forked from extern/shorewall_code
Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
e7315b8e0e | ||
|
|
c58611f7fb |
@@ -191,8 +191,6 @@ setup_logread() {
|
||||
else
|
||||
g_logread="logread"
|
||||
fi
|
||||
elif [ "$LOGFILE" = "systemd" ]; then
|
||||
g_logread="journalctl -r"
|
||||
elif [ -r $LOGFILE ]; then
|
||||
if qt mywhich tac; then
|
||||
g_logread="tac $LOGFILE"
|
||||
@@ -2524,46 +2522,21 @@ hits_command() {
|
||||
# 'allow' command executor
|
||||
#
|
||||
allow_command() {
|
||||
|
||||
[ -n "$g_debugging" ] && set -x
|
||||
[ $# -eq 1 ] && missing_argument
|
||||
|
||||
if product_is_started ; then
|
||||
local allowed
|
||||
local which
|
||||
which='-s'
|
||||
local range
|
||||
range='--src-range'
|
||||
local dynexists
|
||||
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
|
||||
case ${IPSET:=ipset} in
|
||||
*/*)
|
||||
if [ ! -x "$IPSET" ]; then
|
||||
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
IPSET="$(mywhich $IPSET)"
|
||||
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
dynexists=Yes
|
||||
elif [ -z "$g_blacklistipset" ]; then
|
||||
if ! chain_exists dynamic; then
|
||||
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
|
||||
fi
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
|
||||
allowed=''
|
||||
|
||||
case $1 in
|
||||
from)
|
||||
which='-s'
|
||||
@@ -2576,48 +2549,29 @@ allow_command() {
|
||||
continue
|
||||
;;
|
||||
*-*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$g_blacklistipset" ]; then
|
||||
if qt $IPSET -D $g_blacklistipset $1; then
|
||||
allowed=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$dynexists" ]; then
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
if qt $g_tool -D dynamic $which $1 -j reject ||\
|
||||
qt $g_tool -D dynamic $which $1 -j DROP ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logdrop ||\
|
||||
qt $g_tool -D dynamic $which $1 -j logreject
|
||||
then
|
||||
allowed=Yes
|
||||
fi
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$allowed" ]; then
|
||||
progress_message2 "$1 Allowed"
|
||||
else
|
||||
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
|
||||
fi
|
||||
done
|
||||
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
else
|
||||
error_message "ERROR: $g_product is not started"
|
||||
@@ -3553,7 +3507,7 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -7,15 +7,15 @@ PREFIX=/usr #Top-level directory for s
|
||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
||||
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
|
||||
PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2 #Directory to install Shorewall Perl module directory
|
||||
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
||||
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
||||
INITFILE= #Name of the product's SysV init script
|
||||
INITFILE=$PRODUCT #Name of the product's SysV init script
|
||||
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
||||
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
# Required-Stop: $local_fs
|
||||
# X-Stop-After: $network
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Initialize the firewall at boot time
|
||||
# Description: Place the firewall in a safe state at boot time prior to
|
||||
# bringing up the network
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall-lite
|
||||
@@ -92,11 +92,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -702,9 +702,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -5220,8 +5220,6 @@ sub do_user( $ ) {
|
||||
|
||||
if ( supplied $2 ) {
|
||||
$user = $2;
|
||||
$user =~ s/:$//;
|
||||
|
||||
if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
|
||||
if ( supplied $2 ) {
|
||||
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
|
||||
|
||||
@@ -165,7 +165,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
directive_callback
|
||||
add_ipset
|
||||
all_ipsets
|
||||
transfer_permissions
|
||||
|
||||
$product
|
||||
$Product
|
||||
@@ -5090,19 +5089,6 @@ sub update_default($$) {
|
||||
$config{$var} = $val unless defined $config{$var};
|
||||
}
|
||||
|
||||
#
|
||||
# Transfer the permissions from an old .bak file to a newly-created file
|
||||
#
|
||||
sub transfer_permissions( $$ ) {
|
||||
my ( $old, $new ) = @_;
|
||||
|
||||
my @stat = stat $old;
|
||||
|
||||
if ( @stat ) {
|
||||
fatal_error "Can't transfer permissions from $old to $new" unless chmod( $stat[2] & 0777, $new );
|
||||
}
|
||||
}
|
||||
|
||||
sub update_config_file( $ ) {
|
||||
my ( $annotate ) = @_;
|
||||
|
||||
@@ -5252,7 +5238,6 @@ EOF
|
||||
|
||||
if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
