forked from extern/shorewall_code
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
8236ce572e | ||
|
|
bf5be7198b | ||
|
|
6f777098d7 | ||
|
|
e545329eb9 |
@@ -1470,10 +1470,22 @@ do_dump_command() {
|
||||
$g_tool -t rawpost -L $g_ipt_options
|
||||
fi
|
||||
|
||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
local count
|
||||
local max
|
||||
|
||||
heading "Conntrack Table ($count out of $max)"
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then
|
||||
count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||
max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||
|
||||
heading "Conntrack Table ($count out of $max)"
|
||||
elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then
|
||||
count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count)
|
||||
max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max)
|
||||
|
||||
heading "Conntrack Table ($count out of $max)"
|
||||
else
|
||||
heading "Conntrack Table"
|
||||
fi
|
||||
|
||||
if [ $g_family -eq 4 ]; then
|
||||
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
|
||||
@@ -3515,14 +3527,6 @@ restart_command() {
|
||||
return $rc
|
||||
}
|
||||
|
||||
run_command() {
|
||||
if [ -x ${VARDIR}/firewall ] ; then
|
||||
run_it ${VARDIR}/firewall $g_debugging $@
|
||||
else
|
||||
fatal_error "${VARDIR}/firewall does not exist or is not executable"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
@@ -3554,7 +3558,6 @@ usage() # $1 = exit status
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " run <command> [ <parameter> ... ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
|
||||
echo " [ show | list | ls ] [ -f ] capabilities"
|
||||
@@ -3827,11 +3830,6 @@ shorewall_cli() {
|
||||
fatal_error "$g_product is not running"
|
||||
fi
|
||||
;;
|
||||
run)
|
||||
[ $# -gt 1 ] || fatal_error "Missing function name"
|
||||
get_config Yes
|
||||
run_command $@
|
||||
;;
|
||||
show|list|ls)
|
||||
get_config Yes No Yes
|
||||
shift
|
||||
|
||||
@@ -172,7 +172,6 @@ run_it() {
|
||||
error_message() # $* = Error Message
|
||||
{
|
||||
echo " $@" >&2
|
||||
return 1
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
@@ -123,17 +123,6 @@ shorewall_start () {
|
||||
|
||||
echo "done."
|
||||
|
||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
||||
|
||||
echo -n "Restoring ipsets: "
|
||||
|
||||
if ! ipset -R < "$SAVE_IPSETS"; then
|
||||
echo_notdone
|
||||
fi
|
||||
|
||||
echo "done."
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -153,20 +142,6 @@ shorewall_stop () {
|
||||
|
||||
echo "done."
|
||||
|
||||
if [ -n "$SAVE_IPSETS" ]; then
|
||||
|
||||
echo "Saving ipsets: "
|
||||
|
||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
|
||||
else
|
||||
echo_notdone
|
||||
fi
|
||||
|
||||
echo "done."
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
@@ -63,18 +63,19 @@ shorewall_start () {
|
||||
for PRODUCT in $PRODUCTS; do
|
||||
setstatedir
|
||||
|
||||
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
|
||||
if [ -x ${STATEDIR}/firewall ]; then
|
||||
#
|
||||
# Run in a sub-shell to avoid name collisions
|
||||
#
|
||||
(
|
||||
if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
|
||||
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1
|
||||
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
|
||||
${STATEDIR}/firewall ${OPTIONS} stop || exit 1
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
)
|
||||
else
|
||||
echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
@@ -95,8 +96,8 @@ shorewall_stop () {
|
||||
for PRODUCT in $PRODUCTS; do
|
||||
setstatedir
|
||||
|
||||
if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
|
||||
${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1
|
||||
if [ -x ${STATEDIR}/firewall ]; then
|
||||
${STATEDIR}/firewall ${OPTIONS} clear || exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
@@ -317,21 +317,6 @@
|
||||
<arg><replaceable>filename</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>run</option></arg>
|
||||
|
||||
<arg choice="plain">function</arg>
|
||||
|
||||
<arg><replaceable>parameter ...</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@@ -837,23 +822,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
<replaceable>command</replaceable> in the context of the generated
|
||||
script passing the supplied <replaceable>parameter</replaceable>s.
