og mail udp 123 + +# IMAP +ACCEPT lan mail tcp 143 +ACCEPT guest mail tcp 143 + +# SNMP (more above) - for MRTG stats +ACCEPT lan ig udp 161 +ACCEPT lan proxy udp 161 +ACCEPT lan mail udp 161 + +# HTTPS +ACCEPT proxy net tcp 443 + +# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN +ACCEPT og mail udp 514 +ACCEPT proxy mail udp 514 + +# Squid +ACCEPT lan proxy tcp 3128 +ACCEPT guest proxy tcp 3128 +ACCEPT ig proxy tcp 3128 +ACCEPT og proxy tcp 3128 + +# Webmin +ACCEPT lan proxy tcp 10000 +ACCEPT guest proxy tcp 10000 +ACCEPT ig proxy tcp 10000 +ACCEPT og proxy tcp 10000 + + +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/shorewall.conf/COMMON b/contrib/shoregen/samples/shorewall.conf/COMMON new file mode 100644 index 000000000..e3633936b --- /dev/null +++ b/contrib/shoregen/samples/shorewall.conf/COMMON 
@@ -0,0 +1,569 @@ +############################################################################## +# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to +# match your setup +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# This file should be placed in /etc/shorewall +# +# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) +############################################################################## +# L O G G I N G +############################################################################## +# +# General note about log levels. Log levels are a method of describing +# to syslog (8) the importance of a message and a number of parameters +# in this file have log levels as their value. +# +# Valid levels are: +# +# 7 debug +# 6 info +# 5 notice +# 4 warning +# 3 err +# 2 crit +# 1 alert +# 0 emerg +# +# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall +# log messages are generated by NetFilter and are logged using facility +# 'kern' and the level that you specifify. If you are unsure of the level +# to choose, 6 (info) is a safe bet. You may specify levels by name or by +# number. +# +# If you have build your kernel with ULOG target support, you may also +# specify a log level of ULOG (must be all caps). Rather than log its +# messages to syslogd, Shorewall will direct netfilter to log the messages +# via the ULOG target which will send them to a process called 'ulogd'. +# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be +# configured to log all Shorewall message to their own log file +################################################################################ +# +# LOG FILE LOCATION +# +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. 
+# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/shorewall_logging.html + +LOGFILE=/var/log/messages + +# +# LOG FORMAT +# +# Shell 'printf' Formatting template for the --log-prefix value in log messages +# generated by Shorewall to identify Shorewall log messages. The supplied +# template is expected to accept either two or three arguments; the first is +# the chain name, the second (optional) is the logging rule number within that +# chain and the third is the ACTION specifying the disposition of the packet +# being logged. You must use the %d formatting type for the rule number; if your +# template does not contain %d then the rule number will not be included. +# +# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: +# +# LOGFORMAT="fp=%s:%d a=%s " +# +# If not specified or specified as empty (LOGFORMAT="") then the value +# "Shorewall:%s:%s:" is assumed. +# +# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up +# to but not including the first '%') to find log messages in the 'show log', +# 'status' and 'hits' commands. This part should not be omitted (the +# LOGFORMAT should not begin with "%") and the leading part should be +# sufficiently unique for /sbin/shorewall to identify Shorewall messages. + +LOGFORMAT="Shorewall:%s:%s:" + +# +# LOG RATE LIMITING +# +# The next two variables can be used to control the amount of log output +# generated. LOGRATE is expressed as a number followed by an optional +# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum +# rate at which a particular message will occur. LOGBURST determines the +# maximum initial burst size that will be logged. If set empty, the default +# value of 5 will be used. 
+# +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# +# If BOTH variables are set empty then logging will not be rate-limited. +# + +LOGRATE=10/minute +LOGBURST=5 + +# +# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS +# +# This variable determines the level at which Mangled/Invalid packets are logged +# under the 'dropunclean' interface option. If you set this variable to an +# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped +# silently. +# +# The value of this variable also determines the level at which Mangled/Invalid +# packets are logged under the 'logunclean' interface option. If the variable +# is empty, these packets will still be logged at the 'info' level. +# +# See the comment at the top of this section for a description of log levels +# + +LOGUNCLEAN=info + +# +# BLACKLIST LOG LEVEL +# +# Set this variable to the syslogd level that you want blacklist packets logged +# (beware of DOS attacks resulting from such logging). If not set, no logging +# of blacklist packets occurs. +# +# See the comment at the top of this section for a description of log levels +# +BLACKLIST_LOGLEVEL= + +# +# LOGGING 'New not SYN' rejects +# +# This variable only has an effect when NEWNOTSYN=No (see below). +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# See the comment at the top of this section for a description of log levels +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN=info + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. 
+# +# See the comment at the top of this section for a description of log levels +# + +MACLIST_LOG_LEVEL=info + +# +# TCP FLAGS Log Level +# +# Specifies the logging level for packets that fail TCP Flags +# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then +# such packets will not be logged. +# +# See the comment at the top of this section for a description of log levels +# + +TCP_FLAGS_LOG_LEVEL=info + +# +# RFC1918 Log Level +# +# Specifies the logging level for packets that fail RFC 1918 +# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then +# RFC1918_LOG_LEVEL=info is assumed. +# +# See the comment at the top of this section for a description of log levels +# + +RFC1918_LOG_LEVEL=info + +################################################################################ +# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S +################################################################################ +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +PATH=/sbin:/bin:/usr/sbin:/usr/bin + +# +# SHELL +# +# The firewall script is normally interpreted by /bin/sh. If you wish to change +# the shell used to interpret that script, specify the shell here. + +SHOREWALL_SHELL=/bin/sh + +# SUBSYSTEM LOCK FILE +# +# Set this to the name of the lock file expected by your init scripts. For +# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't +# use lock files, set this to "". 
+# + +SUBSYSLOCK=/var/lock/subsys/shorewall + +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# +# This is the directory where the firewall maintains state information while +# it is running +# + +STATEDIR=/var/lib/shorewall + +# +# KERNEL MODULE DIRECTORY +# +# If your netfilter kernel modules are in a directory other than +# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that +# directory in this variable. Example: MODULESDIR=/etc/modules. + +MODULESDIR= + +################################################################################ +# F I R E W A L L O P T I O N S +################################################################################ + +# NAME OF THE FIREWALL ZONE +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +#FW=fw + +# +# ENABLE IP FORWARDING +# +# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you +# say "Off" or "off", packet forwarding will be disabled. You would only want +# to disable packet forwarding if you are installing Shorewall on a +# standalone system or if you want all traffic through the Shorewall system +# to be handled by proxies. +# +# If you set this variable to "Keep" or "keep", Shorewall will neither +# enable nor disable packet forwarding. +# +#IP_FORWARDING=On + +# +# AUTOMATICALLY ADD NAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each NAT external address that you give in /etc/shorewall/nat. If you say +# "No" or "no", you must add these aliases youself. +# +ADD_IP_ALIASES=Yes + +# +# AUTOMATICALLY ADD SNAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each SNAT external address that you give in /etc/shorewall/masq. If you say +# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless +# you are sure that you need it -- most people don't!!! 
+# +ADD_SNAT_ALIASES=No + +# +# ENABLE TRAFFIC SHAPING +# +# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If +# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic +# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and +# you must enable packet mangling above. +# +TC_ENABLED=No + +# +# Clear Traffic Shapping/Control +# +# If this option is set to 'No' then Shorewall won't clear the current +# traffic control rules during [re]start. This setting is intended +# for use by people that prefer to configure traffic shaping when +# the network interfaces come up rather than when the firewall +# is started. If that is what you want to do, set TC_ENABLED=Yes and +# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That +# way, your traffic shaping rules can still use the 'fwmark' +# classifier based on packet marking defined in /etc/shorewall/tcrules. +# +# If omitted, CLEAR_TC=Yes is assumed. + +CLEAR_TC=Yes + +# +# Mark Packets in the forward chain +# +# When processing the tcrules file, Shorewall normally marks packets in the +# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set +# this to "Yes". If not specified or if set to the empty value (e.g., +# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. +# +# Marking packets in the FORWARD chain has the advantage that inbound +# packets destined for Masqueraded/SNATed local hosts have had their destination +# address rewritten so they can be marked based on their destination. When +# packets are marked in the PREROUTING chain, packets destined for +# Masqueraded/SNATed local hosts still have a destination address corresponding +# to the firewall's external interface. +# +# Note: Older kernels do not support marking packets in the FORWARD chain and +# setting this variable to Yes may cause startup problems. 
+ +MARK_IN_FORWARD_CHAIN=No + +# +# MSS CLAMPING +# +# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" +# option. This option is most commonly required when your internet +# interface is some variant of PPP (PPTP or PPPoE). Your kernel must +# have CONFIG_IP_NF_TARGET_TCPMSS set. +# +# [From the kernel help: +# +# This option adds a `TCPMSS' target, which allows you to alter the +# MSS value of TCP SYN packets, to control the maximum size for that +# connection (usually limiting it to your outgoing interface's MTU +# minus 40). +# +# This is used to overcome criminally braindead ISPs or servers which +# block ICMP Fragmentation Needed packets. The symptoms of this +# problem are that everything works fine from your Linux +# firewall/router, but machines behind it can never exchange large +# packets: +# 1) Web browsers connect, then hang with no data received. +# 2) Small mail works fine, but large emails hang. +# 3) ssh works fine, but scp hangs after initial handshaking. +# ] +# +# If left blank, or set to "No" or "no", the option is not enabled. +# +CLAMPMSS=No + +# +# ROUTE FILTERING +# +# Set this variable to "Yes" or "yes" if you want kernel route filtering on all +# interfaces started while Shorewall is started (anti-spoofing measure). +# +# If this variable is not set or is set to the empty value, "No" is assumed. +# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering +# on individual interfaces using the 'routefilter' option in the +# /etc/shorewall/interfaces file. + +ROUTE_FILTER=yes + +# +# NAT BEFORE RULES +# +# Shorewall has traditionally processed static NAT rules before port forwarding +# rules. If you would like to reverse the order, set this variable to "No". +# +# If this variable is not set or is set to the empty value, "Yes" is assumed. 
+ +NAT_BEFORE_RULES=Yes + +# DNAT IP ADDRESS DETECTION +# +# Normally when Shorewall encounters the following rule: +# +# DNAT net loc:192.168.1.3 tcp 80 +# +# it will forward TCP port 80 connections from the net to 192.168.1.3 +# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is +# convenient for two reasons: +# +# a) If the the network interface has a dynamic IP address, the +# firewall configuration will work even when the address +# changes. +# +# b) It saves having to configure the IP address in the rule +# while still allowing the firewall to be started before the +# internet interface is brought up. +# +# This default behavior can also have a negative effect. If the +# internet interface has more than one IP address then the above +# rule will forward connection requests on all of these addresses; +# that may not be what is desired. +# +# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply +# only if the original destination address is the primary IP address of +# one of the interfaces associated with the source zone. Note that this +# requires all interfaces to the source zone to be up when the firewall +# is [re]started. + +DETECT_DNAT_IPADDRS=No + +# +# MUTEX TIMEOUT +# +# The value of this variable determines the number of seconds that programs +# will wait for exclusive access to the Shorewall lock file. After the number +# of seconds corresponding to the value of this variable, programs will assume +# that the last program to hold the lock died without releasing the lock. +# +# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. +# +# An appropriate value for this parameter would be twice the length of time +# that it takes your firewall system to process a "shorewall restart" command. 
+ +MUTEX_TIMEOUT=60 + +# +# NEWNOTSYN +# +# TCP connections are established using the familiar three-way "handshake": +# +# CLIENT SERVER +# +# SYN--------------------> +# <------------------SYN,ACK +# ACK--------------------> +# +# The first packet in that exchange (packet with the SYN flag on and the ACK +# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. +# A packet is said to be NEW if it is not part of or related to an already +# established connection. +# +# The NETNOTSYN option determines the handling of non-SYN packets (those with +# SYN off or with ACK or RST on) that are not associated with an already +# established connection. +# +# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not +# part of an already established connection, it will be dropped by the +# firewall. The setting of LOGNEWNOTSYN above determines if these packets are +# logged before they are dropped. +# +# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule/policy processing. +# +# Users with a High-availability setup with two firewall's and one acting +# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may +# also need to select NEWNOTSYN=Yes. +# +# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis +# using the 'newnotsyn' option in /etc/shorewall/interfaces. +# +# I find that NEWNOTSYN=No tends to result in lots of "stuck" +# connections because any network timeout during TCP session tear down +# results in retries being dropped (Netfilter has removed the +# connection from the conntrack table but the end-points haven't +# completed shutting down the connection). I therefore have chosen +# NEWNOTSYN=Yes as the default value. 
+ +NEWNOTSYN=Yes + +# +# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT +# +# Normally, when a "shorewall stop" command is issued or an error occurs during +# the execution of another shorewall command, Shorewall puts the firewall into +# a state where only traffic to/from the hosts listed in +# /etc/shorewall/routestopped is accepted. +# +# When performing remote administration on a Shorewall firewall, it is +# therefore recommended that the IP address of the computer being used for +# administration be added to the firewall's /etc/shorewall/routestopped file. +# +# Some administrators have a hard time remembering to do this with the result +# that they get to drive across town in the middle of the night to restart +# a remote firewall (or worse, they have to get someone out of bed to drive +# across town to restart a very remote firewall). +# +# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting, +# when the firewall enters the 'stopped' state: +# +# All traffic that is part of or related to established connections is still +# allowed and all OUTPUT traffic is allowed. This is in addition to traffic +# to and from hosts listed in /etc/shorewall/routestopped. +# +# If this variable is not set or it is set to the null value then +# ADMINISABSENTMINDED=No is assumed. +# +ADMINISABSENTMINDED=Yes + +# +# BLACKLIST Behavior +# +# Shorewall offers two types of blacklisting: +# +# - static blacklisting through the /etc/shorewall/blacklist file together +# with the 'blacklist' interface option. +# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. +# +# The following variable determines whether the blacklist is checked for each +# packet or for each new connection. +# +# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection +# requests +# +# BLACKLISTNEWONLY=No Consult blacklists for all packets. 
+# +# If the BLACKLISTNEWONLY option is not set or is set to the empty value then +# BLACKLISTNEWONLY=No is assumed. +# +BLACKLISTNEWONLY=Yes + +# MODULE NAME SUFFIX +# +# When loading a module named in /etc/shorewall/modules, Shorewall normally +# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names +# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different +# naming convention then you can specify the suffix (extension) for module +# names in this variable. +# +# To see what suffix is used by your distribution: +# +# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter +# +# All of the file names listed should have the same suffix (extension). Set +# MODULE_SUFFIX to that suffix. +# +# Examples: +# +# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" +# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" +# + +MODULE_SUFFIX= + +################################################################################ +# P A C K E T D I S P O S I T I O N +################################################################################ +# +# BLACKLIST DISPOSITION +# +# Set this variable to the action that you want to perform on packets from +# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, +# DROP is assumed. +# +BLACKLIST_DISPOSITION=DROP + +# +# MAC List Disposition +# +# This variable determines the disposition of connection requests arriving +# on interfaces that have the 'maclist' option and that are from a device +# that is not listed for that interface in /etc/shorewall/maclist. Valid +# values are ACCEPT, DROP and REJECT. If not specified or specified as +# empty (MACLIST_DISPOSITION="") then REJECT is assumed + +MACLIST_DISPOSITION=REJECT + +# +# TCP FLAGS Disposition +# +# This variable determins the disposition of packets having an invalid +# combination of TCP flags that are received on interfaces having the +# 'tcpflags' option specified in /etc/shorewall/interfaces. 
If not specified +# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. + +TCP_FLAGS_DISPOSITION=DROP + +#LAST LINE -- DO NOT REMOVE diff --git a/contrib/shoregen/samples/shorewall.conf/ig b/contrib/shoregen/samples/shorewall.conf/ig new file mode 100644 index 000000000..ffc52bd43 --- /dev/null +++ b/contrib/shoregen/samples/shorewall.conf/ig @@ -0,0 +1,2 @@ +FW=ig +IP_FORWARDING=On diff --git a/contrib/shoregen/samples/shorewall.conf/mail b/contrib/shoregen/samples/shorewall.conf/mail new file mode 100644 index 000000000..a6051a9af --- /dev/null +++ b/contrib/shoregen/samples/shorewall.conf/mail @@ -0,0 +1,2 @@ +FW=enoch +IP_FORWARDING=Off diff --git a/contrib/shoregen/samples/shorewall.conf/og b/contrib/shoregen/samples/shorewall.conf/og new file mode 100644 index 000000000..220ec2e8a --- /dev/null +++ b/contrib/shoregen/samples/shorewall.conf/og @@ -0,0 +1,2 @@ +FW=og +IP_FORWARDING=On diff --git a/contrib/shoregen/samples/shorewall.conf/proxy b/contrib/shoregen/samples/shorewall.conf/proxy new file mode 100644 index 000000000..b324a4fc7 --- /dev/null +++ b/contrib/shoregen/samples/shorewall.conf/proxy @@ -0,0 +1,2 @@ +FW=dmz +IP_FORWARDING=Off diff --git a/contrib/shoregen/samples/zones b/contrib/shoregen/samples/zones new file mode 100644 index 000000000..d84061bd5 --- /dev/null +++ b/contrib/shoregen/samples/zones @@ -0,0 +1,10 @@ +#ZONE DISPLAY COMMENTS +lan LAN Local network +guest Guest Untrusted LAN hosts +ig IG Inner Guard +og OG Outer Guard +mail Mail Mail server +proxy Proxy Proxy server +net Net Internet +other Other Basket for things that don't fit elsewhere +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/contrib/shoregen/shoregen b/contrib/shoregen/shoregen new file mode 100644 index 000000000..bc4eed6f1 --- /dev/null +++ b/contrib/shoregen/shoregen 
@@ -0,0 +1,373 @@ +#!/usr/bin/perl -w +# +# $Id: shoregen,v 1.27 2004/04/24 12:31:18 paulgear Exp $ +# +# Generate shorewall configuration for a host from central configuration +# files. +# + +# +# (c) Copyright 2004 Paul D. Gear +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA, or go to +# on the World Wide Web. +# + +use strict; + +my $VERBOSE = 1; +my $DEBUG = 1; +my $DATE = scalar localtime; +my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n"; + +if ($#ARGV != 0) { + print STDERR "Usage: $0 \n"; + exit 1; +} + +my $base = "."; +my $host = $ARGV[ 0 ]; +my $spool = "$base/SPOOL"; +my $dir = "$spool/$host"; + + +# +# Messaging routines for use by the program itself - any errors that are +# generated externally (e.g. file opening problems) are reported using the +# usual perl 'die' or 'warn' functions. 
+# + +sub warning +{ + print STDERR "$0: WARNING - @_\n"; +} + +sub fatal +{ + my $RET = shift; + print STDERR "$0: FATAL - @_\n"; + exit $RET; +} + +sub message +{ + print "$0: @_\n"; +} + + +# +# These bits make the files that actually get copied to the target host +# + +sub stripfile +{ + open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!"; + my @file; + + for (<$file>) { + s/\s*#.*$//g; # remove all comments + next if m/^\s*$/; # skip blank lines + push @file, $_; + } + + close $file or warn "Can't close $_[ 0 ] after reading: $!"; + + return @file; +} + + +sub constructfile +{ + my $confname = shift; + my $dst = shift; + my $foundone = 0; + + message "Constructing $confname" if $VERBOSE > 1; + + open( my $DST, ">$dst" ) or die "Can't create $dst: $!"; + printf $DST $HEADER, $confname; + + for my $file (@_) { + if (-r $file) { + $foundone = 1; + print $DST "##$file\n" if $DEBUG > 1; + print $DST stripfile $file; + } + } + + close $DST or warn "Can't close $dst: $!"; + + if (!$foundone) { + warning "\"$confname\" not present. " . + "Existing file on $host will be preserved." if $VERBOSE > 2; + unlink $dst; + } +} + +# +# main +# + +my $fw; # Firewall zone for this host +my @globalzones; # All known zones +my %globalzones; +my %hostzones; # zones applicable to this host +my $outfile; # filename holders +my $conf; # config file we're processing at present +my %warnban; # meta-rules/policies + + +# Change to the base configuration directory +die "Configuration directory $base doesn't exist!" if ! -d $base; +chdir $base or die "Can't change directory to $base: $!"; + +# Create spool directories if necessary +if (! -d "$spool") { + mkdir "$spool" or die "Can't create spool directory $spool: $!"; +} +if (! -d $dir) { + mkdir $dir or die "Can't create host spool directory $dir: $!"; +} + + +# +# Construct all the simple config files. 
+# + +# Config files for which the host-specific file is included *first* +my @hostfirstconfigs = qw( blacklist ecn hosts interfaces maclist masq nat + proxyarp rfc1918 routestopped start stop stopped tcrules tos tunnels ); + +# Config files for which the host-specific file is included *last* +my @hostlastconfigs = qw( common init modules params shorewall.conf ); + +for my $conf (@hostfirstconfigs) { + constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON"; +} + +for my $conf (@hostlastconfigs) { + constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host"; +} + +# +# The remaining config files (policy, rules, zones) are processed uniquely. +# + +# Find the firewall name of this host +open( my $infile, "$dir/shorewall.conf" ) or + die "Can't open $dir/shorewall.conf: $!"; + +for (<$infile>) { + next unless m/^\s*FW=(\S+)/; + $fw = $1; + last; +} + +close $infile; + + +# The firewall name must be defined +unless (defined $fw) { + fatal 1, "Can't find firewall name for $host in $dir/shorewall.conf"; +} + + +# Find all valid zones +unless (-r "zones") { + fatal 2, "You must provide a global zone file"; +} + + +for (stripfile "zones") { + chomp; + my ($zone, $details) = split /\s+/, $_, 2; + push @globalzones, $zone; + $globalzones{ $zone } = $details; +} + +# +# Work out which zones apply to this host from the combination of hosts & +# interfaces. The first field in both files is the zone name, and the +# second (minus any trailing ips) is the interface, which we save as well +# for later reference. 
+# + +for my $infile ("$dir/hosts", "$dir/interfaces") { + if (-r $infile) { + for (stripfile $infile) { + chomp; + my @F = split; + next if $#F < 0; + next if $F[ 0 ] eq "-"; + my @IF = split /:/, $F[ 1 ]; + $hostzones{ $F[ 0 ] } = $IF[ 0 ]; + } + } +} + +$conf = "zones"; + +# +# Create the zones file from the intersection of the above - note the order +# from the original zone file must be preserved, hence the need for the +# array as well as the hash. +# + +open( $outfile, ">$dir/$conf" ) or + die "Can't open $dir/$conf for writing: $!"; + +printf $outfile $HEADER, "$conf"; +my %tmpzones = %hostzones; # Take a copy of all the zones, + +for my $zone (@globalzones) { + if (exists $tmpzones{ $zone }) { + print $outfile "$zone $globalzones{ $zone }\n"; + delete $tmpzones{ $zone }; # deleting those found as we go along. + } +} + +close $outfile or warn "Can't close $dir/$conf after writing: $!"; + +for my $zone (sort keys %tmpzones) { # Warn if we've got any zones left now. + #next if $zone eq "-"; + warning "No entry for $zone in global zones file - ignored"; +} +undef %tmpzones; + + +my @tmp = sort keys %hostzones; +message "FW zone for $host: $fw" if $VERBOSE > 0; +message "Other zones for $host: @tmp" if $VERBOSE > 0; + +# +# Add 'all' as a valid source or destination. Added here so it doesn't get +# checked in %tmpzones check above. Also add firewall itself. (The +# numbers are not important as long as they are different.) +# + +$hostzones{"all"} = 1; +$hostzones{$fw} = 2; + +# +# Create the policy file, including only the applicable zones. +# + +$conf = "policy"; +if (! 
-r $conf) { + fatal 3, "You must provide a global \"$conf\" file"; +} + +open( $outfile, ">$dir/$conf" ) or + die "Can't open $dir/$conf for writing: $!"; +printf $outfile $HEADER, "$conf"; + +for (stripfile $conf) { + chomp; + + my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4; + + print "$src, $dst, $pol, $rest\n" if $DEBUG > 3; + + # Both source and destination zones must be valid on this host for this + # policy to apply. + next unless defined $hostzones{$src} and defined $hostzones{$dst}; + + # Source and destination zones must be on different interfaces as well, + # except for the case of all2all. + #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all"); + + # Save WARN & BAN details for later rules processing + if ($pol eq "WARN" or $pol eq "BAN") { + if (exists $warnban{$src}{$dst}) { + warning "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?"; + } + $warnban{$src}{$dst} = $pol; + next; + } + + printf $outfile "%s\n", $_; +} +close $outfile or warn "Can't close $dir/$conf for writing: $!"; + + +# +# Create the rules file, only including the applicable zones and taking +# into account any WARN or BAN policies. +# + +$conf = "rules"; +if (! -r $conf) { + fatal 4, "You must provide a global \"$conf\" file"; +} + +open( $outfile, ">$dir/$conf" ) or + die "Can't open $dir/$conf for writing: $!"; +printf $outfile $HEADER, "$conf"; + +my $ret = 0; + +for (stripfile $conf) { + chomp; + + my ($act, $src, $dst, $rest) = split /\s+/, $_, 4; + + # strip down to only the main tag + $act =~ s/:.*//; + $src =~ s/:.*//; + $dst =~ s/:.*//; + print "$act, $src, $dst, $rest\n" if $DEBUG > 3; + + # Both source and destination zones must be valid on this host for this + # rule to apply. + next unless defined $hostzones{$src} and defined $hostzones{$dst}; + + # Source and destination zones must be on different interfaces as well, + # except for the case of all2all. 
+ next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all"); + + # Save additional WARN/BAN rules + if ($act eq "WARN" or $act eq "BAN") { + if (exists $warnban{$src}{$dst}) { + warning "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?"; + } + $warnban{$src}{$dst} = $act; + next; + } + + # Check against WARN/BAN rules + if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|DNAT)\b/) { + if ($warnban{$src}{$dst} eq "WARN") { + warning "Rule contravenes WARN policy:\n\t$_"; + } + else { # $warnban{$src}{$dst} eq "BAN" + warning "Rule contravenes BAN policy (omitted):\n\t$_"; + ++$ret; + next; + } + } + + # Mangle DNAT rules if the destination is the local machine + if ($act =~ /^DNAT/ && $dst eq $fw) { + $_ =~ s/\bDNAT(-)?/ACCEPT/; # change rule type + $_ =~ s/\b$fw:\S+/$dst/; # strip trailing server address/port + } + + printf $outfile "%s\n", $_; +} +close $outfile or warn "Can't close $dir/$conf for writing: $!"; + + +# If we get here, everything's OK - return whatever we produced above... +exit $ret; diff --git a/contrib/shoregen/spec/description b/contrib/shoregen/spec/description new file mode 100644 index 000000000..e4f33e240 --- /dev/null +++ b/contrib/shoregen/spec/description @@ -0,0 +1,3 @@ +Shoregen is a script that generates Shoreline Firewall configurations for +multiple firewalls from a common set of rules and policies. Only the +minimal information necessary for operation is stored on each firewall. diff --git a/contrib/shoregen/spec/files b/contrib/shoregen/spec/files new file mode 100644 index 000000000..10685dd98 --- /dev/null +++ b/contrib/shoregen/spec/files @@ -0,0 +1,4 @@ +# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $ +/usr/bin/%{name} +/usr/bin/install_%{name} +%doc /usr/share/doc/%{name}-%{version}/ diff --git a/contrib/shoregen/spec/header b/contrib/shoregen/spec/header new file mode 100644 index 000000000..c0c422fd7 --- /dev/null +++ b/contrib/shoregen/spec/header 
@@ -0,0 +1,10 @@ +# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $ +Summary: Shoreline Firewall configuration generator +License: GPL +Group: Applications/System +BuildArch: noarch +URL: http://paulgear.webhop.net/linux/#shoregen +Packager: Paul Gear +Requires: openssh +Requires: perl +Requires: rsync diff --git a/contrib/shoregen/spec/install b/contrib/shoregen/spec/install new file mode 100644 index 000000000..12c63ae99 --- /dev/null +++ b/contrib/shoregen/spec/install @@ -0,0 +1,9 @@ +# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $ + +install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/ +install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/ + +install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ +install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ +cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ +chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/ diff --git a/contrib/shoregen/spec/type b/contrib/shoregen/spec/type new file mode 100644 index 000000000..1c561e982 --- /dev/null +++ b/contrib/shoregen/spec/type @@ -0,0 +1,2 @@ +install +# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $
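Review bot: in the shoregen script hunk, stripfile and constructfile use the two-argument forms `open( my $file, $_[ 0 ] )` and `open( my $DST, ">$dst" )`, which let the filename itself select the mode, so a $host or $conf value beginning with `>`, `<` or `|` (or ending in `|`) is treated as a redirection or a pipe rather than a plain file; use the three-argument form, `open( my $file, '<', $_[ 0 ] )` and `open( my $DST, '>', $dst )`. Two smaller points in the same hunk: the WARN/BAN check `exists $warnban{$src}{$dst}` is an exact zone-pair lookup, so a WARN or BAN policy written with `all` as source or destination (which passes the validity check because of `$hostzones{"all"} = 1`) never applies to a rule that names specific zones, and the DNAT rewrite `$_ =~ s/\b$fw:\S+/$dst/` interpolates $fw unescaped into the pattern, so it should read `\Q$fw\E`. Finally, the closing comment says everything is OK, but `exit $ret` returns the count of rules omitted under BAN policies, which callers will read as failure and which wraps once it passes 255; either document that a non-zero exit means omitted rules or clamp it to a fixed status.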
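Review bot: in spec/install, `install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/` creates the build root's /usr/bin with mode 0700; the directory is not listed in spec/files so that mode does not ship today, but it should still be created 0755 like the doc directory below it so that nothing breaks if the file list ever starts packaging the directory.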
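Review bot: in spec/header, `Requires: openssh` is probably not the dependency the installer needs; on Red Hat-family distributions the ssh and scp client binaries live in the openssh-clients package while openssh holds only the shared files, so consider `Requires: openssh-clients` alongside `Requires: rsync`.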