holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Shorewall 2.0.3

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1404 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-06-23 22:10:23 +00:00
parent dbd062e23e
commit d5a38ba02b
20 changed files with 529 additions and 415 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
STABLE2/action.Drop
View File

@ -10,6 +10,6 @@ RejectAuth
dropBcast dropBcast
DropSMB DropSMB
DropUPnP DropUPnP
dropNonSyn dropNotSyn
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
STABLE2/action.Reject
View File

@ -10,6 +10,6 @@ RejectAuth
dropBcast dropBcast
RejectSMB RejectSMB
DropUPnP DropUPnP
dropNonSyn dropNotSyn
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

7
STABLE2/actions.std
View File

@ -6,6 +6,13 @@
# #
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
# #
#ACTION #ACTION

83
STABLE2/changelog.txt
View File

@ -1,79 +1,36 @@
Changes since 2.0.1 Changes since 2.0.2
1) Reformat the code in define_firewall(). 1) Remove restore files; don't generate them for non-statechanging
commands.
2) Reimplement dynamic zones. 2) Restore file now loads kernel modules.
3) Tweak new dynamic zone implementation. 3) Minor tweaks to the restore mechanism.
4) Implement CONFIG_PATH. 4) Allow "!" in accounting rules.
5) Apply Stijn Jonker's fix for CONFIG_PATH. 5) Backport bug fixes from stable (/var/lib/shorewall existence and
null common action).
6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately. 6) Add lots of overhead to [re]start in order to catch typing errors.
7) Allow CONFIG_PATH to be inherited. 7) Correct reporting of installation directory in install.sh.
8) Fix ensure_config_path call. 8) Load kernel modules before detecting capabilities.
9) Make LOCAL and ALL INTERFACES independent in the nat file. 9) Added the 'rejectNonSyn' standard built-in action.
10) Add "ko.gz" to the vast list of module suffixes that distributions 10) Merged Tuomo Soini's patch to the install script.
have invented.
11) Update the bogons file 11) Correct brain-cramp in module loading fix (8 above).
12) Added example for log rate limiting knobs in shorewall.conf. 12) Add 'key' to sample tunnel file.
13) Fix init.debian.sh. 13) Allow multiple saved configurations.
14) Implement the -q option. 14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
15) Add saved configuration support (iptables-save/iptables-restore 15) Fix rules that have bridge ports in both SOURCE and DEST. Update
integration). comments in the rules file WRT "all" in SOURCE or DEST.
16) Use modprobe if it is available. 16) Pass INVALID icmp packets through the blacklisting chains.
17) Lots of fixes to 'save'
18) 'shorewall forget'
19) SNAT/MASQUERADE by proto/port(s)
20) Shorewall 2.0.2 Beta 1 changes.
21) Fix ALL INTERFACES column parsing.
22) Correct "shorewall delete" processing.
23) Apply Alex Wilms's patch for install.sh
24) Add ACCEPT+ and NONAT targets.
25) Added 'initialized' extension script.
26) Renamed 'initialized' to 'initdone'
27) Applied Stijn Jonker's fix for "shorewall add"
28) Correct typo that broke "shorewall delete"
29) Apply Stijn Jonker's -q fix.
30) Remove restore-$$ files.
31) Save 'loadmodule' commands in /var/lib/shorewall/restore-base.
32) Correct null common action handling.
33) Create /var/lib/shorewall if it doesn't exist.
34) Fix dynamic in chains in the nat table.
35) Load modules before detecting capabilities.
36) Fix 'newnotsyn' in the hosts file.
37) Fix double LOG rules in actions.
38) Another kernel module disaster fixed.

2
STABLE2/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.2f VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