|
||||
Normally, the <replaceable>command</replaceable> will be a function
|
||||
declared in <filename>lib.private</filename>.</para>
|
||||
|
||||
<para>Before executing the <replaceable>command</replaceable>, the
|
||||
script will detect the configuration, setting all SW_* variables and
|
||||
will run your <filename>init</filename> extension script with
|
||||
$COMMAND = 'run'.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - Citrix/Goto Meeting macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Goto-Meeting
|
||||
# by Eric Teeter
|
||||
# This macro handles Citrix/Goto Meeting
|
||||
# Assumes that ports 80 and 443 are already open
|
||||
# If needed, use the macros that open Http and Https to reduce redundancy
|
||||
####################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 8200 # Goto Meeting only needed (TCP outbound)
|
||||
@@ -7570,7 +7570,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
|
||||
$exceptionrule,
|
||||
$actparms{disposition} || $disposition,
|
||||
$target ),
|
||||
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
|
||||
$terminating{$basictarget} || ( $targetref || $targetref->{complete} ),
|
||||
$matches );
|
||||
}
|
||||
|
||||
|
||||
@@ -280,42 +280,42 @@ sub generate_script_2() {
|
||||
|
||||
if ( $global_variables ) {
|
||||
|
||||
emit( 'case $COMMAND in' );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
|
||||
emit( 'case $COMMAND in' );
|
||||
|
||||
push_indent;
|
||||
|
||||
emit 'restore)';
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
|
||||
|
||||
set_global_variables(0);
|
||||
|
||||
handle_optional_interfaces(0);
|
||||
}
|
||||
|
||||
emit ';;';
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '*)';
|
||||
|
||||
push_indent;
|
||||
emit( 'start|restart|refresh|disable|enable)' );
|
||||
} else {
|
||||
emit( 'start|restart|refresh|disable|enable|restore)' );
|
||||
}
|
||||
|
||||
push_indent;
|
||||
|
||||
set_global_variables(1);
|
||||
|
||||
handle_optional_interfaces(0);
|
||||
|
||||
if ( $global_variables & NOT_RESTORE ) {
|
||||
emit ';;';
|
||||
|
||||
if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
|
||||
pop_indent;
|
||||
|
||||
emit 'restore)';
|
||||
|
||||
push_indent;
|
||||
|
||||
set_global_variables(0);
|
||||
|
||||
handle_optional_interfaces(0);
|
||||
|
||||
emit ';;';
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
emit ( 'esac' );
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
pop_indent;
|
||||
|
||||
emit ( 'esac' ) ,
|
||||
} else {
|
||||
emit( 'true' ) unless handle_optional_interfaces(1);
|
||||
}
|
||||
|
||||
@@ -3259,11 +3259,7 @@ sub expand_variables( \$ ) {
|
||||
fatal_error "Variable Expansion Loop" if ++$count > 100;
|
||||
}
|
||||
|
||||
if ( $chain ) {
|
||||
#
|
||||
# We're in an action body -- allow escaping at signs (@) for u32
|
||||
#
|
||||
$$lineref =~ s/\\@/??/g;
|
||||
if ( $actparms{0} ) {
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
@@ -3272,8 +3268,6 @@ sub expand_variables( \$ ) {
|
||||
$$lineref = join( '', $first , $val , $rest );
|
||||
fatal_error "Variable Expansion Loop" if ++$count > 100;
|
||||
}
|
||||
|
||||
$$lineref =~ s/\?\?/@/g;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -460,6 +460,9 @@ sub process_a_provider( $ ) {
|
||||
|
||||
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
|
||||
|
||||
#
|
||||
# Switch to the logical name if a physical name was passed
|
||||
#
|
||||
my $physical;
|
||||
|
||||
if ( $interface eq $interfaceref->{name} ) {
|
||||
@@ -1293,11 +1296,9 @@ sub start_providers() {
|
||||
emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
|
||||
}
|
||||
|
||||
emit_unindented 'EOF';
|
||||
emit_unindented "EOF\n";
|
||||
|
||||
emit( 'else',
|
||||
' error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"',
|
||||
"fi\n" );
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
emit ( '#',
|
||||
|
||||
@@ -818,7 +818,9 @@ sub apply_policy_rules() {
|
||||
progress_message2 'Applying Policies...';
|
||||
|
||||
for my $chainref ( @policy_chains ) {
|
||||
unless ( ( my $policy = $chainref->{policy} ) eq 'NONE' ) {
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
unless ( $policy eq 'NONE' ) {
|
||||
my $loglevel = $chainref->{loglevel};
|
||||
my $provisional = $chainref->{provisional};
|
||||
my $default = $chainref->{default};
|
||||
@@ -2374,7 +2376,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my ( $tgt, $options ) = split / /, $param;
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
$action = $param;
|
||||
} else {
|
||||
$action = '';
|
||||
@@ -2387,7 +2389,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
my ( $tgt, $options ) = split / /, $param;
|
||||
my $target_type = $builtin_target{$tgt};
|
||||
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||
fatal_error "The $tgt TARGET is not allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||
$action = $param;
|
||||
} else {
|
||||
$action = '';
|
||||
|
||||
@@ -1499,7 +1499,7 @@ sub map_physical( $$ ) {
|
||||
|
||||
$physical =~ s/\+$//;
|
||||
|
||||
$physical . substr( $name, length( $interfaceref->{root} ) );
|
||||
$physical . substr( $name, length $interfaceref->{root} );
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
@@ -17,7 +17,6 @@ usage() {
|
||||
echo " reset"
|
||||
echo " refresh"
|
||||
echo " restart"
|
||||
echo " run <command> [ <parameter> ... ]"
|
||||
echo " status"
|
||||
echo " up <interface>"
|
||||
echo " version"
|
||||
@@ -372,17 +371,6 @@ case "$COMMAND" in
|
||||
fi
|
||||
status=0
|
||||
;;
|
||||
run)
|
||||
if [ $# -gt 1 ]; then
|
||||
shift
|
||||
detect_configuration
|
||||
run_init_exit
|
||||
eval $@
|
||||
status=$?
