holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Shorewall 1.4.5

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@614 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-06-25 18:35:38 +00:00
parent 08c45deb2e
commit d541d73549
5 changed files with 153 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Lrp/etc/shorewall/rules
View File

@ -162,14 +162,24 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT) If included and different from the IP # REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
# specified in the DEST column. # specified in the DEST column.
# #
# The address may optionally be followed by # A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes # a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source # Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall # address in forwarded packets. See the Shorewall

15
Lrp/sbin/shorewall
View File

@ -348,7 +348,16 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timeout=$1 timeout=$1
fi fi
qt which awk && { haveawk=Yes; determine_zones; } || haveawk=
if qt which awk; then
TMP_DIR=/tmp/shorewall-$$
mkdir $TMP_DIR
haveawk=Yes
determine_zones
rm -rf $TMP_DIR
else
haveawk=
fi
while true; do while true; do
display_chains display_chains
@ -756,7 +765,7 @@ case "$1" in
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
@ -776,7 +785,7 @@ case "$1" in
try) try)
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1 [ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 -c $2 restart; then if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then if ! iptables -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
fi fi

151
Lrp/usr/share/shorewall/firewall
View File

@ -354,11 +354,11 @@ setpolicy() # $1 = name of chain, $2 = policy
} }
# #
# Set a standard chain to enable established connections # Set a standard chain to enable established and related connections
# #
setcontinue() # $1 = name of chain setcontinue() # $1 = name of chain
{ {
run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
} }
# #
@ -1000,7 +1000,7 @@ stop_firewall() {
while read interface host; do while read interface host; do
expandv interface host expandv interface host
[ "x$host" = "x-" ] && host=0.0.0.0/0 [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in `separate_list $host`; do for h in `separate_list $host`; do
hosts="$hosts $interface:$h" hosts="$hosts $interface:$h"
done done
@ -1793,19 +1793,13 @@ refresh_tc() {
# #
add_nat_rule() { add_nat_rule() {
local chain local chain
local excludedests=
# Be sure we should and can NAT # Be sure we can NAT
case $logtarget in
DNAT|REDIRECT)
if [ -z "$NAT_ENABLED" ]; then if [ -z "$NAT_ENABLED" ]; then
fatal_error "Rule \"$rule\" requires NAT which is disabled" fatal_error "Rule \"$rule\" requires NAT which is disabled"
fi fi
;;
*)
fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
;;
esac
# Parse SNAT address if any # Parse SNAT address if any
@ -1827,10 +1821,16 @@ add_nat_rule() {
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
eval interfaces=\$${source}_interfaces eval interfaces=\$${source}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
addr="`find_interface_address $interface` $addr" addr=${addr:+$addr,}`find_interface_address $interface`
done done
fi fi
;; ;;
!*)
if [ `list_count $addr` -gt 1 ]; then
excludedests="`separate_list ${addr#\!}`"
addr=
fi
;;
esac esac
addr=${addr:-0.0.0.0/0} addr=${addr:-0.0.0.0/0}
@ -1844,37 +1844,69 @@ add_nat_rule() {
target1="REDIRECT --to-port $servport" target1="REDIRECT --to-port $servport"
fi fi
if [ $source = $FW ]; then
[ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\""
fi
# Generate nat table rules # Generate nat table rules
if [ $command != check ]; then if [ $command != check ]; then
if [ "$source" = "$FW" ]; then if [ "$source" = "$FW" ]; then
run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \ if [ -n "$excludedests" ]; then
$multiport $dports -j $target1
else
chain=`dnat_chain $source`
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
addnatrule `dnat_chain $source` -j $chain run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN
done
if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat
fi
addnatrule $chain -j $target1
else
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
$multiport $dports -j $target1
done
fi
else
chain=`dnat_chain $source`
if [ -n "${excludezones}${excludedests}" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
for z in $excludezones; do for z in $excludezones; do
eval hosts=\$${z}_hosts eval hosts=\$${z}_hosts
for host in $hosts; do for host in $hosts; do
for adr in $addr; do for adr in `separate_list $addr`; do
addnatrule $chain $proto -s ${host#*:} \ addnatrule $chain -s ${host#*:} -d $adr -j RETURN
$multiport $sports -d $adr $dports -j RETURN
done done
done done
done done
for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN
done
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
fi fi
for adr in $addr; do addnatrule $chain -d $adr -j $target1
done
else
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain ensurenatchain $chain
log_rule $loglevel $chain $logtarget -t nat \ log_rule $loglevel $chain $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports` `fix_bang $proto $cli $sports -d $adr $multiport $dports`
loglevel=
fi fi
addnatrule $chain $proto $cli $sports \ addnatrule $chain $proto $cli $sports \