276
STABLE2/firewall
View File

@ -51,11 +51,6 @@ my_mutex_off() {
[ -n "$have_mutex" ] && { mutex_off; have_mutex=; } [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
} }
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
# #
# Message to stderr # Message to stderr
# #
@ -108,6 +103,17 @@ save_command()
echo "$@" >> /var/lib/shorewall/restore-$$ echo "$@" >> /var/lib/shorewall/restore-$$
} }
#
# Write a progress_message command to /var/lib/shorewall/restore-$$
#
save_progress_message()
{
echo >> /var/lib/shorewall/restore-$$
echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
echo >> /var/lib/shorewall/restore-$$
}
# #
# Save the passed command in the restore script then run it -- returns the status of the command # Save the passed command in the restore script then run it -- returns the status of the command
# If the command involves file redirection then it must be enclosed in quotes as in: # If the command involves file redirection then it must be enclosed in quotes as in:
@ -133,12 +139,13 @@ ensure_and_save_command()
} }
# #
# Append a file to /var/lib/shorewall/restore-$$ # Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
# #
append_file() { append_file() # $1 = File Name
save_command "cat > $STATEDIR/$1 << EOF" {
save_command "cat > $STATEDIR/$1 << __EOF__"
cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
save_command EOF save_command __EOF__
} }
# #
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
match_source_dev() match_source_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1" list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
else else
echo -i $1 echo -i $1
fi fi
@ -585,12 +592,17 @@ match_source_dev()
match_dest_dev() match_dest_dev()
{ {
if [ -n "$BRIDGING" ]; then if [ -n "$BRIDGING" ]; then
known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1" list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
else else
echo -o $1 echo -o $1
fi fi
} }
verify_interface()
{
known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
}
# #
# #
# Find hosts in a given zone # Find hosts in a given zone
@ -765,7 +777,7 @@ validate_interfaces_file() {
if [ -z "$found_obsolete_option" ]; then if [ -z "$found_obsolete_option" ]; then
found_obsolete_option=yes found_obsolete_option=yes
error_message \ error_message \
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0" "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
error_message \ error_message \
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..." " PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
sleep 5 sleep 5
@ -798,6 +810,13 @@ validate_interfaces_file() {
validate_hosts_file() { validate_hosts_file() {
local z hosts options r interface host option port ports local z hosts options r interface host option port ports
check_bridge_port()
{
list_search $1 $ports || ports="$ports $1"
list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
list_search $1 $all_ports || all_ports="$all_ports $1"
}
while read z hosts options; do while read z hosts options; do
expandv z hosts options expandv z hosts options
r="$z $hosts $options" r="$z $hosts $options"
@ -820,17 +839,14 @@ validate_hosts_file() {
*:*) *:*)
known_interface ${host%:*} && \ known_interface ${host%:*} && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
port=${host%%:*} check_bridge_port ${host%%:*}
list_search $port $ports || ports="$ports $port"
list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
;; ;;
*.*.*.*) *.*.*.*)
;; ;;
*) *)
known_interface $host && \ known_interface $host && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host" startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
list_search $host $ports || ports="$ports $host" check_bridge_port $host
list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
;; ;;
esac esac
@ -855,6 +871,8 @@ validate_hosts_file() {
fi fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
[ -n "$all_ports" ] && echo " Bridge ports are: $all_ports"
} }
# #
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
# #
setup_forwarding() { setup_forwarding() {
save_progress_message "Restoring IP Forwarding..."
case "$IP_FORWARDING" in case "$IP_FORWARDING" in
[Oo][Nn]) [Oo][Nn])
run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1219,7 @@ disable_ipv6() {
if [ -n "$foo" ]; then if [ -n "$foo" ]; then
if qt which ip6tables; then if qt which ip6tables; then
save_progress_message "Disabling IPV6..."
ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
@ -1226,10 +1248,15 @@ stop_firewall() {
;; ;;
*) *)
set +x set +x
if [ -f /var/lib/shorewall/restore ]; then
[ -z "$RESTOREFILE" ] && RESTOREFILE=restore
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH
echo Shorewall restored echo "Shorewall restored from $RESTOREPATH"
my_mutex_off my_mutex_off
kill $$ kill $$
exit 2 exit 2
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
save_progress_message "Restoring Proxy ARP..."
while read address interface external haveroute persistent; do while read address interface external haveroute persistent; do
expandv address interface external haveroute persistent expandv address interface external haveroute persistent
setup_one_proxy_arp setup_one_proxy_arp
@ -1840,6 +1869,8 @@ setup_nat() {
# #
> ${STATEDIR}/nat > ${STATEDIR}/nat
save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
expandv external interface internal allints localnat expandv external interface internal allints localnat
@ -1995,10 +2026,8 @@ process_tc_rule()
chain=tcout chain=tcout
;; ;;
*) *)
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
esac esac
@ -2023,7 +2052,11 @@ process_tc_rule()
esac esac
fi fi
[ "x$dest" = "x-" ] || r="${r}-d $dest " if [ "x$dest" != "x-" ]; then