|
||||
else
|
||||
error_message "ERROR: Missing command"
|
||||
fi
|
||||
;;
|
||||
version)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
echo $SHOREWALL_VERSION
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
#
|
||||
# Shorewall 4 - DNS Amplification Action
|
||||
#
|
||||
# /usr/share/shorewall/action.DNSAmp
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# DNSAmp[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
#
|
||||
##########################################################################################
|
||||
?format 2
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
|
||||
@@ -31,7 +31,6 @@ allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
DNSAmp # Matches one-question recursive DNS queries
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
|
||||
@@ -16,7 +16,7 @@ startup=0
|
||||
# wait_interface=
|
||||
|
||||
#
|
||||
# Global start/restart options
|
||||
# Global start/restart/stop options
|
||||
#
|
||||
OPTIONS=""
|
||||
|
||||
|
||||
@@ -1615,15 +1615,6 @@ export_command() # $* = original arguments less the command.
|
||||
fi
|
||||
}
|
||||
|
||||
run_command() {
|
||||
if [ -x ${VARDIR}/firewall ] ; then
|
||||
uptodate ${VARDIR}/firewall || echo " WARNING: ${VARDIR}/firewall is not up to date" >&2
|
||||
run_it ${VARDIR}/firewall $g_debugging $@
|
||||
else
|
||||
fatal_error "${VARDIR}/firewall does not exist or is not executable"
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
@@ -1675,7 +1666,6 @@ usage() # $1 = exit status
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " run <command> [ <parameter> ... ]"
|
||||
echo " safe-restart [ -t <timeout> ] [ <directory> ]"
|
||||
echo " safe-start [ -t <timeout> ] [ <directory> ]"
|
||||
echo " save [ <file name> ]"
|
||||
|
||||
@@ -71,8 +71,8 @@
|
||||
role="bold">raw</emphasis>. If no table name(s) are given,
|
||||
then <emphasis role="bold">filter</emphasis> is assumed. The
|
||||
table names follow <emphasis role="bold">builtin</emphasis>
|
||||
and are separated by commas; for example, "FOOBAR
|
||||
builtin,filter,mangle" would specify FOOBAR as a builtin
|
||||
and are separated by commas; for example,
|
||||
"FOOBAR,filter,mangle" would specify FOOBAR as a builtin
|
||||
target that can be used in the filter and mangle
|
||||
tables.</para>
|
||||
</listitem>
|
||||
|
||||
@@ -476,32 +476,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IPTABLES({<replaceable>iptables-target</replaceable>
|
||||
<term>IPTABLES({<replaceable>target</replaceable>
|
||||
[<replaceable>option</replaceable> ...])</term>
|
||||
|
||||
<listitem>
|
||||
<para>This action allows you to specify an iptables target
|
||||
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
|
||||
the <replaceable>iptables-target</replaceable> is not one
|
||||
recognized by Shorewall, the following error message will be
|
||||
issued:</para>
|
||||
the target is not one recognized by Shorewall, the following
|
||||
error message will be issued:</para>
|
||||
|
||||
<programlisting> ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
|
||||
<simplelist>
|
||||
<member>ERROR: Unknown target
|
||||
(<replaceable>target</replaceable>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>iptables-</replaceable><replaceable>target</replaceable>
|
||||
as a builtin action in <ulink
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
|
||||
<important>
|
||||
<para>If you specify REJECT as the
|
||||
<replaceable>iptables-target</replaceable>, the target of
|
||||
the rule will be the iptables REJECT target and not
|
||||
Shorewall's builtin 'reject' chain which is used when REJECT
|
||||
(see below) is specified as the
|
||||
<replaceable>target</replaceable> in the ACTION
|
||||
column.</para>
|
||||
</important>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -457,21 +457,6 @@
|
||||
<arg><replaceable>filename</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>run</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>command</replaceable></arg>
|
||||
|
||||
<arg><replaceable>parameter ...</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@@ -1424,32 +1409,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
<replaceable>command</replaceable> in the context of the generated
|
||||
script passing the supplied <replaceable>parameter</replaceable>s.