|
||||
progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
|
||||
transfer_permissions( "$configfile.bak", $configfile );
|
||||
} else {
|
||||
if ( rename "$configfile.bak", $configfile ) {
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
|
||||
@@ -6200,10 +6185,8 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
|
||||
}
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||
}
|
||||
|
||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||
|
||||
@@ -200,7 +200,6 @@ sub remove_blacklist( $ ) {
|
||||
if ( $changed ) {
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||
transfer_permissions( "$fn.bak", $fn );
|
||||
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||
}
|
||||
}
|
||||
@@ -309,7 +308,6 @@ sub convert_blacklist() {
|
||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $blrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5.0 - Blacklist Rules File
|
||||
@@ -403,7 +401,6 @@ sub convert_routestopped() {
|
||||
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
print $stoppedrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5 - Stopped Rules File
|
||||
@@ -869,30 +866,15 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
|
||||
|
||||
my ( $in, $out ) = split /:/, $setting;
|
||||
|
||||
if ( $in == 1 ) {
|
||||
#
|
||||
# src
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
} elsif ( $in == 2 ) {
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
|
||||
if ( $out == 2 ) {
|
||||
#
|
||||
# dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
|
||||
@@ -369,18 +369,11 @@ sub setup_conntrack($) {
|
||||
my $conntrack;
|
||||
my $empty = 1;
|
||||
my $date = compiletime;
|
||||
my $fn1 = find_writable_file 'conntrack';
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $conntrack, '>>', $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
if ( $fn ) {
|
||||
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
} else {
|
||||
open $conntrack, '>' , $fn1 or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
#
|
||||
# Transfer permissions from the existing notrack file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
|
||||
|
||||
print $conntrack <<'EOF';
|
||||
#
|
||||
@@ -403,6 +396,8 @@ EOF
|
||||
"# Rules generated from notrack file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||
"#\n" );
|
||||
|
||||
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
|
||||
|
||||
while ( read_a_line( PLAIN_READ ) ) {
|
||||
#
|
||||
# Don't copy the header comments from the old notrack file
|
||||
|
||||
@@ -4749,6 +4749,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
unless ( ( $chain || $default_chain ) == OUTPUT ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
if ( $dest ne '-' ) {
|
||||
if ( $dest eq $fw ) {
|
||||
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
|
||||
@@ -4791,7 +4795,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
fatal_error "Duplicate STATE ($_)" if $state{$_}++;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Call the command's processing function
|
||||
#
|
||||
@@ -4802,23 +4805,12 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $chain == ACTIONCHAIN ) {
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chainref->{allowedchains};
|
||||
$chainref->{allowedchains} &= $commandref->{allowedchains};
|
||||
$chainref->{allowedchains} &= (OUTPUT | POSTROUTING ) if $user ne '-';
|
||||
} else {
|
||||
#
|
||||
# Inline within one of the standard chains
|
||||
#
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$resolve_chain->();
|
||||
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
|
||||
unless ( $chain == OUTPUT || $chain == POSTROUTING ) {
|
||||
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
|
||||
}
|
||||
|
||||
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
|
||||
}
|
||||
|
||||
@@ -4984,13 +4976,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
$mark = $rest;
|
||||
} elsif ( supplied $2 ) {
|
||||
$mark = $2;
|
||||
if ( supplied $mark && $command eq 'IPMARK' ) {
|
||||
my @params = split ',', $mark;
|
||||
$params[1] = '0xff' unless supplied $params[1];
|
||||
$params[2] = '0x00' unless supplied $params[2];
|
||||
$params[3] = '0' unless supplied $params[3];
|
||||
$mark = join ',', @params;
|
||||
}
|
||||
} else {
|
||||
$mark = '';
|
||||
}
|
||||
@@ -5001,7 +4986,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$command = ( $command ? supplied $mark ? "$command($mark)" : $command : $mark ) . $designator;
|
||||
$command = ( $command ? "$command($mark)" : $mark ) . $designator;
|
||||
my $line = ( $family == F_IPV6 ?
