forked from extern/shorewall_code
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a8dc76638f | ||
|
|
9e0c97009c | ||
|
|
66b2e28e52 | ||
|
|
aca72cb4e6 |
@@ -339,15 +339,7 @@ show_classifiers() {
|
||||
#
|
||||
# Display blacklist chains
|
||||
#
|
||||
blacklist_filter() {
|
||||
awk \
|
||||
'BEGIN { prnt=0; }; \
|
||||
/^Members:/ { print "Dynamic:"; prnt=1; next; }; \
|
||||
{ if (prnt == 1) print; };'
|
||||
}
|
||||
|
||||
show_bl() {
|
||||
[ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset | blacklist_filter && echo
|
||||
$g_tool -L $g_ipt_options | \
|
||||
awk 'BEGIN {prnt=0; };
|
||||
/^$/ {if (prnt == 1) print ""; prnt=0; };
|
||||
@@ -930,10 +922,23 @@ show_events() {
|
||||
}
|
||||
|
||||
show_actions() {
|
||||
echo "A_ACCEPT # Audit and accept the connection"
|
||||
echo "A_DROP # Audit and drop the connection"
|
||||
echo "A_REJECT # Audit and reject the connection "
|
||||
echo "allowBcast # Silently Allow Broadcast/multicast"
|
||||
echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
|
||||
echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
|
||||
echo "allowoutUPnP # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
|
||||
echo "dropBcast # Silently Drop Broadcast/multicast"
|
||||
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
|
||||
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
|
||||
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
|
||||
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
|
||||
|
||||
if [ -f ${g_confdir}/actions ]; then
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
|
||||
cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
|
||||
else
|
||||
grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
|
||||
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -3452,29 +3457,6 @@ reject_command() {
|
||||
fi
|
||||
}
|
||||
|
||||
blacklist_command() {
|
||||
local family
|
||||
|
||||
[ $# -gt 0 ] || fatal_error "Missing address"
|
||||
|
||||
[ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
|
||||
|
||||
case ${IPSET:=ipset} in
|
||||
*/*)
|
||||
if [ ! -x "$IPSET" ]; then
|
||||
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
IPSET="$(mywhich $IPSET)"
|
||||
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
|
||||
return 0
|
||||
}
|
||||
save_command() {
|
||||
local finished
|
||||
finished=0
|
||||
@@ -3824,38 +3806,6 @@ get_config() {
|
||||
g_pager="| $g_pager"
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
|
||||
[ -f $lib ] && . $lib
|
||||
@@ -3882,7 +3832,7 @@ start_command() {
|
||||
rc=$?
|
||||
else
|
||||
error_message "${VARDIR}/firewall is missing or is not executable"
|
||||
mylogger kern.err "ERROR:$g_product start failed"
|
||||
logger -p kern.err "ERROR:$g_product start failed"
|
||||
rc=6
|
||||
fi
|
||||
|
||||
@@ -4015,7 +3965,7 @@ restart_command() {
|
||||
rc=$?
|
||||
else
|
||||
error_message "${VARDIR}/firewall is missing or is not executable"
|
||||
mylogger kern.err "ERROR:$g_product $COMMAND failed"
|
||||
logger -p kern.err "ERROR:$g_product $COMMAND failed"
|
||||
rc=6
|
||||
fi
|
||||
|
||||
@@ -4046,7 +3996,6 @@ usage() # $1 = exit status
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host-list>] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " blacklist <address> [ <option> ... ]"
|
||||
ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
|
||||
echo " clear"
|
||||
ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
|
||||
@@ -4198,7 +4147,6 @@ shorewall_cli() {
|
||||
g_loopback=
|
||||
g_compiled=
|
||||
g_pager=
|
||||
g_blacklistipset=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
@@ -4390,13 +4338,6 @@ shorewall_cli() {
|
||||
fatal_error "$g_product is not running"
|
||||
fi
|
||||
;;
|
||||
blacklist)
|
||||
get_config Yes
|
||||
shift
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
blacklist_command $@
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
;;
|
||||
run)
|
||||
[ $# -gt 1 ] || fatal_error "Missing function name"