|
||||
Normally, the <replaceable>command</replaceable> will be a function
|
||||
declared in <filename>lib.private</filename>.</para>
|
||||
|
||||
<para>Before executing the <replaceable>command</replaceable>, the
|
||||
script will detect the configuration, setting all SW_* variables and
|
||||
will run your <filename>init</filename> extension script with
|
||||
$COMMAND = 'run'.</para>
|
||||
|
||||
<para>If there are files in the CONFIG_PATH that were modified after
|
||||
the current firewall script was generated, the following warning
|
||||
message is issued:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>WARNING: /var/lib/shorewall/firewall is not up to
|
||||
date</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-restart</emphasis></term>
|
||||
|
||||
|
||||
@@ -317,21 +317,6 @@
|
||||
<arg><replaceable>filename</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>run</option></arg>
|
||||
|
||||
<arg choice="plain">command</arg>
|
||||
|
||||
<arg><replaceable>parameter ...</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@@ -835,23 +820,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
<replaceable>command</replaceable> in the context of the generated
|
||||
script passing the supplied <replaceable>parameter</replaceable>s.
|
||||
Normally, the <replaceable>command</replaceable> will be a function
|
||||
declared in <filename>lib.private</filename>.</para>
|
||||
|
||||
<para>Before executing the command, the script will detect the
|
||||
configuration, setting all SW_* variables and will run your
|
||||
<filename>init</filename> extension script with $COMMAND =
|
||||
'run'.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">save</emphasis></term>
|
||||
|
||||
|
||||
@@ -71,10 +71,9 @@
|
||||
role="bold">mangle</emphasis> and <emphasis
|
||||
role="bold">raw</emphasis>. If no table name(s) are given,
|
||||
then <emphasis role="bold">filter</emphasis> is assumed. The
|
||||
table names follow <emphasis role="bold">builtin</emphasis>
|
||||
and are separated by commas; for example, "FOOBAR
|
||||
builtin,filter,mangle" would specify FOOBAR as a builtin
|
||||
target that can be used in the filter and mangle
|
||||
table names follow builtin and are separated by commas; for
|
||||
example, "FOOBAR,filter,mangle" would specify FOOBAR as a
|
||||
builtin target that can be used in the filter and mangle
|
||||
tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -450,33 +450,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
|
||||
<term>IP6TABLES({<replaceable>target</replaceable>
|
||||
[<replaceable>option</replaceable> ...])</term>
|
||||
|
||||
<listitem>
|
||||
<para>This action allows you to specify an ip6tables target
|
||||
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
|
||||
the <replaceable>ip6tables-target</replaceable> is not one
|
||||
recognized by Shorewall, the following error message will be
|
||||
issued:</para>
|
||||
<para>This action allows you to specify an iptables target
|
||||
with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
|
||||
If the target is not one recognized by Shorewall, the
|
||||
following error message will be issued:</para>
|
||||
|
||||
<programlisting> ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
|
||||
<simplelist>
|
||||
<member>ERROR: Unknown target
|
||||
(<replaceable>target</replaceable>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>This error message may be eliminated by adding
|
||||
the<replaceable>
|
||||
ip6tables-</replaceable><replaceable>target</replaceable> as a
|
||||
builtin action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
|
||||
<important>
|
||||
<para>If you specify REJECT as the
|
||||
<replaceable>ip6tables-target</replaceable>, the target of
|
||||
the rule will be the i6ptables REJECT target and not
|
||||
Shorewall's builtin 'reject' chain which is used when REJECT
|
||||
(see below) is specified as the
|
||||
<replaceable>target</replaceable> in the ACTION
|
||||
column.</para>
|
||||
</important>
|
||||
<para>This error message may be eliminated by adding the
|
||||
<replaceable>target</replaceable> as a builtin action in
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -406,21 +406,6 @@
|
||||
<arg><replaceable>filename</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>run</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>command</replaceable></arg>
|
||||
|
||||
<arg><replaceable>parameter ...</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@@ -1305,33 +1290,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">run</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.3. Executes
|
||||
<replaceable>command</replaceable> in the context of the generated
|
||||
script passing the supplied <replaceable>parameter</replaceable>s.