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
fi
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
@ -2095,6 +2128,8 @@ setup_tc1() {
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart run_user_exit tcstart
save_progress_message "Restoring Traffic Control..."
save_command . $(find_file tcstart) save_command . $(find_file tcstart)
} }
@ -2118,6 +2153,8 @@ delete_tc()
} }
save_progress_message "Clearing Traffic Control/QOS"
run_user_exit tcclear run_user_exit tcclear
run_ip link list | \ run_ip link list | \
@ -2144,6 +2181,14 @@ process_accounting_rule() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
} }
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
}
accounting_interface_verify() {
verify_interface $1 || accounting_interface_error $1
}
jump_to_chain() { jump_to_chain() {
if ! havechain $jumpchain; then if ! havechain $jumpchain; then
if ! createchain2 $jumpchain No; then if ! createchain2 $jumpchain No; then
@ -2157,6 +2202,7 @@ process_accounting_rule() {
case $source in case $source in
*:*) *:*)
accounting_interface_verify ${source%:*}
rule="-s ${source#*:} $(match_source_dev ${source%:*})" rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2165,12 +2211,16 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
[ -n "$source" ] && rule="$(match_source_dev $source)" if [ -n "$source" ]; then
accounting_interface_verify $source
rule="$(match_source_dev $source)"
fi
;; ;;
esac esac
[ -n "$dest" ] && case $dest in [ -n "$dest" ] && case $dest in
*:*) *:*)
accounting_interface_verify ${dest%:*}
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;; ;;
*.*.*.*) *.*.*.*)
@ -2179,6 +2229,7 @@ process_accounting_rule() {
-|all|any) -|all|any)
;; ;;
*) *)
accounting_interface_verify $dest
rule="$rule $(match_dest_dev $dest)" rule="$rule $(match_dest_dev $dest)"
;; ;;
esac esac
@ -2233,8 +2284,8 @@ process_accounting_rule() {
ensurechain1 $chain ensurechain1 $chain
if iptables -A $chain $rule ; then if iptables -A $chain $(fix_bang $rule) ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
else else
accounting_error accounting_error
@ -2409,6 +2460,16 @@ add_an_action()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
action_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -2417,6 +2478,7 @@ add_an_action()
-) -)
;; ;;
*:*) *:*)
action_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -2426,7 +2488,10 @@ add_an_action()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
action_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -2445,7 +2510,10 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)" if [ -n "$server" ]; then
action_interface_verify $server
dest_interface="$(match_dest_dev $server)"
fi
;; ;;
esac esac
@ -2496,20 +2564,18 @@ add_an_action()
$(fix_bang $proto $sports $multiport $cli -d $srv $dports) $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
fi fi
[ "$logtarget" = LOG ] || \ run_iptables2 -A $action $proto $multiport $cli $sports \
run_iptables2 -A $action $proto $multiport $cli $sports \ -d $srv $dports $ratelimit $userandgroup -j $target
-d $srv $dports $ratelimit $userandgroup -j $target
done done
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dest_interface $dports)
fi fi
[ "$logtarget" = LOG ] || \ run_iptables2 -A $action $proto $multiport $cli $dest_interface $sports \
run_iptables2 -A $action $proto $multiport $cli $sports \ $dports $ratelimit $userandgroup -j $target
$dports $ratelimit $userandgroup -j $target
fi fi
fi fi
} }
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
# #
process_actions1() { process_actions1() {
#
# Add the builtin actions
#
add_builtin_actions() {
if [ "$COMMAND" != check ]; then ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
createchain dropBcast no USEDACTIONS=
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
createchain dropNonSyn no
run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
fi
ACTIONS="dropBcast dropNonSyn"
USEDACTIONS="dropBcast dropNonSyn"
}
add_builtin_actions
strip_file actions strip_file actions
@ -2821,6 +2863,10 @@ process_actions2() {
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
} }
log_action() {
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
}
# #
# Generate the transitive closure of $USEDACTIONS # Generate the transitive closure of $USEDACTIONS
# #
@ -2844,7 +2890,38 @@ process_actions2() {
# #
for xaction in $USEDACTIONS; do for xaction in $USEDACTIONS; do
case $xaction in case $xaction in
dropNonSyn|dropBcast) dropBcast)
if [ "$COMMAND" != check ]; then
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
run_iptables -A dropBcast -d $address -j DROP
done
fi
fi
;;
dropNonSyn)
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
;;
dropNotSyn)
[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
;;
rejNotSyn)
[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
;;
logNotSyn)
log_action logNotSyn LOG
;;
rLogNotSyn)
log_action rLogNotSyn REJECT
;;
dLogNotSyn)
log_action dLogNotSyn DROP
;; ;;
*) *)
f=action.$xaction f=action.$xaction
@ -3091,6 +3168,16 @@ add_a_rule()
fi fi
} }
interface_error()
{
fatal_error "Unknown interface $1 in rule: \"$rule\""
}
rule_interface_verify()
{
verify_interface $1 || interface_error $1
}
# Set source variables. The 'cli' variable will hold the client match predicate(s). # Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
@ -3099,6 +3186,7 @@ add_a_rule()
-) -)
;; ;;
*:*) *:*)
rule_interface_verify ${client%:*}
cli="$(match_source_dev ${client%:*}) -s ${client#*:}" cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;; ;;
*.*.*) *.*.*)
@ -3108,7 +3196,10 @@ add_a_rule()
cli=$(mac_match $client) cli=$(mac_match $client)