|
||||
get_config Yes
|
||||
|
||||
@@ -25,22 +25,6 @@
|
||||
# scripts rather than loaded at run-time.
|
||||
#
|
||||
#########################################################################################
|
||||
#
|
||||
# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
|
||||
#
|
||||
mylogger() {
|
||||
local level
|
||||
|
||||
level=$1
|
||||
shift
|
||||
|
||||
if [ -n "$SW_LOGGERTAG" ]; then
|
||||
logger -p $level -t "$SW_LOGGERTAG" $*
|
||||
else
|
||||
logger -p $level $*
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Issue a message and stop
|
||||
#
|
||||
@@ -49,24 +33,24 @@ startup_error() # $* = Error Message
|
||||
echo " ERROR: $@: Firewall state not changed" >&2
|
||||
|
||||
if [ $LOG_VERBOSITY -ge 0 ]; then
|
||||
timestamp="$(date +'%b %e %T') "
|
||||
timestamp="$(date +'%b %d %T') "
|
||||
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
||||
fi
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
|
||||
logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
|
||||
;;
|
||||
restart)
|
||||
mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
|
||||
logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
|
||||
;;
|
||||
restore)
|
||||
mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
|
||||
logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ $LOG_VERBOSITY -ge 0 ]; then
|
||||
timestamp="$(date +'%b %e %T') "
|
||||
timestamp="$(date +'%b %d %T') "
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
|
||||
1
Shorewall-init/README.txt
Normal file
1
Shorewall-init/README.txt
Normal file
@@ -0,0 +1 @@
|
||||
This is the Shorewall-init stable 4.4 branch of Git.
|
||||
1
Shorewall-lite/README.txt
Normal file
1
Shorewall-lite/README.txt
Normal file
@@ -0,0 +1 @@
|
||||
This is the Shorewall-lite stable 4.4 branch of Git.
|
||||
@@ -47,19 +47,6 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@@ -706,25 +693,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis>
|
||||
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
|
||||
... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8 and requires
|
||||
DYNAMIC_BLACKLIST=ipset.. in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
Causes packets from the given host or network
|
||||
<replaceable>address</replaceable> to be dropped, based on the
|
||||
setting of BLACKLIST in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
|
||||
<replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">call <replaceable>function</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</emphasis></term>
|
||||
@@ -1585,34 +1553,6 @@
|
||||
started.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>ENVIRONMENT</title>
|
||||
|
||||
<para>Two environmental variables are recognized by Shorewall-lite:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>SHOREWALL_INIT_SCRIPT</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to 1, causes Std out to be redirected to the file
|
||||
specified in the STARTUP_LOG option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SW_LOGGERTAG</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
|
||||
value is passed to the logger utility in its -t (--tag)
|
||||
option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/macro.RedisCluster
|
||||
#
|
||||
# This macro handles Redis Cluster traffic.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - tcp 16379
|
||||
@@ -1,9 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/macro.RedisSentinel
|
||||
#
|
||||
# This macro handles Redis Sentinel traffic.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - tcp 26379
|
||||
@@ -59,21 +59,21 @@ our $acctable;
|
||||
#
|
||||
|
||||
use constant {
|
||||
LEGACY_SECTION => 0,
|
||||
PREROUTING_SECTION => 1,
|
||||
INPUT_SECTION => 2,
|
||||
OUTPUT_SECTION => 3,
|
||||
FORWARD_SECTION => 4,
|
||||
POSTROUTING_SECTION => 5
|
||||
LEGACY => 0,
|
||||
PREROUTING => 1,
|
||||
INPUT => 2,
|
||||
OUTPUT => 3,
|
||||
FORWARD => 4,
|
||||
POSTROUTING => 5
|
||||
};
|
||||
#
|
||||
# Map names to values
|
||||
#
|
||||
our %asections = ( PREROUTING => PREROUTING_SECTION,
|
||||
INPUT => INPUT_SECTION,
|
||||
FORWARD => FORWARD_SECTION,
|
||||
OUTPUT => OUTPUT_SECTION,
|
||||
POSTROUTING => POSTROUTING_SECTION
|
||||
our %asections = ( PREROUTING => PREROUTING,
|
||||
INPUT => INPUT,
|
||||
FORWARD => FORWARD,
|
||||
OUTPUT => OUTPUT,
|
||||
POSTROUTING => POSTROUTING
|
||||
);
|
||||
|
||||
#
|
||||
@@ -157,7 +157,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
|
||||
|
||||
$jumpchainref = 0;
|
||||
|
||||
$asection = LEGACY_SECTION if $asection < 0;
|
||||
$asection = LEGACY if $asection < 0;
|
||||
|
||||
our $disposition = '';
|
||||
|
||||
|
||||
@@ -138,17 +138,6 @@ our %EXPORT_TAGS = (
|
||||
ALL_COMMANDS
|
||||
NOT_RESTORE
|
||||
|
||||
PREROUTING
|
||||
INPUT
|
||||
FORWARD
|
||||
OUTPUT
|
||||
POSTROUTING
|
||||
ALLCHAINS
|
||||
STICKY
|
||||
STICKO
|
||||
REALPREROUTING
|
||||
ACTIONCHAIN
|
||||
|
||||
unreachable_warning
|
||||
state_match
|
||||
state_imatch
|
||||
@@ -199,7 +188,6 @@ our %EXPORT_TAGS = (
|
||||
ensure_raw_chain
|
||||
ensure_rawpost_chain
|
||||
new_standard_chain
|
||||
new_action_chain
|
||||
new_builtin_chain
|
||||
new_nat_chain
|
||||
optimize_chain
|
||||
@@ -279,7 +267,6 @@ our %EXPORT_TAGS = (
|
||||
save_docker_rules
|
||||
load_ipsets
|
||||
create_save_ipsets
|
||||
create_load_ipsets
|
||||
validate_nfobject
|
||||
create_nfobjects
|
||||
create_netfilter_load
|
||||
@@ -287,7 +274,6 @@ our %EXPORT_TAGS = (
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
initialize_switches
|
||||
terminating
|
||||
%targets
|
||||
%builtin_target
|
||||
%dscpmap
|
||||
@@ -339,10 +325,6 @@ our $VERSION = 'MODULEVERSION';