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$headers\t$probability\t$dscp\t$state" :
|
||||
"$command\t$source\t$dest\t$proto\t$ports\t$sports\t$user\t$testval\t$length\t$tos\t$connbytes\t$helper\t$probability\t$dscp\t$state" );
|
||||
|
||||
@@ -2234,19 +2234,13 @@ sub convert_tos($$) {
|
||||
}
|
||||
}
|
||||
|
||||
sub open_mangle_for_output( $ ) {
|
||||
my ($fn ) = @_;
|
||||
sub open_mangle_for_output() {
|
||||
my ( $mangle, $fn1 );
|
||||
|
||||
if ( -f ( $fn1 = find_writable_file( 'mangle' ) ) ) {
|
||||
open( $mangle , '>>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
} else {
|
||||
open( $mangle , '>', $fn1 ) || fatal_error "Unable to open $fn1:$!";
|
||||
#
|
||||
# Transfer permissions from the existing tcrules file to the new mangle file
|
||||
#
|
||||
transfer_permissions( $fn, $fn1 );
|
||||
|
||||
print $mangle <<'EOF';
|
||||
#
|
||||
# Shorewall version 4 - Mangle File
|
||||
@@ -2332,7 +2326,7 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tcrules file to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
|
||||
directive_callback( sub () { print $mangle "$_[1]\n" unless $_[0] eq 'FORMAT'; 0; } );
|
||||
|
||||
@@ -2382,7 +2376,7 @@ sub setup_tc( $ ) {
|
||||
#
|
||||
# We are going to convert this tosfile to the equivalent mangle file
|
||||
#
|
||||
( $mangle, $fn1 ) = open_mangle_for_output( $fn );
|
||||
( $mangle, $fn1 ) = open_mangle_for_output;
|
||||
convert_tos( $mangle, $fn1 );
|
||||
close $mangle;
|
||||
}
|
||||
|
||||
@@ -337,7 +337,6 @@ sub initialize( $$ ) {
|
||||
arp_ignore => ENUM_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
@@ -388,7 +387,6 @@ sub initialize( $$ ) {
|
||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dbl => ENUM_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
@@ -1193,7 +1191,6 @@ sub process_interface( $$ ) {
|
||||
my %options;
|
||||
|
||||
$options{port} = 1 if $port;
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
|
||||
my $hostoptionsref = {};
|
||||
|
||||
@@ -1237,8 +1234,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} elsif ( $option eq 'nodbl' ) {
|
||||
$options{dbl} = '0:0';
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
@@ -1261,11 +1256,6 @@ sub process_interface( $$ ) {
|
||||
} else {
|
||||
$options{arp_ignore} = 1;
|
||||
}
|
||||
} elsif ( $option eq 'dbl' ) {
|
||||
my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
|
||||
|
||||
fatal_error q(The 'dbl' option requires a value) unless defined $value;
|
||||
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
|
||||
} else {
|
||||
assert( 0 );
|
||||
}
|
||||
@@ -1916,7 +1906,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
my $returnvalue = 0;
|
||||
|
||||
my $interfaces = find_interfaces_by_option( 'wait');
|
||||
my $interfaces = find_interfaces_by_option 'wait';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
my $first = 1;
|
||||
@@ -1982,7 +1972,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
}
|
||||
|
||||
$interfaces = find_interfaces_by_option( 'required' );
|
||||
$interfaces = find_interfaces_by_option 'required';
|
||||
|
||||
if ( @$interfaces ) {
|
||||
|
||||
@@ -2170,7 +2160,7 @@ sub process_host( ) {
|
||||
#
|
||||
$interface = '%vserver%' if $type & VSERVER;
|
||||
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
|
||||
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 1 );
|
||||
|
||||
progress_message " Host \"$currentline\" validated";
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall
|
||||
@@ -97,11 +97,10 @@ shorewall_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall_stop () {
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
@@ -146,7 +145,7 @@ case "$1" in
|
||||
restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
force-reload|reload)
|
||||
force0reload|reload)
|
||||
shorewall_reload
|
||||
;;
|
||||
status)
|
||||
|
||||
@@ -306,72 +306,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The normal setting for this option will be <emphasis
|
||||
role="bold">dst</emphasis> or <emphasis
|
||||
role="bold">none</emphasis> for internal interfaces and
|
||||
<emphasis role="bold">src</emphasis> or <emphasis
|
||||
role="bold">src-dst</emphasis> for Internet-facing
|
||||
interfaces.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -414,7 +348,7 @@ loc eth2 -</programlisting>
|
||||
url="../bridge-Shorewall-perl.html">Shorewall-perl for
|
||||
firewall/bridging</ulink>, then you need to include
|
||||
DHCP-specific rules in <ulink
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).
|
||||
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(8).