|
||||
Normally, the <replaceable>command</replaceable> will be a function
|
||||
declared in <filename>lib.private</filename>.</para>
|
||||
|
||||
<para>Before executing the <replaceable>command</replaceable>, the
|
||||
script will detect the configuration, setting all SW_* variables and
|
||||
will run your <filename>init</filename> extension script with
|
||||
$COMMAND = 'run'.</para>
|
||||
|
||||
<para>If there are files in the CONFIG_PATH that were modified after
|
||||
the current firewall script was generated, the following warning
|
||||
message is issued before the script's run command is
|
||||
executed:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>WARNING: /var/lib/shorewall6/firewall is not up to
|
||||
date</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-restart</emphasis></term>
|
||||
|
||||
|
||||
@@ -164,7 +164,7 @@
|
||||
<section>
|
||||
<title>build</title>
|
||||
|
||||
<para>This is the script that builds Shorewall 4.6 packages from
|
||||
<para>This is the script that builds Shorewall 4.4 packages from
|
||||
Git.</para>
|
||||
|
||||
<para>The script copies content from Git using the <command>git
|
||||
@@ -220,7 +220,7 @@
|
||||
<para>You should ensure that you have the latest scripts. The scripts
|
||||
change periodically as we move through the release cycles.</para>
|
||||
|
||||
<para>The build46 script may need to be modified to fit your particular
|
||||
<para>The build44 script may need to be modified to fit your particular
|
||||
environment. There are a number of variables that are set near the top
|
||||
of the file:</para>
|
||||
|
||||
@@ -270,12 +270,10 @@
|
||||
</variablelist>
|
||||
|
||||
<para>The scripts assume that there will be a separate <firstterm>build
|
||||
directory</firstterm> per major release.</para>
|
||||
directory</firstterm> per major release. To build a release, you cd to
|
||||
the appropriate directory and run the build script.</para>
|
||||
|
||||
<para>To build a release, you cd to the appropriate directory and run
|
||||
the build46 script.</para>
|
||||
|
||||
<para>The general form of the build46 command is:</para>
|
||||
<para>The general form of the build command is:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build</command> [ -<replaceable>options</replaceable> ]
|
||||
@@ -403,13 +401,13 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>build45 and build46</title>
|
||||
<title>build45</title>
|
||||
|
||||
<para>These are the scripts that respectively build Shorewall 4.5 and
|
||||
Shorewall 4.6 packages from Git.</para>
|
||||
<para>This is the script that builds Shorewall 4.5 packages from
|
||||
Git.</para>
|
||||
|
||||
<para>The scripts copy content from Git using the <command>git
|
||||
archive</command> command. They then use that content to build the
|
||||
<para>The script copies content from Git using the <command>git
|
||||
archive</command> command. It then uses that content to build the
|
||||
packages. In addition to the usual Gnu utilities, the following software
|
||||
is required:</para>
|
||||
|
||||
@@ -453,7 +451,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Required to convert the XML manpages to manpages. Be sure
|
||||
that you have a recent version; I use 0.0.25.</para>
|
||||
that you have a recent version; I use 0.0.23.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -461,7 +459,7 @@
|
||||
<para>You should ensure that you have the latest scripts. The scripts
|
||||
change periodically as we move through the release cycles.</para>
|
||||
|
||||
<para>The scripts may need to be modified to fit your particular
|
||||
<para>The build44 script may need to be modified to fit your particular
|
||||
environment. There are a number of variables that are set near the top
|
||||
of the file:</para>
|
||||
|
||||
@@ -511,17 +509,14 @@
|
||||
</variablelist>
|
||||
|
||||
<para>The scripts assume that there will be a separate <firstterm>build
|
||||
directory</firstterm> per major release. Each build directory should
|
||||
contain the empty file <filename>shorewall-pkg.config</filename>; that
|
||||
file is no longer used but has been retained just as a guard against
|
||||
initiating a build in an unintended directory. To build a release, you
|
||||
cd to the appropriate directory and run the build script.</para>
|
||||
directory</firstterm> per major release. To build a release, you cd to
|
||||
the appropriate directory and run the build script.</para>
|
||||
|
||||
<para>The general form of the build command is:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build</command>4x [ -<replaceable>options</replaceable>
|
||||
] <replaceable>release</replaceable> [ <replaceable>prior
|
||||
<para><command>build</command> [ -<replaceable>options</replaceable> ]
|
||||
<replaceable>release</replaceable> [ <replaceable>prior
|
||||
release</replaceable> ]</para>
|
||||
</blockquote>
|
||||
|
||||
@@ -637,8 +632,8 @@
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Example 1 - Build Shorewall 4.5.7 and generate patches against
|
||||
4.5.6:</para>
|
||||
<para>Example 1 - Build Shorewall 4.3.7 and generate patches against