;; ;;
*) *)
[ -n "$client" ] && cli="$(match_source_dev $client)" if [ -n "$client" ]; then
rule_interface_verify $client
cli="$(match_source_dev $client)"
fi
;; ;;
esac esac
@ -3128,7 +3219,8 @@ add_a_rule()
;; ;;
*) *)
if [ -n "$server" ]; then if [ -n "$server" ]; then
[ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget" [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
rule_interface_verify $server
dest_interface="$(match_dest_dev $server)" dest_interface="$(match_dest_dev $server)"
fi fi
;; ;;
@ -3265,7 +3357,7 @@ add_a_rule()
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
@ -3274,8 +3366,8 @@ add_a_rule()
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $userandgroup -j RETURN
[ "$logtarget" != NONAT ] && \ [ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $proto $multiport $dest_interface \ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$cli $sports $dports $ratelimit $userandgroup -j $target $sports $dports $ratelimit $userandgroup -j $target
fi fi
fi fi
fi fi
@ -3708,6 +3800,11 @@ process_tos_rule() {
# #
# Assume that this is a device name # Assume that this is a device name
# #
if ! verify_interface $src ; then
error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
return
fi
src="$(match_source_dev $src)" src="$(match_source_dev $src)"
;; ;;
esac esac
@ -4285,7 +4382,7 @@ setup_masq()
strip_file masq $1 strip_file masq $1
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
while read fullinterface networks addresses proto ports; do while read fullinterface networks addresses proto ports; do
expandv fullinterface networks addresses proto ports expandv fullinterface networks addresses proto ports
@ -4399,7 +4496,7 @@ setup_blacklist() {
createchain blacklst no createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do for host in $hosts; do
interface=${host%%:*} interface=${host%%:*}
@ -4507,6 +4604,8 @@ add_ip_aliases()
set -- $aliases_to_add set -- $aliases_to_add
save_progress_message "Restoring IP Addresses..."
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
external=$1 external=$1
interface=$2 interface=$2
@ -4529,7 +4628,7 @@ add_ip_aliases()
# #
load_kernel_modules() load_kernel_modules()
{ {
local save_modules_dir=$MODULESDIR save_modules_dir=$MODULESDIR
[ -z "$MODULESDIR" ] && \ [ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@ -4537,7 +4636,7 @@ load_kernel_modules()
modules=$(find_file modules) modules=$(find_file modules)
if [ -f $modules -a -d $MODULESDIR ]; then if [ -f $modules -a -d $MODULESDIR ]; then
echo "Loading Modules..." progress_message "Loading Modules..."
. $modules . $modules
fi fi
@ -4547,12 +4646,10 @@ load_kernel_modules()
save_load_kernel_modules() save_load_kernel_modules()
{ {
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
modules=$(find_file modules) modules=$(find_file modules)
save_command "reload_kernel_modules <<EOF" save_progress_message "Loading kernel modules..."
save_command "reload_kernel_modules <<__EOF__"
while read command; do while read command; do
case "$command" in case "$command" in
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
esac esac
done < $modules done < $modules
save_command EOF save_command __EOF__
} }
@ -4721,7 +4818,7 @@ initialize_netfilter () {
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
done done
run_user_exit newnotsyn run_user_exit newnotsyn
@ -4754,7 +4851,7 @@ initialize_netfilter () {
fi fi
fi fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state= [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
echo "Creating Interface Chains..." echo "Creating Interface Chains..."
@ -5028,6 +5125,8 @@ add_common_rules() {
# #
# ARP Filtering # ARP Filtering
# #
save_progress_message "Restoring ARP filtering..."
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5055,6 +5154,8 @@ add_common_rules() {
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..." echo "Setting up Kernel Route Filtering..."
save_progress_message "Restoring Route Filtering..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
run_and_save_command "echo 0 > $f" run_and_save_command "echo 0 > $f"
done done
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
echo '#bin/sh' > /var/lib/shorewall/restore-$$ echo '#bin/sh' > /var/lib/shorewall/restore-$$
echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ save_command "#"
save_command "# Restore base file generated by Shorewall $version - $(date)"
save_command "#"
save_command ". /usr/share/shorewall/functions"
save_command "MODULESDIR=\"$MODULESDIR\"" save_command "MODULESDIR=\"$MODULESDIR\""
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
save_command "date > $STATEDIR/restarted" save_command "date > $STATEDIR/restarted"
save_command 'iptables-restore << EOF' save_progress_message "Restoring Netfilter Configuration..."
# 'shorewall save' appends the iptables-save output and 'EOF' save_command 'iptables-restore << __EOF__'
# 'shorewall save' appends the iptables-save output and '__EOF__'
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
@ -5948,10 +6054,10 @@ do_initialize() {
ensure_config_path ensure_config_path
# #
# Determine the capabilities of the installed iptables/netfilter # Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules so that capabilities can be # We load the kernel modules here to acurately determine
# accurately detected when kernel module autoloading is not # capabilities when module autoloading isn't enabled.
# enabled.
# #
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz" [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
load_kernel_modules load_kernel_modules
determine_capabilities determine_capabilities

