Shorewall 2.0.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1404 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-06-23 22:10:23 +00:00
parent dbd062e23e
commit d5a38ba02b
20 changed files with 529 additions and 415 deletions


@ -10,6 +10,6 @@ RejectAuth
dropBcast
DropSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,6 +10,6 @@ RejectAuth
dropBcast
RejectSMB
DropUPnP
dropNonSyn
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,6 +6,13 @@
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
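Review bot: The builtin names in the new header comment do not match what the firewall script accepts: the comment lists `rejNonSyn`, `logNonSyn`, `dLogNonSyn` and `rLogNonSyn`, whereas the ACTIONS list added in this commit is `dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn` and the case arms dispatch on those `*NotSyn` spellings, so an entry copied from this comment will not resolve to a builtin. The four lines should read `# rejNotSyn #Silently Reject Non-syn TCP packets`, `# logNotSyn #Log Non-syn TCP packets with disposition LOG`, `# dLogNotSyn #Log Non-syn TCP packets with disposition DROP` and `# rLogNotSyn #Log Non-syn TCP packets with disposition REJECT`. The comment also documents `dropNonSyn`, which this commit makes emit a replacement warning, and omits its replacement `dropNotSyn`; listing `dropNotSyn` and marking `dropNonSyn` as deprecated would match the behaviour.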


@ -1,79 +1,36 @@
Changes since 2.0.1
Changes since 2.0.2
1) Reformat the code in define_firewall().
1) Remove restore files; don't generate them for non-statechanging
commands.
2) Reimplement dynamic zones.
2) Restore file now loads kernel modules.
3) Tweak new dynamic zone implementation.
3) Minor tweaks to the restore mechanism.
4) Implement CONFIG_PATH.
4) Allow "!" in accounting rules.
5) Apply Stijn Jonker's fix for CONFIG_PATH.
5) Backport bug fixes from stable (/var/lib/shorewall existence and
null common action).
6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately.
6) Add lots of overhead to [re]start in order to catch typing errors.
7) Allow CONFIG_PATH to be inherited.
7) Correct reporting of installation directory in install.sh.
8) Fix ensure_config_path call.
8) Load kernel modules before detecting capabilities.
9) Make LOCAL and ALL INTERFACES independent in the nat file.
9) Added the 'rejectNonSyn' standard built-in action.
10) Add "ko.gz" to the vast list of module suffixes that distributions
have invented.
10) Merged Tuomo Soini's patch to the install script.
11) Update the bogons file
11) Correct brain-cramp in module loading fix (8 above).
12) Added example for log rate limiting knobs in shorewall.conf.
12) Add 'key' to sample tunnel file.
13) Fix init.debian.sh.
13) Allow multiple saved configurations.
14) Implement the -q option.
14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
15) Add saved configuration support (iptables-save/iptables-restore
integration).
15) Fix rules that have bridge ports in both SOURCE and DEST. Update
comments in the rules file WRT "all" in SOURCE or DEST.
16) Use modprobe if it is available.
17) Lots of fixes to 'save'
18) 'shorewall forget'
19) SNAT/MASQUERADE by proto/port(s)
20) Shorewall 2.0.2 Beta 1 changes.
21) Fix ALL INTERFACES column parsing.
22) Correct "shorewall delete" processing.
23) Apply Alex Wilms's patch for install.sh
24) Add ACCEPT+ and NONAT targets.
25) Added 'initialized' extension script.
26) Renamed 'initialized' to 'initdone'
27) Applied Stijn Jonker's fix for "shorewall add"
28) Correct typo that broke "shorewall delete"
29) Apply Stijn Jonker's -q fix.
30) Remove restore-$$ files.
31) Save 'loadmodule' commands in /var/lib/shorewall/restore-base.
32) Correct null common action handling.
33) Create /var/lib/shorewall if it doesn't exist.
34) Fix dynamic in chains in the nat table.
35) Load modules before detecting capabilities.
36) Fix 'newnotsyn' in the hosts file.
37) Fix double LOG rules in actions.
38) Another kernel module disaster fixed.
16) Pass INVALID icmp packets through the blacklisting chains.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.2f
VERSION=2.0.3
usage() # $1 = exit status
{

View File

@ -51,11 +51,6 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
}
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Message to stderr
#
@ -108,6 +103,17 @@ save_command()
echo "$@" >> /var/lib/shorewall/restore-$$
}
#
# Write a progress_message command to /var/lib/shorewall/restore-$$
#
save_progress_message()
{
echo >> /var/lib/shorewall/restore-$$
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
echo >> /var/lib/shorewall/restore-$$
}
#
# Save the passed command in the restore script then run it -- returns the status of the command
# If the command involves file redirection then it must be enclosed in quotes as in:
@ -133,12 +139,13 @@ ensure_and_save_command()
}
#
# Append a file to /var/lib/shorewall/restore-$$
# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
#
append_file() {
save_command "cat > $STATEDIR/$1 << EOF"
append_file() # $1 = File Name
{
save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command EOF
save_command __EOF__
}
#
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"
list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else
echo -i $1
fi
@ -585,12 +592,17 @@ match_source_dev()
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1"
list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else
echo -o $1
fi
}
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
#
#
# Find hosts in a given zone
@ -765,7 +777,7 @@ validate_interfaces_file() {
if [ -z "$found_obsolete_option" ]; then
found_obsolete_option=yes
error_message \
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
"WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
error_message \
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
sleep 5
@ -798,6 +810,13 @@ validate_interfaces_file() {
validate_hosts_file() {
local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do
expandv z hosts options
r="$z $hosts $options"
@ -820,17 +839,14 @@ validate_hosts_file() {
*:*)
known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
check_bridge_port ${host%%:*}
;;
*.*.*.*)
;;
*)
known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host"
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
check_bridge_port $host
;;
esac
@ -855,6 +871,8 @@ validate_hosts_file() {
fi
done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
}
#
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
#
setup_forwarding() {
save_progress_message "Restoring IP Forwarding..."
case "$IP_FORWARDING" in
[Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1219,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then
if qt which ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1226,10 +1248,15 @@ stop_firewall() {
;;
*)
set +x
if [ -f /var/lib/shorewall/restore ]; then
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
$RESTOREPATH
echo "Shorewall restored from $RESTOREPATH"
my_mutex_off
kill $$
exit 2
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp
save_progress_message "Restoring Proxy ARP..."
while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent
setup_one_proxy_arp
@ -1840,6 +1869,8 @@ setup_nat() {
#
> ${STATEDIR}/nat
save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
@ -1995,10 +2026,8 @@ process_tc_rule()
chain=tcout
;;
*)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
esac
@ -2023,7 +2052,11 @@ process_tc_rule()
esac
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2095,6 +2128,8 @@ setup_tc1() {
run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart
save_progress_message "Restoring Traffic Control..."
save_command . $(find_file tcstart)
}
@ -2118,6 +2153,8 @@ delete_tc()
}
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear
run_ip link list | \
@ -2144,6 +2181,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
}
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() {
if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then
@ -2157,6 +2202,7 @@ process_accounting_rule() {
case $source in
*:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;;
*.*.*.*)
@ -2165,12 +2211,16 @@ process_accounting_rule() {
-|all|any)
;;
*)
[ -n "$source" ] && rule="$(match_source_dev $source)"
if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;;
esac
[ -n "$dest" ] && case $dest in
*:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;;
*.*.*.*)
@ -2179,6 +2229,7 @@ process_accounting_rule() {
-|all|any)
;;
*)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)"
;;
esac
@ -2233,8 +2284,8 @@ process_accounting_rule() {
ensurechain1 $chain
if iptables -A $chain $rule ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
if iptables -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else
accounting_error
@ -2409,6 +2460,16 @@ add_an_action()
fi
}
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -2417,6 +2478,7 @@ add_an_action()
-)
;;
*:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
@ -2426,7 +2488,10 @@ add_an_action()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="$(match_source_dev $client)"
if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;;
esac
@ -2445,7 +2510,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;;
esac
@ -2496,20 +2564,18 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi
[ "$logtarget" = LOG ] || \
run_iptables2 -A $action $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
run_iptables2 -A $action $proto $multiport $cli $sports \
-d $srv $dports $ratelimit $userandgroup -j $target
done
done
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports)
$(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
fi
[ "$logtarget" = LOG ] || \
run_iptables2 -A $action $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target
run_iptables2 -A $action $proto $multiport $cli $dest_interface $sports \
$dports $ratelimit $userandgroup -j $target
fi
fi
}
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
#
process_actions1() {
#
# Add the builtin actions
#
add_builtin_actions() {
if [ "$COMMAND" != check ]; then
createchain dropBcast no
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
createchain dropNonSyn no
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
fi
ACTIONS="dropBcast dropNonSyn"
USEDACTIONS="dropBcast dropNonSyn"
}
add_builtin_actions
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
USEDACTIONS=
strip_file actions
@ -2821,6 +2863,10 @@ process_actions2() {
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
}
log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
}
#
# Generate the transitive closure of $USEDACTIONS
#
@ -2844,7 +2890,38 @@ process_actions2() {
#
for xaction in $USEDACTIONS; do
case $xaction in
dropNonSyn|dropBcast)
dropBcast)
if [ "$COMMAND" != check ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
fi
;;
dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
;;
dropNotSyn)
[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
;;
rejNotSyn)
[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
;;
logNotSyn)
log_action logNotSyn LOG
;;
rLogNotSyn)
log_action rLogNotSyn REJECT
;;
dLogNotSyn)
log_action dLogNotSyn DROP
;;
*)
f=action.$xaction
@ -3091,6 +3168,16 @@ add_a_rule()
fi
}
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli=
@ -3099,6 +3186,7 @@ add_a_rule()
-)
;;
*:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
@ -3108,7 +3196,10 @@ add_a_rule()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="$(match_source_dev $client)"
if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;;
esac
@ -3128,7 +3219,8 @@ add_a_rule()
;;
*)
if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget"
[ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;;
@ -3265,7 +3357,7 @@ add_a_rule()
if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi
if [ "$logtarget" != LOG ]; then
@ -3274,8 +3366,8 @@ add_a_rule()
$cli $sports $dports $ratelimit $userandgroup -j RETURN
[ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $proto $multiport $dest_interface \
$cli $sports $dports $ratelimit $userandgroup -j $target
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $userandgroup -j $target
fi
fi
fi
@ -3708,6 +3800,11 @@ process_tos_rule() {
#
# Assume that this is a device name
#
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)"
;;
esac
@ -4285,7 +4382,7 @@ setup_masq()
strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports
@ -4399,7 +4496,7 @@ setup_blacklist() {
createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do
interface=${host%%:*}
@ -4507,6 +4604,8 @@ add_ip_aliases()
set -- $aliases_to_add
save_progress_message "Restoring IP Addresses..."
while [ $# -gt 0 ]; do
external=$1
interface=$2
@ -4529,7 +4628,7 @@ add_ip_aliases()
#
load_kernel_modules()
{
local save_modules_dir=$MODULESDIR
save_modules_dir=$MODULESDIR
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@ -4537,7 +4636,7 @@ load_kernel_modules()
modules=$(find_file modules)
if [ -f $modules -a -d $MODULESDIR ]; then
echo "Loading Modules..."
progress_message "Loading Modules..."
. $modules
fi
@ -4547,12 +4646,10 @@ load_kernel_modules()
save_load_kernel_modules()
{
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
modules=$(find_file modules)
save_command "reload_kernel_modules <<EOF"
save_progress_message "Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__"
while read command; do
case "$command" in
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
esac
done < $modules
save_command EOF
save_command __EOF__
}
@ -4721,7 +4818,7 @@ initialize_netfilter () {
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN
run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
done
run_user_exit newnotsyn
@ -4754,7 +4851,7 @@ initialize_netfilter () {
fi
fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
echo "Creating Interface Chains..."
@ -5028,6 +5125,8 @@ add_common_rules() {
#
# ARP Filtering
#
save_progress_message "Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f"
done
@ -5055,6 +5154,8 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..."
save_progress_message "Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f"
done
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
save_command "#"
save_command "# Restore base file generated by Shorewall $version - $(date)"
save_command "#"
save_command ". /usr/share/shorewall/functions"
save_command "MODULESDIR=\"$MODULESDIR\""
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted"
save_command 'iptables-restore << EOF'
save_progress_message "Restoring Netfilter Configuration..."
# 'shorewall save' appends the iptables-save output and 'EOF'
save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
@ -5948,16 +6054,16 @@ do_initialize() {
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules so that capabilities can be
# accurately detected when kernel module autoloading is not
# enabled.
# We load the kernel modules here to acurately determine
# capabilities when module autoloading isn't enabled.
#
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
load_kernel_modules
determine_capabilities
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw
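Review bot: The `rejNotSyn` arm in the `@ -2844,7 +2890,38 @@` hunk appends its rule to a chain named `rejectNotSyn`, while the action is registered and dispatched as `rejNotSyn` (the ACTIONS list and the case label) and the sibling `dropNotSyn` arm appends to a chain bearing its own name; assuming action chains are created under the action name, as that sibling relies on, `-A rejectNotSyn` targets a chain that does not exist. The line should be `[ "$COMMAND" != check ] && run_iptables -A rejNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset`. If run_iptables does not abort on the failure, the rejNotSyn chain stays empty and packets sent to it return to the calling chain instead of being reset, the opposite of what the action promises. The changes file in this commit calls the new action `rejectNonSyn` and the actions.std header calls it `rejNonSyn`, so the three spellings should be reconciled on the `rejNotSyn` name the code dispatches on. process_actions2 starts before this hunk and continues after it.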


@ -33,6 +33,14 @@ list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
#
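Review bot: The header comment on the relocated progress_message, `# Conditionally produce message`, does not say what the condition is; the body shows the gate is the QUIET variable, so `# Print the message to stdout unless QUIET is set (the -q option)` would tell a reader without opening the firewall script. Since this commit writes `progress_message` calls into the generated restore script, which sources /usr/share/shorewall/functions, the move presumably exists so that script can resolve the name; a short comment saying so would explain why the function lives here rather than in firewall. QUIET has to be present in the restore script's environment for the gate to take effect there, which this hunk does not show.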


@ -117,9 +117,9 @@ drop)
;;
forget)
echo "forget: forget
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
files are created by the 'shorewall save' command
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
@ -194,18 +194,22 @@ restart)
;;
restore)
echo "restore: restore
Restore Shorewall to its last state saved using the 'save' command
Existing connections are maintained.
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
and 'shorewall -f start' commands.
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
@ -240,8 +244,9 @@ start)
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings
If \"-f\" is specified, the last saved configuraton if any will be restored"
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;;
stop)
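Review bot: In the `restore` help text (`@ -194,18 +194,22 @@` hunk) the phrase `created using "shorewall save";` uses bare double quotes inside a double-quoted echo argument, which closes and reopens the string; the script still parses, but the quotes are silently dropped and the text prints as `created using shorewall save;`. The other quotations in the same string are escaped (`\"help save\"`), so the line should read `/var/lib/shorewall created using \"shorewall save\"; if no <file name> is given`. The unchanged line `Shorewall allow, drop, rejct and save implement dynamic blacklisting.` in the same section carries a typo (`reject`) that could be fixed while the file is being edited.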


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.2f
VERSION=2.0.3
usage() # $1 = exit status
{
@ -87,11 +87,20 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
# RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument
#
DEST="/etc/init.d"
INIT="shorewall"
RUNLEVELS=""
ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
if [ -z "$OWNER" ] ; then
OWNER=root
fi
@ -402,7 +411,7 @@ echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
#
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo
echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath"
echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
#
# Install the init file
#
@ -500,7 +509,7 @@ for f in action.* ; do
else
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
echo
echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f"
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
fi
done
#
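Review bot: The four `if [ -z "$VAR" ]; then VAR=...; fi` blocks added in the `@ -87,11 +87,20 @@` hunk are the long form of a default assignment; the idiomatic spelling is one line each, `DEST=${DEST:-/etc/init.d}`, `INIT=${INIT:-shorewall}`, `OWNER=${OWNER:-root}`, and the RUNLEVELS block assigns an empty string to an empty variable, so it is effectively a no-op. Since these now honour values from the caller's environment, the header comment above them should say so, e.g. `# DEST, INIT, RUNLEVELS and OWNER may be preset in the environment to override the defaults`. The later `run_install -o $OWNER -g $GROUP` line relies on GROUP, which has no visible default in this hunk; it may be set elsewhere in the file, but if not, an unset GROUP expands to nothing and `-g` consumes the following argument.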


@ -1,21 +1,6 @@
Shorewall 2.0.2f
Shorewall 2.0.3 RC2
----------------------------------------------------------------------
Problems Corrected since 2.0.1
1) The /etc/init.d/shorewall script installed on Debian by install.sh
failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the
normal Shorewall distribution and is provided by the Debian
maintainer.
2) A meaningless warning message out of the proxyarp file processing
has been eliminated.
3) The "shorewall delete" command now correctly removes all dynamic
rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.
Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in
@ -34,222 +19,139 @@ Problems Corrected since 2.0.2
used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone.
6) Shorewall checks netfilter capabilities before loading kernel
6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
7) Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected.
7) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
8) When used within an action, the LOG target produces two logging
rules.
9) The file /etc/init.d/shorewall now gets proper ownership when the
RPM is built by a non-root user.
10) Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.
11) Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone
traffic.
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.
9) Kernel Modules loading is still screwed up.
-----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2:
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
1) Extension Scripts
In order for extension scripts to work properly with the new
iptables-save/restore integration (see New Feature 1 below), some
change may be required to your extension scripts.
If your extension scripts are executing commands other than iptables
then those commands must also be written to the restore file (a
temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).
The following functions should be of help:
A. save_command() -- saves the passed command to the restore file.
Example:
save_command echo Operation Complete
That command would simply write "echo Operation Complete" to the
restore file.
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.
Example:
run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This
applies to all of the functions described here.
C. ensure_and_save_command() -- runs the passed command. If the
command fails, the firewall is restored to it's prior saved state
and the operation is terminated. If the command succeeds, the
command is written to the restore file.
2) Dynamic Zone support.
If you don't need to use the "shorewall add" and "shorewall delete"
commands, you should set DYNAMIC_ZONES=No in
/etc/shorewall/shorewall.conf.
1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
but will generate a warning.
-----------------------------------------------------------------------
New Features:
1) Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and
restart. The elements of this integration are as follows:
1) Shorewall now supports multiple saved configurations.
a) The 'shorewall save' command now saves the current configuration
in addition to the current dynamic blacklist. If you have
dynamic zones, you will want to issue 'shorewall save' when the
zones are empty or the current contents of the zones will be
restored by the 'shorewall restore' and 'shorewall -f start'
commands.
a) The default saved configuration (restore script) in
/var/lib/shorewall is now specified using the RESTOREFILE option
in shorewall.conf. If this variable isn't set then to maitain
backward compatibility, 'restore' is assumed.
The value of RESTOREFILE must be a simple file name; no slashes
("/") may be included.
b) The "save" command has been extended to be able to specify the
name of a saved configuration.
b) The 'shorewall restore' command has been added. This command
restores the configuration at the time of the last 'save'.
shorewall save [ <file name> ]
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there
is no saved configuration, a normal 'shorewall start' is
performed.
The current state is saved to /var/lib/shorewall/<file name>. If
no <file name> is given, the configuration is saved to
the file determined by the RESTOREFILE setting.
d) The /etc/init.d/shorewall script now translates the 'start'
command into 'shorewall -f start' so that fast restart is
possible.
c) The "restore" command has been extended to be able to specify
the name of a saved configuration:
e) When a state-changing command encounters an error and there is a
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).
shorewall restore [ <file name> ]
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command.
The firewall state is restored from /var/lib/shorewall/<file
name>. If no <file name> is given, the firewall state is
restored from the file determined by the RESTOREFILE setting.
WARNING: iptables 1.2.9 is broken with respect to iptables-save;
If your kernel has connection tracking match support, you must
patch iptables 1.2.9 with the iptables patch availale from
the Shorewall errata page.
c) The "forget" command has changed. Previously, the command
unconditionally removed the /var/lib/shorewall/save file which
records the current dynamic blacklist. The "forget" command now
leaves that file alone.
2) The previous implementation of dynamic zones was difficult to
maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.
Also, the "forget" command has been extended to be able to
specify the name of a saved configuration:
3) In earlier Shorewall 2.0 releases, Shorewall searches in order the
following directories for configuration files.
shorewall forget [ <file name> ]
a) The directory specified in a 'try' command or specified using
the -c option.
The file /var/lib/shorewall/<file name> is removed. If no <file
name> is given, the file determined by the RESTOREFILE setting
is removed.
b) /etc/shorewall
d) The "shorewall -f start" command restores the state from the
file determined by the RESTOREFILE setting.
c) /usr/share/shorewall
2) "!" is now allowed in accounting rules.
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
3) Interface names appearing within the configuration are now
verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
Now Shorewall searches for shorewall.conf according to the old
rules and for other configuration files as follows:
4) A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
a) The directory specified in a 'try' command or specified using
the -c option.
The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
action. The old name will be accepted until the next major release
of Shorewall but will generate a warning.
b) Each directory in $CONFIG_PATH is searched in sequence.
Several new logging actions involving "New not SYN" packets have
been added:
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall
or in /usr/share/shorewall.
logNewNotSyn -- logs the packet with disposition = LOG
dLogNewNotSyn -- logs the packet with disposition = DROP
rLogNewNotSyn -- logs the packet with disposition = REJECT
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to
have a default that differs from mine.
The packets are logged at the log level specified in the
LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
not specified, then 'info' is assumed.
4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
would only take effect if the ALL INTERFACES column also contained
Yes or yes. Now, the LOCAL columns contents are treated
independently of the contents of the ALL INTERFACES column.
Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
5) The folks at Mandrake have created yet another kernel module
naming convention (module names end in "ko.gz"). As a consequence,
beginning with this release, if MODULE_SUFFIX isn't specified in
shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
A: To simulate the behavior of NEWNOTSYN=No:
6) An updated bogons file is included in this release.
a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
7) In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and
the log tag.
dLogNotSyn
dropNotSyn
Example:
c) Early in your rules file, place:
ACCEPT:info:ftp net dmz tcp 21
NoNewNotSyn all all tcp
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
The maximum length of a log prefix supported by iptables is 29
characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters.
B: Drop 'New not SYN' packets from the net only. Don't log them.
8) A new "-q" option has been added to /sbin/shorewall commands. It
causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible (when
testing this change, I discovered a bug where a bogus warning
message was being generated).
a) Early in your rules file, place:
9) Shorewall now uses 'modprobe' to load kernel modules if that utility
is available in the PATH; otherwise, 'insmod' is used.
dropNotSyn net all tcp
10) It is now possible to restrict entries in the /etc/shorewall/masq
file to particular protocols and destination port(s). Two new
columns (PROTO and PORT(S)) have been added to the file.
5) Slackware users no longer have to modify the install.sh script
before installation. Tuomo Soini has provided a change that allows
the INIT and FIREWALL variables to be specified outside the script
as in:
Example:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
You want all outgoing SMTP traffic entering the firewall
on eth1 to be sent from eth0 with source IP address
206.124.146.177. You want all other outgoing traffic
from eth1 to be sent from eth0 with source IP address
206.124.146.176.
eth0 eth1 206.124.146.177 tcp 25
eth0 eth1 206.124.146.176
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
Assuming that 10.0.0.0/8 is the only host/network connected
to eth1, the progress message at "shorewall start" would be:
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
11) Two new actions are available in the /etc/shorewall/rules file.
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
matching connections from subsequent DNAT[-] and
REDIRECT[-] rules.
NONAT -- Exempts matching connections from subsequent DNAT[-]
and REDIRECT[-] rules.
12) A new extension script 'initdone' has been added. This script is invoked
at the same point as the 'common' script was previously and is useful for
users who mis-used that script under Shorewall 1.x (the script was intended
for adding rules to the 'common' chain but many users treated it as a script
for adding rules before Shorewall's).
13) Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify
settings in the install.sh script before running it as follows:
DEST="/etc/rc.d"
INIT="rc.firewall"
Thanks to Alex Wilms for helping with this change.


@ -93,6 +93,10 @@
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
@ -123,6 +127,10 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or


@ -76,14 +76,17 @@
# listed address(es)
# shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and
# shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will
# be automatically reinstated the
# next time that Shorewall starts.
# Save the current state so that 'shorewall
# restore' can be used.
#
# shorewall forget Discard the data saved by 'shorewall save'
# shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
#
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
fi
}
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
#
# Set the configuration variables from shorewall.conf
#
@ -160,11 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
}
#
@ -535,7 +557,7 @@ help()
#
usage() # $1 = exit status
{
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..."
@ -543,7 +565,7 @@ usage() # $1 = exit status
echo " clear"
echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..."
echo " forget"
echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]"
echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -554,8 +576,8 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reset"
echo " restart"
echo " restore"
echo " save"
echo " restore [ <file name> ]"
echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start"
echo " stop"
@ -735,11 +757,14 @@ case "$1" in
[ $# -ne 1 ] && usage 1
get_config
if [ -n "$FAST" ]; then
if [ -f /var/lib/shorewall/restore ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
$RESTOREPATH
date > $STATEDIR/restarted
echo Shorewall restored
echo Shorewall restored from $RESTOREPATH
else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi
@ -963,28 +988,57 @@ case "$1" in
;;
save)
[ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo EOF >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
chmod +x /var/lib/shorewall/restore
echo " Currently-running Configuration Saved"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
fi
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
else
echo "Error Saving the Dynamic Rules"
case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: save"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi
else
echo "Shorewall isn't started"
@ -992,9 +1046,28 @@ case "$1" in
mutex_off
;;
forget)
rm -f /var/lib/shorewall/restore
rm -f /var/lib/shorewall/save
echo " Previously saved information discarded"
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH is not a restore script"
fi
;;
ipcalc)
[ -n "$debugging" ] && set -x
@ -1032,12 +1105,26 @@ case "$1" in
esac
;;
restore)
if [ -f /var/lib/shorewall/restore ]; then
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall...
. /var/lib/shorewall/restore
echo Shorewall restored
$RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
else
echo "File /var/lib/shorewall/restore: file not found"
echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2
fi
;;
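Review bot: validate_restorefile (the hunk at `@ -131,6 +134,19 @@`) rejects only names containing "/", so ".", ".." and an empty argument to `save`/`forget`/`restore` pass and make RESTOREPATH resolve to /var/lib/shorewall itself or its parent, which `forget` then hands to `rm -f` and `save` to `mv -f`/`chmod +x`; a name with whitespace is also word-split everywhere `$RESTOREPATH` is used unquoted (`[ -x $RESTOREPATH ]`, `rm -f $RESTOREPATH`). Since the saved script is executed as root from `shorewall -f start` and `shorewall restore`, this name check is the only thing keeping that path inside the 0700 state directory. Tightening the pattern list keeps the interface unchanged: `case $RESTOREFILE in ''|.|..|*/*|*[[:space:]]*)` with the same error branch, plus quoting `"$RESTOREPATH"` at its uses. Separately, the `-f start` path runs `$RESTOREPATH` and then unconditionally writes `$STATEDIR/restarted` and prints "Shorewall restored", whereas the `restore` command guards its message with `&&`; a failed restore script should at least report the failure rather than a success.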


@ -258,6 +258,24 @@ MODULESDIR=
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
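Review bot: The new RESTOREFILE comment says the value "must be the name of an executable file in the directory /var/lib/shorewall", but the file is produced by `shorewall save` and need not exist beforehand, and the one restriction the shell script actually enforces — no "/" in the name — is not mentioned here. The list also includes "Failure of shorewall start or shorewall restart", which the release notes in this commit appear to describe as not yet implemented (the firewall is placed in the 'stopped' state), so a reader may expect a fallback that does not happen. Suggested wording for the value line: `# The value must be a simple file name (no "/"); the file is created in /var/lib/shorewall by "shorewall save".`, and qualify or drop the failure-restore case until that behaviour exists.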


@ -1,5 +1,5 @@
%define name shorewall
%define version 2.0.2f
%define version 2.0.3
%define release 1
%define prefix /usr
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
fi
%files
/etc/init.d/shorewall
%attr(0544,root,root) /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall
@ -141,16 +141,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Thu Jun 03 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2f-1
* Sat May 29 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2e-1
* Thu May 27 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2d-1
* Fri May 21 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2c-1
* Mon May 17 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2b-1
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC1
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
- Added %attr spec for /etc/init.d/shorewall
* Sat May 15 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2a-1
* Thu May 13 2004 Tom Eastep tom@shorewall.net


@ -59,6 +59,13 @@ gateway="x.x.x.x"
subnet="192.168.9.0/24"
# GRE Key -- set this to a number or to a dotted quad if you want
# a keyed GRE tunnel. You must specify a KEY if you
# intend to load ip_conntrack_proto_gre on either
# gateway system
key=
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
load_modules () {
@ -101,7 +108,7 @@ do_start() {
case $tunnel_type in
gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
;;
*)
ip tunnel add $tunnel mode ipip remote $gateway
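Review bot: The new gre line in do_start closes the parameter expansion with ")" instead of "}" — `${key:+key $key)` — which the shell reports as an unterminated expansion, so do_start fails for every GRE tunnel, keyed or not, rather than only when a key is set. The intended form is `ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key}`. Given the comment added above that a KEY is required when ip_conntrack_proto_gre is loaded, it would also be worth rejecting an empty `$key` up front in that case instead of silently creating an unkeyed tunnel; do_start's body continues outside the hunk.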


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.2f
VERSION=2.0.3
usage() # $1 = exit status
{


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.3-RC2
VERSION=2.0.3
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.3-RC2
VERSION=2.0.3
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall
%define version 2.0.3
%define release 0RC2
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.3-RC2
VERSION=2.0.3
usage() # $1 = exit status
{