|
||||
4.3.6:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>build45 4.5.7 4.5.6</command></para>
|
||||
|
||||
@@ -710,7 +710,7 @@
|
||||
up.</para>
|
||||
</section>
|
||||
|
||||
<section id="masq">
|
||||
<section>
|
||||
<title>./etc/shorewall/masq and Multi-ISP</title>
|
||||
|
||||
<para>If you masquerade a local network, you will need to add masquerade
|
||||
@@ -976,6 +976,51 @@ eth1 0.0.0.0/0 130.252.99.27
|
||||
eth3 0.0.0.0/0 16.105.78.4</programlisting></para>
|
||||
</section>
|
||||
|
||||
<section id="Local">
|
||||
<title>Applications running on the Firewall -making them use a
|
||||
particular provider</title>
|
||||
|
||||
<para>As <link linkend="Applications">noted above</link>, separate
|
||||
entries in <filename>/etc/shorewall/mangle</filename> are required for
|
||||
traffic originating from the firewall.</para>
|
||||
|
||||
<para>Experience has shown that in some cases, problems occur with
|
||||
applications running on the firewall itself. This is especially true
|
||||
when you have specified <emphasis role="bold">routefilter</emphasis> on
|
||||
your external interfaces in /etc/shorewall/interfaces (see <link
|
||||
linkend="Martians">above</link>). When this happens, it is suggested
|
||||
that you have the application use specific local IP addresses rather
|
||||
than 0.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Squid: In <filename>squid.conf</filename>, set <emphasis
|
||||
role="bold">tcp_outgoing_address</emphasis> to the IP address of the
|
||||
interface that you want Squid to use.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In OpenVPN, set <emphasis role="bold">local
|
||||
</emphasis>(<emphasis role="bold">--local</emphasis> on the command
|
||||
line) to the IP address that you want the server to receive
|
||||
connections on.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Note that some traffic originating on the firewall doesn't have a
|
||||
SOURCE IP address before routing. At least one Shorewall user reports
|
||||
that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
|
||||
in the SOURCE column seems to be the most reliable way to direct such
|
||||
traffic to a particular ISP.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
lo - shorewall 1000</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="rtrules">
|
||||
<title>/etc/shorewall/rtrules (formerly
|
||||
/etc/shorewall/route_rules)</title>
|
||||
@@ -1141,51 +1186,6 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Local">
|
||||
<title>Applications running on the Firewall - making them use a
|
||||
particular provider</title>
|
||||
|
||||
<para>As <link linkend="Applications">noted above</link>, separate
|
||||
entries in <filename>/etc/shorewall/mangle</filename> are required for
|
||||
traffic originating from the firewall.</para>
|
||||
|
||||
<para>Experience has shown that in some cases, problems occur with
|
||||
applications running on the firewall itself. This is especially true
|
||||
when you have specified <emphasis role="bold">routefilter</emphasis> on
|
||||
your external interfaces in /etc/shorewall/interfaces (see <link
|
||||
linkend="Martians">above</link>). When this happens, it is suggested
|
||||
that you have the application use specific local IP addresses rather
|
||||
than 0.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Squid: In <filename>squid.conf</filename>, set <emphasis
|
||||
role="bold">tcp_outgoing_address</emphasis> to the IP address of the
|
||||
interface that you want Squid to use.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In OpenVPN, set <emphasis role="bold">local
|
||||
</emphasis>(<emphasis role="bold">--local</emphasis> on the command
|
||||
line) to the IP address that you want the server to receive
|
||||
connections on.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Note that some traffic originating on the firewall doesn't have a
|
||||
SOURCE IP address before routing. At least one Shorewall user reports
|
||||
that an entry in <filename>/etc/shorewall/rtrules</filename> with 'lo'
|
||||
in the SOURCE column seems to be the most reliable way to direct such
|
||||
traffic to a particular ISP.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
lo - shorewall 1000</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="routes">
|
||||
<title>/etc/shorewall/routes File</title>
|
||||
|
||||
@@ -2123,11 +2123,6 @@ net eth1 detect <emphasis role="bold">optional</emphasis><
|
||||
later.</para>
|
||||
</warning>
|
||||
|
||||
<para><filename>/etc/shorewall/params:</filename></para>
|
||||
|
||||
<programlisting>EXT_IF=eth0
|
||||
COM_IF=eth1</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
||||
|
||||
<programlisting>local status=0
|
||||
|
||||
@@ -388,31 +388,122 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
|
||||
details.</para>
|
||||
</section>
|
||||
|
||||
<section id="capabilities">
|
||||
<title>Capabilities</title>
|
||||
<section id="COMMENT">
|
||||
<title>Attach Comment to Netfilter Rules</title>
|
||||
|
||||
<para>Shorewall probes your system to determine the features that it