8
STABLE2/functions
View File

@ -33,6 +33,14 @@ list_count() {
list_count1 $(separate_list $1) list_count1 $(separate_list $1)
} }
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
# #
# Suppress all output for a command # Suppress all output for a command
# #

27
STABLE2/help
View File

@ -117,9 +117,9 @@ drop)
;; ;;
forget) forget)
echo "forget: forget echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
files are created by the 'shorewall save' command the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\"" See also \"help save\""
;; ;;
@ -194,18 +194,22 @@ restart)
;; ;;
restore) restore)
echo "restore: restore echo "restore: restore [ <file name> ]
Restore Shorewall to its last state saved using the 'save' command Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\"" See also \"help save\" and \"help forget\""
;; ;;
save) save)
echo "save: save echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore' firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting. Shorewall allow, drop, rejct and save implement dynamic blacklisting.
@ -240,8 +244,9 @@ start)
Start shorewall. Existing connections through shorewall managed Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies. if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the last saved configuraton if any will be restored" If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;; ;;
stop) stop)

21
STABLE2/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.2f VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -87,11 +87,20 @@ install_file_with_backup() # $1 = source $2 = target $3 = mode
# RUNLEVELS is the chkconfig parmeters for firewall # RUNLEVELS is the chkconfig parmeters for firewall
# ARGS is "yes" if we've already parsed an argument # ARGS is "yes" if we've already parsed an argument
# #
DEST="/etc/init.d"
INIT="shorewall"
RUNLEVELS=""
ARGS="" ARGS=""
if [ -z "$DEST" ] ; then
DEST="/etc/init.d"
fi
if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
if [ -z "$RUNLEVELS" ] ; then
RUNLEVELS=""
fi
if [ -z "$OWNER" ] ; then if [ -z "$OWNER" ] ; then
OWNER=root OWNER=root
fi fi
@ -402,7 +411,7 @@ echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"
# #
install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600 install_file_with_backup configpath ${PREFIX}/usr/share/shorewall/configpath 0600
echo echo
echo " Default config path file installed as ${PREFIX}/etc/shorewall/configpath" echo " Default config path file installed as ${PREFIX}/usr/share/shorewall/configpath"
# #
# Install the init file # Install the init file
# #
@ -500,7 +509,7 @@ for f in action.* ; do
else else
run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f run_install -o $OWNER -g $GROUP -m 0600 $f ${PREFIX}/usr/share/shorewall/$f
echo echo
echo "Action ${f#*.} file installed as ${PREFIX}/etc/shorewall/$f" echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
fi fi
done done
# #

