Untabify major files and fix 'hits' bug

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@114 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-07-05 22:24:40 +00:00
parent ee19fb9ea6
commit e899d2a8ab
2 changed files with 373 additions and 373 deletions



@ -2,75 +2,75 @@
# #
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 # Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
# #
# #
# This file should be placed in /sbin/shorewall. # This file should be placed in /sbin/shorewall.
# #
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# If an error occurs while starting or restarting the firewall, the # If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped. # firewall is automatically stopped.
# #
# The firewall uses configuration files in /etc/shorewall/ - skeleton # The firewall uses configuration files in /etc/shorewall/ - skeleton
# files is included with the firewall. # files is included with the firewall.
# #
# Commands are: # Commands are:
# #
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
# plus the last 20 "interesting" # plus the last 20 "interesting"
# packets # packets
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptables packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Open the floodgates by # shorewall clear Open the floodgates by
# removing all iptables rules # removing all iptables rules
# and setting the three permanent # and setting the three permanent
# chain policies to ACCEPT # chain policies to ACCEPT
# shorewall refresh Rebuild the common chain to # shorewall refresh Rebuild the common chain to
# compensate for a change of # compensate for a change of
# broadcast address on any "detect" # broadcast address on any "detect"
# interface. # interface.
# shorewall show <chain> Display the rules in a <chain> # shorewall show <chain> Display the rules in a <chain>
# shorewall show log Print the last 20 log messages # shorewall show log Print the last 20 log messages
# shorewall show connections Show the kernel's connection # shorewall show connections Show the kernel's connection
# tracking table # tracking table
# shorewall show nat Display the rules in the nat table # shorewall show nat Display the rules in the nat table
# shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show {mangle|tos} Display the rules in the mangle table
# shorewall show tc Display traffic control info # shorewall show tc Display traffic control info
# shorewall version Display the installed version id # shorewall version Display the installed version id
# shorewall check Verify the more heavily-used # shorewall check Verify the more heavily-used
# configuration files. # configuration files.
# shorewall try <directory> [ <timeout> ] Try a new configuration and if # shorewall try <directory> [ <timeout> ] Try a new configuration and if
# it doesn't work, revert to the # it doesn't work, revert to the
# standard one. If a timeout is supplied # standard one. If a timeout is supplied
# the command reverts back to the # the command reverts back to the
# standard configuration after that many # standard configuration after that many
# seconds have elapsed after successfully # seconds have elapsed after successfully
# starting the new configuration. # starting the new configuration.
# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall # shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
# messages. # messages.
# shorewall drop <address> ... Temporarily drop all packets from the # shorewall drop <address> ... Temporarily drop all packets from the
# listed address(es) # listed address(es)
# shorewall reject <address> ... Temporarily reject all packets from the # shorewall reject <address> ... Temporarily reject all packets from the
# listed address(es) # listed address(es)
# shorewall allow <address> ... Reenable address(es) previously # shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject" # disabled with "drop" or "reject"
@ -84,11 +84,11 @@
showfirstchain() # $1 = name of chain showfirstchain() # $1 = name of chain
{ {
awk \ awk \
'BEGIN {prnt=0; rslt=1; }; \ 'BEGIN {prnt=0; rslt=1; }; \
/^$/ { next; };\ /^$/ { next; };\
/^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
/Chain '$1'/ { prnt=1; }; \ /Chain '$1'/ { prnt=1; }; \
{ if (prnt == 1) print; };\ { if (prnt == 1) print; };\
END { exit rslt; }' /tmp/chains-$$ END { exit rslt; }' /tmp/chains-$$
} }
@ -100,16 +100,16 @@ showchain() # $1 = name of chain
fi fi
else else
awk \ awk \
'BEGIN {prnt=0;};\ 'BEGIN {prnt=0;};\
/^$|^ pkts/ { next; };\ /^$|^ pkts/ { next; };\
/^Chain/ {if ( prnt == 1 ) exit; };\ /^Chain/ {if ( prnt == 1 ) exit; };\
/Chain '$1'/ { prnt=1; };\ /Chain '$1'/ { prnt=1; };\
{ if (prnt == 1) print; }' /tmp/chains-$$ { if (prnt == 1) print; }' /tmp/chains-$$
fi fi
} }
################################################################################# #################################################################################
# Set the configuration variables from shorewall.conf # # Set the configuration variables from shorewall.conf #
################################################################################# #################################################################################
get_config() { get_config() {
get_statedir get_statedir
@ -125,17 +125,17 @@ get_config() {
# that ash (aka /bin/sh on LRP) doesn't crap # that ash (aka /bin/sh on LRP) doesn't crap
# #
if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then
realtail="Yes" realtail="Yes"
else else
realtail="" realtail=""
fi fi
[ -n "$FW" ] || FW=fw [ -n "$FW" ] || FW=fw
} }
################################################################################# #################################################################################
# Display IPTABLES rules -- we used to store them in a variable but ash # # Display IPTABLES rules -- we used to store them in a variable but ash #
# dies when trying to display large sets of rules # # dies when trying to display large sets of rules #
################################################################################# #################################################################################
display_chains() display_chains()
{ {
@ -150,7 +150,7 @@ display_chains()
clear clear
echo -e "$banner `date`\\n" echo -e "$banner `date`\\n"
echo -e "Standard Chains\\n" echo -e "Standard Chains\\n"
firstchain="Yes" firstchain="Yes"
showchain INPUT showchain INPUT
showchain OUTPUT showchain OUTPUT
@ -161,7 +161,7 @@ display_chains()
clear clear
echo -e "$banner `date`\\n" echo -e "$banner `date`\\n"
firstchain=Yes firstchain=Yes
echo -e "Input Chains\\n" echo -e "Input Chains\\n"
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -183,7 +183,7 @@ display_chains()
showchain ${zone}2$zone1 showchain ${zone}2$zone1
showchain @${zone}2$zone1 showchain @${zone}2$zone1
[ "$zone" != "$zone1" ] && \ [ "$zone" != "$zone1" ] && \
showchain ${zone1}2${zone} && \ showchain ${zone1}2${zone} && \
showchain @${zone1}2${zone} showchain @${zone1}2${zone}
done done
@ -196,7 +196,7 @@ display_chains()
firstchain=Yes firstchain=Yes
echo -e "Policy Chains\\n" echo -e "Policy Chains\\n"
showchain common showchain common
showchain badpkt showchain badpkt
showchain icmpdef showchain icmpdef
showchain rfc1918 showchain rfc1918
showchain blacklst showchain blacklst
@ -205,7 +205,7 @@ display_chains()
showchain ${zone}2all showchain ${zone}2all
showchain @${zone}2all showchain @${zone}2all
[ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; } [ "$zone" = "all" ] || { showchain all2${zone}; showchain @all2${zone}; }
done done
timed_read timed_read
@ -226,8 +226,8 @@ display_chains()
} }
################################################################################# #################################################################################
# Delay $timeout seconds -- if we're running on a recent bash2 then allow # # Delay $timeout seconds -- if we're running on a recent bash2 then allow #
# <enter> to terminate the delay # # <enter> to terminate the delay #
################################################################################# #################################################################################
timed_read () timed_read ()
{ {
@ -237,7 +237,7 @@ timed_read ()
} }
################################################################################# #################################################################################
# Display the last $1 packets logged # # Display the last $1 packets logged #
################################################################################# #################################################################################
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
@ -246,20 +246,20 @@ packet_log() # $1 = number of messages
[ -n "$realtail" ] && options="-n$1" [ -n "$realtail" ] && options="-n$1"
grep 'Shorewall:\|ipt_unclean' $LOGFILE | \ grep 'Shorewall:\|ipt_unclean' $LOGFILE | \
sed s/" $host kernel: Shorewall:"/" "/ | \ sed s/" $host kernel: Shorewall:"/" "/ | \
sed s/" $host kernel: ipt_unclean: "/" "/ | \ sed s/" $host kernel: ipt_unclean: "/" "/ | \
sed 's/MAC=.*SRC=/SRC=/' | \ sed 's/MAC=.*SRC=/SRC=/' | \
tail $options tail $options
} }
################################################################################# #################################################################################
# Show traffic control information # # Show traffic control information #
################################################################################# #################################################################################
show_tc() { show_tc() {
show_one_tc() { show_one_tc() {
local device=${1%@*} local device=${1%@*}
qdisc=`tc qdisc list dev $device` qdisc=`tc qdisc list dev $device`
if [ -n "$qdisc" ]; then if [ -n "$qdisc" ]; then
echo Device $device: echo Device $device:
@ -274,7 +274,7 @@ show_tc() {
case $inx in case $inx in
[0-9]*) [0-9]*)
show_one_tc ${interface%:} show_one_tc ${interface%:}
;; ;;
*) *)
;; ;;
esac esac
@ -283,10 +283,10 @@ show_tc() {
} }
################################################################################# #################################################################################
# Monitor the Firewall # # Monitor the Firewall #
################################################################################# #################################################################################
monitor_firewall() # $1 = timeout -- if negative, prompt each time that monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
get_config get_config
@ -360,7 +360,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
# Watch the Firewall Log # # Watch the Firewall Log #
################################################################################# #################################################################################
logwatch() # $1 = timeout -- if negative, prompt each time that logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
get_config get_config
@ -456,23 +456,23 @@ while [ $done -eq 0 ]; do
[ $# -eq 0 ] && usage 1 [ $# -eq 0 ] && usage 1
case $1 in case $1 in
-c) -c)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if [ ! -d $2 ]; then if [ ! -d $2 ]; then
if [ -e $2 ]; then if [ -e $2 ]; then
echo "$2 is not a directory" >&2 && exit 2 echo "$2 is not a directory" >&2 && exit 2
else else
echo "Directory $2 does not exist" >&2 && exit 2 echo "Directory $2 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$2 SHOREWALL_DIR=$2
shift shift
shift shift
;; ;;
*) *)
done=1 done=1
;; ;;
esac esac
done done
@ -496,10 +496,10 @@ firewall=/var/lib/shorewall/firewall
if [ ! -f $firewall ]; then if [ ! -f $firewall ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then if [ -L $firewall ]; then
echo " $firewall is a symbolic link to a" echo " $firewall is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /var/lib/shorewall/firewall does not exist" echo " The file /var/lib/shorewall/firewall does not exist"
fi fi
exit 2 exit 2
@ -513,7 +513,7 @@ if [ -f $version_file ]; then
version=`cat $version_file` version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /var/lib/shorewall/version does not exist" echo " The file /var/lib/shorewall/version does not exist"
exit 1 exit 1
fi fi
@ -525,7 +525,7 @@ case "$1" in
exec $firewall $debugging $nolock $1 exec $firewall $debugging $nolock $1
;; ;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
connections) connections)
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n"
@ -540,7 +540,7 @@ case "$1" in
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
get_config get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n"
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20 packet_log 20
@ -549,11 +549,11 @@ case "$1" in
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n"
show_tc show_tc
;; ;;
*) *)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
iptables -L $2 -n -v iptables -L $2 -n -v
;; ;;
esac esac
;; ;;
monitor) monitor)
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
@ -563,9 +563,9 @@ case "$1" in
else else
usage 1 usage 1
fi fi
;; ;;
status) status)
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
@ -581,46 +581,46 @@ case "$1" in
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
hits) hits)
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n" echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n"
timeout=30 timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then
echo " HITS IP DATE" echo " HITS IP DATE"
echo " ---- --------------- ------" echo " ---- --------------- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS IP PORT" echo " HITS IP PORT"
echo " ---- --------------- -----" echo " ---- --------------- -----"
grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS DATE" echo " HITS DATE"
echo " ---- ------" echo " ---- ------"
grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn
echo "" echo ""
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
srv=`grep "\\b$port/" /etc/services | cut -f 1 | sort -u` srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
srv=`echo $srv | sed 's/ /,/g'` srv=`echo $srv | sed 's/ /,/g'`
if [ -n "$srv" ] ; then if [ -n "$srv" ] ; then
printf '%7d %5d %s\n' $count $port $srv printf '%7d %5d %s\n' $count $port $srv
else else
printf '%7d %5d\n' $count $port printf '%7d %5d\n' $count $port
fi fi
done done
fi fi
;; ;;
version) version)
echo $version echo $version
;; ;;
@ -636,7 +636,7 @@ case "$1" in
elif [ $# -eq 3 ]; then elif [ $# -eq 3 ]; then
sleep $3 sleep $3
$0 restart $0 restart
fi fi
;; ;;
logwatch) logwatch)
if [ $# -eq 2 ]; then if [ $# -eq 2 ]; then
@ -646,9 +646,9 @@ case "$1" in
else else
usage 1 usage 1
fi fi
;; ;;
drop) drop)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
@ -658,7 +658,7 @@ case "$1" in
mutex_off mutex_off
;; ;;
reject) reject)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
@ -668,18 +668,18 @@ case "$1" in
mutex_off mutex_off
;; ;;
allow) allow)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject; then if qt iptables -D dynamic -s $1 -j reject; then
# #
# Address was rejected -- silently remove any drop as well # Address was rejected -- silently remove any drop as well
# #
qt iptables -D dynamic -s $1 -j DROP qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed" echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then elif qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
fi fi
@ -687,13 +687,13 @@ case "$1" in
mutex_off mutex_off
;; ;;
save) save)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
if iptables -L dynamic -n > /var/lib/shorewall/save; then if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved" echo "Dynamic Rules Saved"
else else
echo "Error Saving the Dynamic Rules" echo "Error Saving the Dynamic Rules"
fi fi
else else
echo "Shorewall isn't started" echo "Shorewall isn't started"
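Review bot: The corrected service lookup in the `hits` branch, `grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`, only skips lines whose first character is `#`, so a port number mentioned in a trailing comment on another service's line (e.g. `foo 2000/tcp # cf. 21/tcp`) is still reported as a service for port 21, and `cut -f 1` assumes a TAB after the service name and returns the whole line when the file is space-separated. I would use `grep "^[^#]*[[:space:]]$port/" /etc/services | awk '{print $1}' | sort -u`, which keeps the match ahead of any `#` and splits on any whitespace; `$port` comes from the `[0-9]\{1,5\}` capture two lines above, so interpolating it into the pattern is safe. `timeout=30` at the top of the branch appears to be never read within the `hits` case and could be dropped. The enclosing `case "$1" in` starts and ends outside this hunk.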