|
||||
supports. The result of this probing is a set of
|
||||
<firstterm>capabilities</firstterm>. This probing is normally done each
|
||||
time that the compiler is run but can also be done by executing the
|
||||
<command>shorewall show capabilities</command> command. Regardless of
|
||||
whether the compiler or the command does the probing, this probing may
|
||||
produce error messages in your system log. These log messages are to be
|
||||
expected and do not represent a problem; they merely indicate that
|
||||
capabilities that are being probed are not supported on your
|
||||
system.</para>
|
||||
<para>If you kernel and iptables contain comment match support (see the
|
||||
output of <command>shorewall show capabilities</command>), then you can
|
||||
attach comments to Netfilter rules. This feature is available in the
|
||||
following files:</para>
|
||||
|
||||
<para>Probing may be suppressed by using a <firstterm>capabilities
|
||||
file</firstterm>. A capabilities file may be generated using this
|
||||
command:</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/conntrack</filename> (formerly
|
||||
<filename>/etc/shorewall/notrack</filename>)</para>
|
||||
</listitem>
|
||||
|
||||
<programlisting><command>shorewall show -f capabilities > /etc/shorewall/capabilities</command></programlisting>
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/accounting</filename></para>
|
||||
</listitem>
|
||||
|
||||
<important>
|
||||
<para>If you use a capabilities file, be sure to regenerate it after you
|
||||
have performed a Shorewall upgrade to ensure that all current
|
||||
capabilities have been recorded in your file.</para>
|
||||
</important>
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/masq</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/nat</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/rules</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/secmarks</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/tcrules</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/tunnels</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Action definition files
|
||||
(<filename>/etc/shorewall/action.*</filename>)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Macro definition files (/etc/shorewall/macro.*)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>To attach a comment to one or more rules, insert a record above the
|
||||
rules that begins with the word ?COMMENT (must be in all caps). The
|
||||
remainder of the line is treated as a comment -- that comment will appear
|
||||
delimited by "/* ... */" in the output of the <command>shorewall[-lite]
|
||||
show</command> and <command>shorewall[-lite] dump</command> commands. The
|
||||
comment will be attached to each generated rule until another ?COMMENT
|
||||
line appears. To stop attaching comments to rules, simply insert a line
|
||||
that contains the single word ?COMMENT.</para>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>?COMMENT Stop NETBIOS noise
|
||||
|
||||
REJECT loc net tcp 137,445
|
||||
REJECT loc net udp 137:139
|
||||
|
||||
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
|
||||
DROP loc:!192.168.0.0/22 net
|
||||
|
||||
?COMMENT</programlisting>
|
||||
|
||||
<para>Here's the corresponding output from
|
||||
<filename>/sbin/shorewall-lite</filename>:</para>
|
||||
|
||||
<programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
|
||||
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
|
||||
|
||||
Counters reset Mon Oct 16 14:52:17 PDT 2006
|
||||
|
||||
Chain loc-net (1 references)
|
||||
pkts bytes target prot opt in out source destination
|
||||
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
|
||||
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031
|
||||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,445 <emphasis
|
||||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 <emphasis
|
||||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||||
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 <emphasis
|
||||
role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
|
||||
5 316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||
gateway:~ #
|
||||
|
||||
</programlisting>
|
||||
|
||||
<para>?COMMENT lines in macro files work somewhat differently from other
|
||||
files. ?COMMENT lines in macros are ignored if COMMENT support is not
|
||||
available or if there was a COMMENT in use when the top-level macro was
|
||||
invoked. This allows the following:</para>
|
||||
|
||||
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
?COMMENT SSH
|
||||
PARAM - - tcp 22 </programlisting>
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
|
||||
SSH(ACCEPT) net:$MYIP $FW
|
||||
?COMMENT</programlisting>The comment line in macro.SSH will not override the
|
||||
?COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||||
the Shorewall show and dump commands.</para>
|
||||
</section>
|
||||
|
||||
<section id="BlankColumn">
|
||||
@@ -535,11 +626,9 @@ ACCEPT net:\
|
||||
port:1024</emphasis></member>
|
||||
</simplelist>
|
||||
|
||||