282
STABLE2/releasenotes.txt
View File

@ -1,21 +1,6 @@
Shorewall 2.0.2f Shorewall 2.0.3 RC2
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.1
1) The /etc/init.d/shorewall script installed on Debian by install.sh
failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the
normal Shorewall distribution and is provided by the Debian
maintainer.
2) A meaningless warning message out of the proxyarp file processing
has been eliminated.
3) The "shorewall delete" command now correctly removes all dynamic
rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.
Problems Corrected since 2.0.2 Problems Corrected since 2.0.2
1) The 'firewall' script is not purging temporary restore files in 1) The 'firewall' script is not purging temporary restore files in
@ -34,222 +19,139 @@ Problems Corrected since 2.0.2
used, these rules cause the rule to be checked against ALL input, used, these rules cause the rule to be checked against ALL input,
not just input from the designated zone. not just input from the designated zone.
6) Shorewall checks netfilter capabilities before loading kernel 6) The install.sh script reported installing some files in
/etc/shorewall when the files were actually installed in
/usr/share/shorewall.
7) Shorewall checks netfilter capabilities before loading kernel
modules. Hence if kernel module autoloading isn't enabled, the modules. Hence if kernel module autoloading isn't enabled, the
capabilities will be misdetected. capabilities will be misdetected.
7) The 'newnotsyn' option in /etc/shorewall/hosts has no effect. 8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
8) When used within an action, the LOG target produces two logging 9) The file /etc/init.d/shorewall now gets proper ownership when the
rules. RPM is built by a non-root user.
10) Rules that specify bridge ports in both the SOURCE and DEST
columns no longer cause "shorewall start" to fail.
11) Comments in the rules file have been added to advise users that
"all" in the SOURCE or DEST column does not affect intra-zone
traffic.
12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
passed through the blacklisting chains. Without this change, it is
not possible to blacklist hosts that are mounting certain types of
ICMP-based DOS attacks.
9) Kernel Modules loading is still screwed up.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0.1 to Shorewall 2.0.2: Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
1) Extension Scripts 1) The 'dropNonSyn' standard builtin action has been replaced with the
'dropNotSyn' standard builtin action. The old name can still be used
In order for extension scripts to work properly with the new but will generate a warning.
iptables-save/restore integration (see New Feature 1 below), some
change may be required to your extension scripts.
If your extension scripts are executing commands other than iptables
then those commands must also be written to the restore file (a
temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).
The following functions should be of help:
A. save_command() -- saves the passed command to the restore file.
Example:
save_command echo Operation Complete
That command would simply write "echo Operation Complete" to the
restore file.
B. run_and_save_command() -- saves the passed command to the restore
file then executes it. The return value is the exit status of the
command.
Example:
run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Note that as in this example, when the command involves file
redirection then the entire command must be enclosed in quotes. This
applies to all of the functions described here.
C. ensure_and_save_command() -- runs the passed command. If the
command fails, the firewall is restored to it's prior saved state
and the operation is terminated. If the command succeeds, the
command is written to the restore file.
2) Dynamic Zone support.
If you don't need to use the "shorewall add" and "shorewall delete"
commands, you should set DYNAMIC_ZONES=No in
/etc/shorewall/shorewall.conf.
-----------------------------------------------------------------------
New Features: New Features:
1) Shorewall has now been integrated with 1) Shorewall now supports multiple saved configurations.
iptables-save/iptables-restore to provide very fast start and
restart. The elements of this integration are as follows:
a) The 'shorewall save' command now saves the current configuration a) The default saved configuration (restore script) in
in addition to the current dynamic blacklist. If you have /var/lib/shorewall is now specified using the RESTOREFILE option
dynamic zones, you will want to issue 'shorewall save' when the in shorewall.conf. If this variable isn't set then to maitain
zones are empty or the current contents of the zones will be backward compatibility, 'restore' is assumed.
restored by the 'shorewall restore' and 'shorewall -f start'
commands.
b) The 'shorewall restore' command has been added. This command The value of RESTOREFILE must be a simple file name; no slashes
restores the configuration at the time of the last 'save'. ("/") may be included.
c) The -f (fast) option has been added to 'shorewall start'. When b) The "save" command has been extended to be able to specify the
specified (e.g. 'shorewall -f start'), shorewall will perform a name of a saved configuration.
'shorewall restore' if there is a saved configuration. If there
is no saved configuration, a normal 'shorewall start' is
performed.
d) The /etc/init.d/shorewall script now translates the 'start' shorewall save [ <file name> ]
command into 'shorewall -f start' so that fast restart is
possible.
e) When a state-changing command encounters an error and there is a The current state is saved to /var/lib/shorewall/<file name>. If
current saved configuration, that configuration will be restored no <file name> is given, the configuration is saved to
(currently, the firewall is placed in the 'stopped' state). the file determined by the RESTOREFILE setting.
f) If you have previously saved the running configuration and want c) The "restore" command has been extended to be able to specify
Shorewall to discard it, use the 'shorewall forget' command. the name of a saved configuration:
WARNING: iptables 1.2.9 is broken with respect to iptables-save; shorewall restore [ <file name> ]
If your kernel has connection tracking match support, you must
patch iptables 1.2.9 with the iptables patch availale from
the Shorewall errata page.
2) The previous implementation of dynamic zones was difficult to The firewall state is restored from /var/lib/shorewall/<file
maintain. I have changed the code to make dynamic zones optional name>. If no <file name> is given, the firewall state is
