Merge branch '4.5.21'

Conflicts:
	Shorewall/manpages/shorewall.conf.xml
	Shorewall6/manpages/shorewall6.conf.xml

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-03-05 09:00:34 -08:00
commit c9d7370fb4
9 changed files with 195 additions and 95 deletions

@ -690,7 +690,13 @@ sub process_stoppedrules() {
my $result; my $result;
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) { if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
first_entry "$doing $fn..."; first_entry sub() {
progress_message2("$doing $fn...");
unless ( $config{ADMINISABSENTMINDED} ) {
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
$config{ADMINISABSENTMINDED} = 'Yes';
}
};
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
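Review bot: the warning text in the new first_entry sub names the wrong file. This is process_stoppedrules(), reading `open_file 'stoppedrules'`, but the message says "Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes"; it should say "stoppedrules". A short comment above `$config{ADMINISABSENTMINDED} = 'Yes';` would also help, stating that the user's setting is deliberately overridden for the stopped state, since the shorewall.conf hunk describes this as the setting being "ignored" and a reader of the compiler will otherwise wonder why a config value is mutated part-way through compilation.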
@ -2526,9 +2532,9 @@ EOF
"restore_default_route $config{USE_DEFAULT_RT}" "restore_default_route $config{USE_DEFAULT_RT}"
); );
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/; if ( $config{ADMINISABSENTMINDED} ) {
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains; }
if ( $family == F_IPV6 ) { if ( $family == F_IPV6 ) {
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL; add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
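Review bot: this tightens the stopped state for ADMINISABSENTMINDED=No, not only the =Yes case. The old code added the `state_imatch 'ESTABLISHED,RELATED'` ACCEPT to INPUT, OUTPUT and FORWARD when the setting was off (`qw/INPUT OUTPUT FORWARD/`), while the new `if ( $config{ADMINISABSENTMINDED} ) { ... }` adds it to no chain in that case, so connections that were active when the firewall stopped are no longer accepted at all with =No. That matches the reworded manpage ("only traffic to/from those addresses listed in routestopped is accepted"), but administrators relying on the old behaviour should see it in the release notes, and a one-line comment here saying that =No is intentionally strict would make the intent clear.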

@ -9,9 +9,9 @@
###################################################################################################################################################################################################### ######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#?SECTION ALL #SECTION ALL
#?SECTION ESTABLISHED #SECTION ESTABLISHED
#?SECTION RELATED #SECTION RELATED
#?SECTION INVALID #SECTION INVALID
#?SECTION UNTRACKED #SECTION UNTRACKED
?SECTION NEW SECTION NEW
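Review bot: the skeleton now ships the directive form (`?SECTION NEW`, and the commented `#?SECTION ...` lines), while the quickstart hunk in this same merge says "?SECTION NEW in Shorewall 4.6.0 and later". If this skeleton is also installed on the 4.5.21 branch being merged, confirm that branch's compiler accepts `?SECTION`; otherwise the shipped stoppedrules file would not compile there.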

@ -120,7 +120,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>notrack</term> <term><emphasis role="bold">notrack</emphasis></term>
<listitem> <listitem>
<para>The traffic will be exempted from connection <para>The traffic will be exempted from connection
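Review bot: bolding the term (`<term><emphasis role="bold">notrack</emphasis></term>`) matches the shorewall-stoppedrules manpage hunk, where the new term is marked up the same way; check that the other `<term>` entries of this variablelist, which are outside the hunk, use the same emphasis so the rendered option list is uniform.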
@ -128,6 +128,13 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<note>
<para>The <emphasis role="bold">source</emphasis> and <emphasis
role="bold">dest</emphasis> options work best when used in
conjunction with ADMINISABSENTMINDED=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
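Review bot: the new `<note>` understates what the compiler hunk does. process_stoppedrules() now forces `$config{ADMINISABSENTMINDED} = 'Yes'` (with a warning) whenever the file has entries, so `source` and `dest` do not merely "work best" with ADMINISABSENTMINDED=Yes; the file is always processed as if it were set. Suggest saying exactly that and pointing the reader at the ADMINISABSENTMINDED entry in shorewall6.conf(5), where the warning is documented.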

@ -283,15 +283,48 @@
<listitem> <listitem>
<para>The value of this variable affects Shorewall's stopped state. <para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses The behavior differs depending on whether <ulink
listed in <ulink url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5) or <ulink
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes, url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
in addition to traffic to/from addresses in <ulink is used:</para>
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
connections that were active when Shorewall stopped continue to work <variablelist>
and all new connections from the firewall system itself are allowed. <varlistentry>
If this variable is not set or is given the empty value then <term>routestopped</term>
<listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para> If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para> ADMINISABSENTMINDED=No is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
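Review bot: two points in the new text. `<para> If this variable is not set` has a leading space inside the element, unlike the matching shorewall6.conf hunk (`<para>If this variable`); drop it. More substantively, the `conntrack -F` advice in the stoppedrules entry should spell out that the flush is global: it discards every tracked connection, including NAT state and the administrator's own session, so the reader knows to pair it with a stoppedrules entry for the address they manage from. "Sever all existing connections" is accurate, but readers tend to assume their own session is exempt.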

@ -116,30 +116,11 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">critical</emphasis></term> <term><emphasis role="bold">notrack</emphasis></term>
<listitem> <listitem>
<para>Allow traffic between the firewall and these hosts <para>The traffic will be exempted from connection
throughout '[re]start', 'stop' and 'clear'. Specifying tracking.</para>
<emphasis role="bold">critical</emphasis> on one or more
entries will cause your firewall to be "totally open" for a
brief window during each of those operations. Examples of
where you might want to use this are:</para>
<itemizedlist>
<listitem>
<para>'Ping' nodes with heartbeat.</para>
</listitem>
<listitem>
<para>LDAP server(s) if you use LDAP Authentication</para>
</listitem>
<listitem>
<para>NFS Server if you have an NFS-mounted root
filesystem.</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
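Review bot: this drops the documentation of `critical` (with its heartbeat, LDAP and NFS-root examples) and puts `notrack` in its place, but nothing else in the diff removes `critical` from the stoppedrules parser; the Compiler.pm hunks touch only first_entry and the ESTABLISHED,RELATED rules. If `critical` is still accepted in stoppedrules it should keep its entry; if it has been removed, the change needs a release-note line, since existing stoppedrules files that use it are affected on upgrade.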

@ -218,18 +218,50 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>The value of this variable affects Shorewall6's stopped state. <para>The value of this variable affects Shorewall's stopped state.
When ADMINISABSENTMINDED=No, only traffic to/from those addresses The behavior differs depending on whether <ulink
listed in <ulink url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5) or <ulink
is accepted when Shorewall6 is stopped. When url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in is used:</para>
<ulink
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5), <variablelist>
connections that were active when Shorewall6 stopped continue to <varlistentry>
work and all new connections from the firewall system itself are <term>routestopped</term>
allowed. If this variable is not set or is given the empty value
then ADMINISABSENTMINDED=No is assumed.</para> <listitem>
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
addresses listed in <filename>routestopped</filename> is
accepted when Shorewall is stopped. When
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
addresses in <filename>routestopped</filename>, connections
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stoppedrules</term>
<listitem>
<para>If ADMINISABSENTMINDED=No, a warning message is issued
and the setting is ignored.</para>
<para>In addition to connections matching entries in
<filename>stoppedrules</filename>, existing connections
continue to work and all new connections from the firewall
system itself are allowed. To sever all existing connections
when the firewall is stopped, install the conntrack utility
and place the command <command>conntrack -F</command> in the
stopped user exit
(<filename>/etc/shorewall6/stopped</filename>).</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this variable is not set or is given the empty value then
ADMINISABSENTMINDED=No is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
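Review bot: copy-paste errors from the IPv4 manpage. The new text says "affects Shorewall's stopped state", "accepted when Shorewall is stopped" and "when Shorewall stopped" where the old text correctly said Shorewall6, and both new links point at the IPv4 pages (`url="shorewall-routestopped.html">shorewall6-routestopped` and `url="shorewall-stoppedrules.html">shorewall6-stoppedrules`), whereas the old link used `/manpages6/shorewall6-routestopped.html`. Suggest shorewall6-routestopped.html and shorewall6-stoppedrules.html for the URLs and Shorewall6 throughout the prose.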

@ -515,15 +515,16 @@ root@lists:~# </programlisting>
<para>If you wish to enable connections from the Internet to your firewall <para>If you wish to enable connections from the Internet to your firewall
and you find an appropriate macro in and you find an appropriate macro in
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule <filename>/usr/share/shorewall/macro.*</filename>, the general format of a
in <filename>/etc/shorewall/rules</filename> is:</para> rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important> <important>
<para>Be sure to add your rules after the line that reads <emphasis <para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTION NEW.</emphasis></para> role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
later).</para>
</important> </important>
<example id="Example1"> <example id="Example1">
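Review bot: the macro path correction (`/usr/share/shorewall/macro.*` rather than `/etc/shorewall/macro.*`) is right. In the `<important>` paragraph, only the first form is emphasised: `<emphasis role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and later)`; mark up `?SECTION NEW` the same way, since on 4.6.0 and later it is the form the reader will actually see in the rules file.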
@ -605,19 +606,34 @@ SSH(ACCEPT) net $FW </programlisting>
<quote><command>shorewall stop</command></quote>. When the firewall is <quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in stopped, routing is enabled on those hosts that have an entry in
<filename><ulink <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>. url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
A running firewall may be restarted using the <quote><command>shorewall (<filename><ulink
restart</command></quote> command. If you want to totally remove any trace url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
of Shorewall from your Netfilter configuration, use in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
<quote><command>shorewall clear</command></quote>.</para> the <quote><command>shorewall restart</command></quote> command. If you
want to totally remove any trace of Shorewall from your Netfilter
configuration, use <quote><command>shorewall
clear</command></quote>.</para>
<warning> <warning>
<para>If you are connected to your firewall from the Internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command unless issue a <quote><command>shorewall stop</command></quote> command unless
you have added an entry for the IP address that you are connected from you have either:</para>
to <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>. <orderedlist>
Also, I don't recommend using <quote><command>shorewall <listitem>
<para>Used ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename> or</para>
</listitem>
<listitem>
<para>added an entry for the IP address that you are connected from
to <ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.</para>
</listitem>
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an <emphasis><ulink restart</command></quote>; it is better to create an <emphasis><ulink
url="configuration_file_basics.htm#Configs">alternate url="configuration_file_basics.htm#Configs">alternate
configuration</ulink></emphasis> and test it using the <ulink configuration</ulink></emphasis> and test it using the <ulink
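Review bot: the rewritten paragraph says the stopped state is governed by /etc/shorewall/stoppedrules, with /etc/shorewall/routestopped only "in Shorewall 4.5.7 and earlier", yet item 2 of the new `<orderedlist>` in the warning still tells the reader to add their address to `/etc/shorewall/routestopped` alone. Suggest naming stoppedrules there (routestopped for 4.5.7 and earlier), and making the two items consistent in capitalisation ("Used ADMINISABSENTMINDED=Yes" versus "added an entry").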

@ -193,7 +193,6 @@
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq /usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
~#</programlisting> ~#</programlisting>
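Review bot: removing `routestopped` from the three-interfaces sample listing is consistent with the move to stoppedrules, but later hunks in this same guide still say "modify /etc/shorewall/routestopped accordingly" and tell the reader to add their address to routestopped; those references should move to stoppedrules in the same commit so the listing and the prose agree.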
@ -954,8 +953,8 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
a <emphasis>defined macro</emphasis>. Shorewall includes a number of a <emphasis>defined macro</emphasis>. Shorewall includes a number of
defined macros and <ulink url="Macros.html">you can add your own</ulink>. defined macros and <ulink url="Macros.html">you can add your own</ulink>.
To see the list of macros included with your version of Shorewall, run the To see the list of macros included with your version of Shorewall, run the
command <command>ls command <command>shorewall show
<filename>/usr/share/shorewall/macro.*</filename></command>.</para> <filename>macros</filename></command>.</para>
<para>You don't have to use defined macros when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>. The first example above (name <filename>/etc/shorewall/rules</filename>. The first example above (name
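Review bot: `macros` in `<command>shorewall show <filename>macros</filename></command>` is a subcommand argument, not a file, so `<filename>` is the wrong element. The two-interface hunk renders the same command as a single `<emphasis role="bold">shorewall show macros</emphasis>`; pick one markup and use it in both guides.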
@ -1128,12 +1127,14 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>The firewall is started using the <command>shorewall start</command> <para>The firewall is started using the <command>shorewall start</command>
command and stopped using <command>shorewall stop</command>. When the command and stopped using <command>shorewall stop</command>. When the
firewall is stopped, routing is enabled on those hosts that have an entry firewall is stopped, routing is enabled on those hosts that have an entry
in <ulink in <filename><ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>. url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
A running firewall may be restarted using the <command>shorewall (<ulink
restart</command> command. If you want to totally remove any trace of url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
Shorewall from your Netfilter configuration, use <command>shorewall on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
clear</command>.</para> the <command>shorewall restart</command> command. If you want to totally
remove any trace of Shorewall from your Netfilter configuration, use
<command>shorewall clear</command>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
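Review bot: the two links in the new sentence nest their elements differently: `<filename><ulink ...>/etc/shorewall/stoppedrules</ulink></filename>` versus `<ulink ...><filename>/etc/shorewall/routestopped</filename></ulink>`. Use the same nesting for both; the content itself is correct.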
@ -1144,16 +1145,26 @@ ACCEPT net $FW tcp 80 </programlisting><it
DMZ or if you want to enable a different set of hosts, modify DMZ or if you want to enable a different set of hosts, modify
<filename>/etc/shorewall/routestopped</filename> accordingly. <warning> <filename>/etc/shorewall/routestopped</filename> accordingly. <warning>
<para>If you are connected to your firewall from the Internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <command>shorewall stop</command> command unless you have issue a <quote><command>shorewall stop</command></quote> command
added an entry for the IP address that you are connected from to unless you have either:</para>
<ulink
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>. <orderedlist>
Also, I don't recommend using <command>shorewall restart</command>; it <listitem>
is better to create an <ulink <para>Used ADMINISABSENTMINDED=Yes in
url="configuration_file_basics.htm#Levels">alternate <filename>/etc/shorewall/shorewall.conf</filename>; or</para>
configuration</ulink> and test it using the <ulink </listitem>
url="starting_and_stopping_shorewall.htm"><command>shorewall
try</command> command</ulink>.</para> <listitem>
<para>added an entry for the <acronym>IP</acronym> address that
you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
</listitem>
</orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para>
</warning></para> </warning></para>
<para>The firewall will start after your network interfaces have been <para>The firewall will start after your network interfaces have been
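Review bot: the rewritten warning loses two links the old text had: `url="configuration_file_basics.htm#Levels">alternate configuration</ulink>` and `url="starting_and_stopping_shorewall.htm"><command>shorewall try</command> command</ulink>` have become plain text; restore them. Item 2 of the list also still directs the reader to `/etc/shorewall/routestopped` only, although the paragraph above now says that file applies to 4.5.7 and earlier.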

@ -171,7 +171,6 @@
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq /usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#</programlisting> ~#</programlisting>
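Review bot: same situation as the three-interfaces listing: `routestopped` is removed from the two-interfaces samples while the warning later in this file (item 2 of its orderedlist) still tells users to add their address to /etc/shorewall/routestopped; update that to stoppedrules.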
@ -203,8 +202,9 @@
<para>If you install using the .deb, you will find that your <para>If you install using the .deb, you will find that your
<filename class="directory">/etc/shorewall</filename> directory <filename class="directory">/etc/shorewall</filename> directory
is empty. This is intentional. The released configuration file is practially empty. This is intentional. The released
skeletons may be found on your system in the directory <filename configuration file skeletons may be found on your system in the
directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
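Review bot: typo in the new text: "is practially empty" should read "is practically empty".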
@ -910,8 +910,8 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
<para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of <para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink macros (command <emphasis role="bold">shorewall show macros</emphasis>)
url="Macros.html">you can add your own</ulink>.</para> and <ulink url="Macros.html">you can add your own</ulink>.</para>
<para>You don't have to use defined macros when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
@ -1046,7 +1046,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<quote><command>shorewall stop</command></quote>. When the firewall is <quote><command>shorewall stop</command></quote>. When the firewall is
stopped, routing is enabled on those hosts that have an entry in <filename stopped, routing is enabled on those hosts that have an entry in <filename
class="directory">/etc/shorewall/</filename><filename><ulink class="directory">/etc/shorewall/</filename><filename><ulink
url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>. url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace restart</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use of Shorewall from your Netfilter configuration, use
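Review bot: whitespace in the new markup: `or in<filename> <ulink` lacks the space before `<filename>` and has a stray one after it, so the space ends up inside the `<filename>` element instead of between the words; it should be `or in <filename><ulink`. This file also lists routestopped first and stoppedrules second, the reverse of the three-interface guide; either order is fine but the two guides should match.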
@ -1063,10 +1065,22 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
accordingly. <warning> accordingly. <warning>
<para>If you are connected to your firewall from the Internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command issue a <quote><command>shorewall stop</command></quote> command
unless you have added an entry for the <acronym>IP</acronym> address unless you have either:</para>
that you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>. <orderedlist>
Also, I don't recommend using <quote><command>shorewall <listitem>
<para>Used ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>; or</para>
</listitem>
<listitem>
<para>added an entry for the <acronym>IP</acronym> address that
you are connected from to <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
</listitem>
</orderedlist>
<para> Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate restart</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para> try</command></quote> command.</para>
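Review bot: `<para> Also, I don't recommend` carries a leading space inside the element (the three-interface hunk has `<para>Also, ...`); drop it. As in the other warnings, item 2 of the new list points only at `/etc/shorewall/routestopped` even though the paragraph above it now names /etc/shorewall/stoppedrules as the current file.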