<important>
|
||||
<para>That usage is deprecated beginning with Shorewall 4.6.0. See
|
||||
the INLINE_MATCHES option in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</important>
|
||||
<para>That usage is deprecated beginning with Shorewall 4.6.0. See the
|
||||
INLINE_MATCHES option in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -1091,7 +1180,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
<section>
|
||||
<title>?FORMAT Directive</title>
|
||||
|
||||
<para>A number of configuration files support multiple formats. Prior to
|
||||
<para>A number of different files support multiple formats. Prior to
|
||||
Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as
|
||||
the first token. This requires each of the file processors to handle
|
||||
FORMAT separately.</para>
|
||||
@@ -1195,16 +1284,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
centralize processing of COMMENT directives. The old entries, while still
|
||||
supported, are now deprecated.</para>
|
||||
|
||||
<para>Use of this directive requires Comment support in your kernel and
|
||||
iptables - see the output of <command><link
|
||||
linkend="capabilities">shorewall show
|
||||
capabilities</link></command>.</para>
|
||||
|
||||
<para>The ?COMMENT directive is as follows:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
<term>COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <replaceable>comment</replaceable> is present, it will
|
||||
@@ -1215,69 +1299,13 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>?COMMENT Stop NETBIOS noise
|
||||
|
||||
REJECT loc net tcp 137,445
|
||||
REJECT loc net udp 137:139
|
||||
|
||||
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
|
||||
DROP loc:!192.168.0.0/22 net
|
||||
|
||||
?COMMENT</programlisting>
|
||||
|
||||
<para>Here's the corresponding output from
|
||||
<filename>/sbin/shorewall-lite</filename>:</para>
|
||||
|
||||
<programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
|
||||
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
|
||||
|
||||
Counters reset Mon Oct 16 14:52:17 PDT 2006
|
||||
|
||||
Chain loc-net (1 references)
|
||||
pkts bytes target prot opt in out source destination
|
||||
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
|
||||
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
|
||||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1025:1031
|
||||
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,445 <emphasis
|
||||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||||
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 <emphasis
|
||||
role="bold">/* Stop NETBIOS noise */</emphasis>
|
||||
0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0 <emphasis
|
||||
role="bold">/* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */</emphasis>
|
||||
5 316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||
gateway:~ #
|
||||
|
||||
</programlisting>
|
||||
|
||||
<para>?COMMENT lines in macro files work somewhat differently from other
|
||||
files. ?COMMENT lines in macros are ignored if COMMENT support is not
|
||||
available or if there was a COMMENT in use when the top-level macro was
|
||||
invoked. This allows the following:</para>
|
||||
|
||||
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
?COMMENT SSH
|
||||
PARAM - - tcp 22 </programlisting>
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
|
||||
SSH(ACCEPT) net:$MYIP $FW
|
||||
?COMMENT</programlisting>The comment line in macro.SSH will not override the
|
||||
?COMMENT line in the rules file and the generated rule will show <emphasis
|
||||
role="bold">/* Allow SSH from home */</emphasis> when displayed through
|
||||
the Shorewall show and dump commands.</para>
|
||||
</section>
|
||||
|
||||
<section id="CONFIG_PATH">
|
||||
<title>CONFIG_PATH</title>
|
||||
|
||||
<para>The CONFIG_PATH option in shorewall.conf determines where the
|
||||
compiler searches for configuration files. The default setting is
|
||||
compiler searches for files. The default setting is
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
|
||||
compiler first looks in /etc/shorewall and if it doesn't find the file, it
|
||||
then looks in /usr/share/shorewall.</para>
|
||||
@@ -2122,8 +2150,8 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
ACCEPT loc fw tcp 22
|
||||
ACCEPT dmz fw tcp 22</programlisting></para>
|
||||
|
||||
<para>Perl scripts run in the context of the compiler process using Perl's
|
||||
eval() function. Perl scripts are implicitly prefixed by the
|
||||
<para>Perl scripts run in the context of the compiler process using
|
||||
Perl's eval() function. Perl scripts are implicitly prefixed by the
|
||||
following:</para>
|
||||
|
||||
<programlisting>package Shorewall::User;
|
||||
|
||||
@@ -466,12 +466,6 @@ cat -</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Shell variables used in extension scripts must follow the same
|
||||
rules as those in<filename> /etc/shorewall/params</filename>. See
|
||||
<ulink url="???">this article</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
|
||||
Reference in New Issue
Block a user