under the control of the DYNAMIC_ZONES option in restored from the file determined by the RESTOREFILE setting.
/etc/shorewall/shorewall.conf.
3) In earlier Shorewall 2.0 releases, Shorewall searches in order the c) The "forget" command has changed. Previously, the command
following directories for configuration files. unconditionally removed the /var/lib/shorewall/save file which
records the current dynamic blacklist. The "forget" command now
leaves that file alone.
a) The directory specified in a 'try' command or specified using Also, the "forget" command has been extended to be able to
the -c option. specify the name of a saved configuration:
b) /etc/shorewall shorewall forget [ <file name> ]
c) /usr/share/shorewall The file /var/lib/shorewall/<file name> is removed. If no <file
name> is given, the file determined by the RESTOREFILE setting
is removed.
In this release, the CONFIG_PATH option is added to shorewall.conf. d) The "shorewall -f start" command restores the state from the
CONFIG_PATH contains a list of directory names separated by colons file determined by the RESTOREFILE setting.
(":"). If not set or set to a null value (e.g., CONFIG_PATH="") then
"CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed.
Now Shorewall searches for shorewall.conf according to the old 2) "!" is now allowed in accounting rules.
rules and for other configuration files as follows:
a) The directory specified in a 'try' command or specified using 3) Interface names appearing within the configuration are now
the -c option. verified. Interface names must match the name of an entry in
/etc/shorewall/interfaces (or if bridging is enabled, they must
match the name of an entry in /etc/shorewall/interfaces or the name
of a bridge port appearing in /etc/shorewall/hosts).
b) Each directory in $CONFIG_PATH is searched in sequence. 4) A new 'rejNotSyn' built-in standard action has been added. This
action responds to "New not SYN" packets with an RST.
In case it is not obvious, your CONFIG_PATH should include The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
/usr/share/shorewall and your shorewall.conf file must be in the action. The old name will be accepted until the next major release
directory specified via -c or in a try command, in /etc/shorewall of Shorewall but will generate a warning.
or in /usr/share/shorewall.
For distribution packagers, the default CONFIG_PATH is set in Several new logging actions involving "New not SYN" packets have
/usr/share/shorewall/configpath. You can customize this file to been added:
have a default that differs from mine.
4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column logNewNotSyn -- logs the packet with disposition = LOG
would only take effect if the ALL INTERFACES column also contained dLogNewNotSyn -- logs the packet with disposition = DROP
Yes or yes. Now, the LOCAL columns contents are treated rLogNewNotSyn -- logs the packet with disposition = REJECT
independently of the contents of the ALL INTERFACES column.
5) The folks at Mandrake have created yet another kernel module The packets are logged at the log level specified in the
naming convention (module names end in "ko.gz"). As a consequence, LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
beginning with this release, if MODULE_SUFFIX isn't specified in not specified, then 'info' is assumed.
shorewall.conf, then the default value is "o gz ko o.gz ko.gz".
6) An updated bogons file is included in this release. Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
7) In /etc/shorewall/rules and in action files generated from A: To simulate the behavior of NEWNOTSYN=No:
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and
the log tag.
Example: a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
b) Create /etc/shorewall/action.NoNewNotSyn containing:
ACCEPT:info:ftp net dmz tcp 21 dLogNotSyn
dropNotSyn
The log tag is appended to the log prefix generated by the LOGPREFIX c) Early in your rules file, place:
variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log
prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will
generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank).
The maximum length of a log prefix supported by iptables is 29
characters; if a larger prefix is generated, Shorewall will issue a
warning message and will truncate the prefix to 29 characters.
8) A new "-q" option has been added to /sbin/shorewall commands. It NoNewNotSyn all all tcp
causes the start, restart, check and refresh commands to produce
much less output so that warning messages are more visible (when
testing this change, I discovered a bug where a bogus warning
message was being generated).
9) Shorewall now uses 'modprobe' to load kernel modules if that utility B: Drop 'New not SYN' packets from the net only. Don't log them.
is available in the PATH; otherwise, 'insmod' is used.
10) It is now possible to restrict entries in the /etc/shorewall/masq a) Early in your rules file, place:
file to particular protocols and destination port(s). Two new
columns (PROTO and PORT(S)) have been added to the file.
Example: dropNotSyn net all tcp
You want all outgoing SMTP traffic entering the firewall 5) Slackware users no longer have to modify the install.sh script
on eth1 to be sent from eth0 with source IP address before installation. Tuomo Soini has provided a change that allows
206.124.146.177. You want all other outgoing traffic the INIT and FIREWALL variables to be specified outside the script
from eth1 to be sent from eth0 with source IP address as in:
206.124.146.176.
eth0 eth1 206.124.146.177 tcp 25 DEST=/etc/rc.d INIT=rc.firewall ./install.sh
eth0 eth1 206.124.146.176
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
Assuming that 10.0.0.0/8 is the only host/network connected
to eth1, the progress message at "shorewall start" would be:
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
11) Two new actions are available in the /etc/shorewall/rules file.
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
matching connections from subsequent DNAT[-] and
REDIRECT[-] rules.
NONAT -- Exempts matching connections from subsequent DNAT[-]
and REDIRECT[-] rules.
12) A new extension script 'initdone' has been added. This script is invoked
at the same point as the 'common' script was previously and is useful for
users who mis-used that script under Shorewall 1.x (the script was intended
for adding rules to the 'common' chain but many users treated it as a script
for adding rules before Shorewall's).
13) Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify
settings in the install.sh script before running it as follows:
DEST="/etc/rc.d"
INIT="rc.firewall"
Thanks to Alex Wilms for helping with this change.