@ -1882,6 +1914,7 @@ add_nat_rule() {
done done
fi fi
fi fi
fi
# Replace destination port by the new destination port # Replace destination port by the new destination port
@ -1930,11 +1963,13 @@ add_nat_rule() {
# #
add_a_rule() add_a_rule()
{ {
# Set source variables local natrule=
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
[ -n "$client" ] && case "$client" in case "$client" in
-) -)
;; ;;
*:*) *:*)
@ -1947,16 +1982,16 @@ add_a_rule()
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
*) *)
cli="-i $client" [ -n "$client" ] && cli="-i $client"
;; ;;
esac esac
# Set destination variables # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
dest_interface= dest_interface=
serv= serv=
[ -n "$server" ] && case "$server" in case "$server" in
-) -)
;; ;;
*.*.*) *.*.*)
@ -1966,7 +2001,7 @@ add_a_rule()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
dest_interface="-o $server" [ -n "$server" ] && dest_interface="-o $server"
;; ;;
esac esac
@ -2032,10 +2067,12 @@ add_a_rule()
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\"" " specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
natrule=Yes
;; ;;
DNAT) DNAT)
[ -n "$serv" ] || fatal_error "DNAT rules require a" \ [ -n "$serv" ] || fatal_error "DNAT rules require a" \
" server address; rule: \"$rule\"" " server address; rule: \"$rule\""
natrule=Yes
;; ;;
LOG) LOG)
[ -z "$loglevel" ] && fatal_error "LOG requires log level" [ -z "$loglevel" ] && fatal_error "LOG requires log level"
@ -2044,7 +2081,7 @@ add_a_rule()
# Complain if the rule is really a policy # Complain if the rule is really a policy
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a "$logtarget" != LOG ]; then
error_message "Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
@ -2054,15 +2091,16 @@ add_a_rule()
# A specific server or server port given # A specific server or server port given
if [ -n "$addr" -a "$addr" != "$serv" ]; then if [ -n "$natrule" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \ log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $serv $dports` `fix_bang $proto $sports $multiport $state $cli $serv $dports`
fi fi
@ -2126,7 +2164,12 @@ process_rule() # $1 = target
logtarget="$target" logtarget="$target"
dnat_only= dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Tranform the rule:
#
# - set 'target' to the filter table target.
# - make $FW the destination for REDIRECT
# - remove '-' suffix from logtargets while setting 'dnat_only'
# - clear 'address' if it has been set to '-'
[ "x$address" = "x-" ] && address= [ "x$address" = "x-" ] && address=
@ -2185,9 +2228,7 @@ process_rule() # $1 = target
fatal_error "Exclude list only allowed with DNAT or REDIRECT" fatal_error "Exclude list only allowed with DNAT or REDIRECT"
fi fi
if ! validate_zone $clientzone; then validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
fatal_error "Undefined Client Zone in rule \"$rule\""
fi
# Parse and validate destination # Parse and validate destination
@ -2220,7 +2261,7 @@ process_rule() # $1 = target
dest=$serverzone dest=$serverzone
# Create canonical chain if necessary # Ensure that this rule doesn't apply to a NONE policy pair of zones
chain=${source}2${dest} chain=${source}2${dest}
@ -2229,11 +2270,14 @@ process_rule() # $1 = target
[ $policy = NONE ] && \ [ $policy = NONE ] && \
fatal_error "Rules may not override a NONE policy: rule \"$rule\"" fatal_error "Rules may not override a NONE policy: rule \"$rule\""
[ $command = check ] || ensurechain $chain # Be sure that this isn't a fw->fw rule.
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in case $logtarget in
REDIRECT) REDIRECT|DNAT)
#
# Redirect rules that have the firewall as the source are fw->fw rules
#
;; ;;
*) *)
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
@ -2241,6 +2285,9 @@ process_rule() # $1 = target
;; ;;
esac esac
else else
# Create the canonical chain if it doesn't already exist
[ $command = check ] || ensurechain $chain [ $command = check ] || ensurechain $chain
fi fi
@ -2252,15 +2299,25 @@ process_rule() # $1 = target
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ] `list_count $cports` -le 15 ]
then then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport" multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-} port=${ports:=-}
cport=${cports:=-} cport=${cports:=-}
add_a_rule add_a_rule
done done
done done
else else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption= multioption=
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
@ -2272,7 +2329,9 @@ process_rule() # $1 = target
done done
done done
fi fi
#
# Report Result
#
if [ $command = check ]; then if [ $command = check ]; then
echo " Rule \"$rule\" checked." echo " Rule \"$rule\" checked."
else else
@ -3774,9 +3833,11 @@ activate_rules()
complete_standard_chain INPUT all $FW complete_standard_chain INPUT all $FW
complete_standard_chain OUTPUT $FW all complete_standard_chain OUTPUT $FW all
complete_standard_chain FORWARD all all complete_standard_chain FORWARD all all
#
# Remove rules added to keep the firewall alive during [re]start"
#
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -D $chain -m state --state ESTABLISHED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
} }

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.4b 1.4.5

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.4a 1.4.5