|
||||
DHCP uses UDP ports 67 and 68.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@@ -446,7 +380,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -517,8 +451,8 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold"><emphasis
|
||||
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||
@@ -559,10 +493,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -1354,7 +1354,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall program where to look
|
||||
@@ -1364,10 +1364,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. For further information, see <ulink
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
|
||||
Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -964,9 +964,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6-lite
|
||||
@@ -92,11 +92,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 Lite firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 Lite firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -679,9 +679,7 @@
|
||||
<para>Re-enables receipt of packets from hosts previously
|
||||
blacklisted by a <command>drop</command>,
|
||||
<command>logdrop</command>, <command>reject</command>, or
|
||||
<command>logreject</command> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
<command>logreject</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
# Required-Start: $network $remote_fs
|
||||
# Required-Stop: $network $remote_fs
|
||||
# Default-Start: S
|
||||
# Default-Stop: 0 1 6
|
||||
# Default-Stop: 0 6
|
||||
# Short-Description: Configure the firewall at boot time
|
||||
# Description: Configure the firewall according to the rules specified in
|
||||
# /etc/shorewall6
|
||||
@@ -97,11 +97,10 @@ shorewall6_start () {
|
||||
|
||||
# stop the firewall
|
||||
shorewall6_stop () {
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
if [ "$SAFESTOP" = 1 ]; then
|
||||
echo -n "Stopping \"Shorewall6 firewall\": "
|
||||
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
else
|
||||
echo -n "Clearing all \"Shorewall6 firewall\" rules: "
|
||||
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -237,66 +237,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.10. This option defined whether
|
||||
or not dynamic blacklisting is applied to packets entering the
|
||||
firewall through this interface and whether the source address
|
||||
and/or destination address is to be compared against the
|
||||
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
|
||||
<ulink
|
||||
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
|
||||
The default is determine by the setting of
|
||||
DYNAMIC_BLACKLIST:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=No</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">none</emphasis>
|
||||
(e.g., no dynamic blacklist checking).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=Yes</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis role="bold">src</emphasis>
|
||||
(e.g., the source IP address is checked against the
|
||||
ipset).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
|
||||
|
||||
<listitem>
|
||||
<para>Default is <emphasis
|
||||
role="bold">src-dst</emphasis> (e.g., the source IP
|
||||
addresses in checked against the ipset on input and the
|
||||
destination IP address is checked against the ipset on
|
||||
packets originating from the firewall and leaving
|
||||
through this interface).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">destonly</emphasis></term>
|
||||
|
||||
@@ -381,7 +321,7 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">loopback</emphasis></term>
|
||||
<term>loopback</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||
@@ -430,10 +370,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface. Beginning with
|
||||
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
|
||||
equivalent to <emphasis
|
||||
role="bold">dbl=none</emphasis>.</para>
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -1166,7 +1166,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>|<option>systemd</option>]</term>
|
||||
role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This parameter tells the /sbin/shorewall6 program where to
|
||||
@@ -1175,9 +1175,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
role="bold">logwatch</emphasis>, <emphasis role="bold">show
|
||||
log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
|
||||
If not assigned or if assigned an empty value, /var/log/messages is
|
||||
assumed. Beginning with Shorewall 5.0.10.1, you may specify
|
||||
<option>systemd</option> to use <command>journelctl -r</command> to
|
||||
read the log.</para>
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -932,9 +932,7 @@
|
||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||
role="bold">logdrop</emphasis>, <emphasis
|
||||
role="bold">reject</emphasis>, or <emphasis
|
||||
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||
5.0.10, this command can also re-enable addresses blacklisted using
|
||||
the <command>blacklist</command> command.</para>
|
||||
role="bold">logreject</emphasis> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -61,7 +61,7 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -26,8 +26,6 @@
|
||||
|
||||
<year>2011</year>
|
||||
|
||||
<year>2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -91,9 +89,7 @@
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
|
||||
acting as a firewall/router for a small local network. For
|
||||
Redhat-specific install/configure information, see <ulink url="???">this
|
||||
article </ulink>contributed by Digimer.</para>
|
||||
acting as a firewall/router for a small local network</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -398,7 +398,7 @@ ACCEPT net $FW tcp 22</programlisting>
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall6</emphasis>. This package
|
||||
requires the Shorewall package and adds those components needed to
|
||||
create an IPv6 firewall.</para>
|
||||
create an IPv6 fireawall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2016</year>
|
||||
<year>2001-2013</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@@ -35,9 +35,9 @@
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 5.0 and
|
||||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
5.0.0 then please see the documentation for that
|
||||
4.3.5 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user