8
STABLE2/rules
View File

@ -93,6 +93,10 @@
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names. # "!' and a comma-separated list of sub-zone names.
# #
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further # Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by # restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets # appending ":" and a comma-separated list of subnets
@ -123,6 +127,10 @@
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all" # itself or "all"
# #
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be # Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or # further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or # interface by appending ":" and the subnet, host or

155
STABLE2/shorewall
View File

@ -76,14 +76,17 @@
# listed address(es) # listed address(es)
# shorewall allow <address> ... Reenable address(es) previously # shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject" # disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and # shorewall save [ <file> ] Save the list of "rejected" and
# "dropped" addresses so that it will # "dropped" addresses so that it will
# be automatically reinstated the # be automatically reinstated the
# next time that Shorewall starts. # next time that Shorewall starts.
# Save the current state so that 'shorewall # Save the current state so that 'shorewall
# restore' can be used. # restore' can be used.
# #
# shorewall forget Discard the data saved by 'shorewall save' # shorewall forget [ <file> ] Discard the data saved by 'shorewall save'
#
# shorewall restore [ <file> ] Restore the state of the firewall from
# previously saved information.
# #
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ] # shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
# #
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
fi fi
} }
#
# Validate the value of RESTOREFILE
#
validate_restorefile() # $* = label
{
case $RESTOREFILE in
*/*)
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
}
# #
# Set the configuration variables from shorewall.conf # Set the configuration variables from shorewall.conf
# #
@ -160,11 +176,17 @@ get_config() {
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2 exit 2
fi fi
fi fi
[ -n "$RESTOREFILE" ] || RESTOREFILE=restore
validate_restorefile RESTOREFILE
export RESTOREFILE
} }
# #
@ -535,7 +557,7 @@ help()
# #
usage() # $1 = exit status usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host>] <zone>" echo " add <interface>[:<host>] <zone>"
echo " allow <address> ..." echo " allow <address> ..."
@ -543,7 +565,7 @@ usage() # $1 = exit status
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " forget" echo " forget [ <file name> ]"
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -554,8 +576,8 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart"
echo " restore" echo " restore [ <file name> ]"
echo " save" echo " save [ <file name> ]"
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]" echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
echo " start" echo " start"
echo " stop" echo " stop"
@ -735,11 +757,14 @@ case "$1" in
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
if [ -f /var/lib/shorewall/restore ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH
date > $STATEDIR/restarted date > $STATEDIR/restarted
echo Shorewall restored echo Shorewall restored from $RESTOREPATH
else else
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
fi fi
@ -963,28 +988,57 @@ case "$1" in
;; ;;
save) save)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -ne 1 ] && usage 1
get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
echo " Dynamic Rules Saved" echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo EOF >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
chmod +x /var/lib/shorewall/restore
echo " Currently-running Configuration Saved"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
fi
else else
echo "Error Saving the Dynamic Rules" case $RESTOREFILE in
save|restore-base)
echo " ERROR: Reserved file name: save"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
echo __EOF__ >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
else
rm -f /var/lib/shorewall/restore-$$
echo " ERROR: Currently-running Configuration Not Saved"
fi
else
echo " ERROR: /var/lib/shorewall/restore-base does not exist"
fi
else
echo "Error Saving the Dynamic Rules"
fi
;;
esac
fi fi
else else
echo "Shorewall isn't started" echo "Shorewall isn't started"
@ -992,9 +1046,28 @@ case "$1" in
mutex_off mutex_off
;; ;;
forget) forget)
rm -f /var/lib/shorewall/restore get_config
rm -f /var/lib/shorewall/save case $# in
echo " Previously saved information discarded" 1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
rm -f $RESTOREPATH
echo " $RESTOREPATH removed"
elif [ -f $RESTOREPATH ]; then
echo " ERROR: $RESTOREPATH is not a restore script"
fi
;; ;;
ipcalc) ipcalc)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -1032,12 +1105,26 @@ case "$1" in
esac esac
;; ;;
restore) restore)
if [ -f /var/lib/shorewall/restore ]; then get_config
case $# in
1)
;;
2)
RESTOREFILE="$2"
validate_restorefile '<restore file>'
;;
*)
usage 1
;;
esac
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
echo Restoring Shorewall... echo Restoring Shorewall...
. /var/lib/shorewall/restore $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
echo Shorewall restored
else else
echo "File /var/lib/shorewall/restore: file not found" echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
exit 2 exit 2
fi fi
;; ;;

18
STABLE2/shorewall.conf
View File

@ -258,6 +258,24 @@ MODULESDIR=
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################ ################################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
################################################################################ ################################################################################

22
STABLE2/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 2.0.2f %define version 2.0.3
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -68,7 +68,7 @@ if [ $1 = 0 ]; then
fi fi
%files %files
/etc/init.d/shorewall %attr(0544,root,root) /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/share/shorewall %attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall %attr(0700,root,root) %dir /var/lib/shorewall
@ -141,16 +141,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Thu Jun 03 2004 Tom Eastep tom@shorewall.net * Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2f-1 - Updated to 2.0.2-1
* Sat May 29 2004 Tom Eastep tom@shorewall.net * Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2e-1 - Updated to 2.0.2-0RC2
* Thu May 27 2004 Tom Eastep tom@shorewall.net * Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2d-1 - Updated to 2.0.2-0RC1
* Fri May 21 2004 Tom Eastep tom@shorewall.net * Mon Jun 14 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2c-1 - Added %attr spec for /etc/init.d/shorewall
* Mon May 17 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2b-1
* Sat May 15 2004 Tom Eastep tom@shorewall.net * Sat May 15 2004 Tom Eastep tom@shorewall.net
- Updated for 2.0.2a-1 - Updated for 2.0.2a-1
* Thu May 13 2004 Tom Eastep tom@shorewall.net * Thu May 13 2004 Tom Eastep tom@shorewall.net

9
STABLE2/tunnel
View File

@ -59,6 +59,13 @@ gateway="x.x.x.x"
subnet="192.168.9.0/24" subnet="192.168.9.0/24"
# GRE Key -- set this to a number or to a dotted quad if you want
# a keyed GRE tunnel. You must specify a KEY if you
# intend to load ip_conntrack_proto_gre on either
# gateway system
key=
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
load_modules () { load_modules () {
@ -101,7 +108,7 @@ do_start() {
case $tunnel_type in case $tunnel_type in
gre) gre)
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255 ${key:+key $key)
;; ;;
*) *)
ip tunnel add $tunnel mode ipip remote $gateway ip tunnel add $tunnel mode ipip remote $gateway

2
STABLE2/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.2f VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall2/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=2.0.3-RC2 VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall2/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=2.0.3-RC2 VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall2/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 2.0.3 %define version 2.0.3
%define release 0RC2 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Wed Jun 23 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-1
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net * Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2 - Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net * Tue Jun 15 2004 Tom Eastep tom@shorewall.net

2
Shorewall2/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.3-RC2 VERSION=2.0.3
usage() # $1 = exit status usage() # $1 = exit status
{ {