|
||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||
# Suppresses adding additional rules to the chain end of the chain
|
||||
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||
# chainnumber => Numeric enumeration of the builtin chains (mangle table only).
|
||||
# allowedchains
|
||||
# => Mangle action chains only -- specifies the set of builtin chains where
|
||||
# this action may be used.
|
||||
# } ,
|
||||
# <chain2> => ...
|
||||
# }
|
||||
@@ -474,22 +456,6 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
|
||||
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
|
||||
DESTIFACE_DISALLOW => 32, # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
|
||||
};
|
||||
#
|
||||
# Mangle Table allowed chains enumeration
|
||||
#
|
||||
use constant {
|
||||
PREROUTING => 1, #Actually tcpre
|
||||
INPUT => 2, #Actually tcin
|
||||
FORWARD => 4, #Actually tcfor
|
||||
OUTPUT => 8, #Actually tcout
|
||||
POSTROUTING => 16, #Actually tcpost
|
||||
ALLCHAINS => 31,
|
||||
STICKY => 32,
|
||||
STICKO => 64,
|
||||
REALPREROUTING => 128,
|
||||
ACTIONCHAIN => 256,
|
||||
};
|
||||
|
||||
#
|
||||
# Possible IPSET options
|
||||
#
|
||||
@@ -621,7 +587,7 @@ our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
|
||||
RAWDNAT => STANDARD + RAW_TABLE,
|
||||
RAWSNAT => STANDARD + RAW_TABLE,
|
||||
REDIRECT => STANDARD + NAT_TABLE,
|
||||
REJECT => STANDARD + FILTER_TABLE + OPTIONS,
|
||||
REJECT => STANDARD + FILTER_TABLE,
|
||||
RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||
SAME => STANDARD,
|
||||
SECMARK => STANDARD + MANGLE_TABLE,
|
||||
@@ -649,7 +615,7 @@ our %ipset_exists;
|
||||
# => CMD_MODE if the rule contains a shell command or if it
|
||||
# part of a loop or conditional block. If it is a
|
||||
# shell command, the text of the command is in
|
||||
# the cmd member
|
||||
# the cmd
|
||||
# cmd => Shell command, if mode == CMD_MODE and cmdlevel == 0
|
||||
# cmdlevel => nesting level within loops and conditional blocks.
|
||||
# determines indentation
|
||||
@@ -810,13 +776,14 @@ sub initialize( $$$ ) {
|
||||
NETMAP => 1,
|
||||
NFQUEUE => 1,
|
||||
NOTRACK => 1,
|
||||
RAWDNAT => 1,
|
||||
REDIRECT => 1,
|
||||
RAWDNAT => 1,
|
||||
RAWSNAT => 1,
|
||||
REJECT => 1,
|
||||
SAME => 1,
|
||||
SNAT => 1,
|
||||
TPROXY => 1,
|
||||
reject => 1,
|
||||
);
|
||||
#
|
||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||
@@ -843,24 +810,6 @@ sub make_terminating( $ ) {
|
||||
$terminating{$_[0]} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a chain is terminating
|
||||
#
|
||||
sub terminating( $ ) {
|
||||
my ( $chainref ) = @_;
|
||||
|
||||
return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
|
||||
}
|
||||
|
||||
sub is_terminating( $$ ) {
|
||||
my ( $table, $target ) = @_;
|
||||
|
||||
if ( my $chainref = $chain_table{$table}{$target} ) {
|
||||
terminating( $chainref );
|
||||
} else {
|
||||
$terminating{$target};
|
||||
}
|
||||
}
|
||||
#
|
||||
# Transform the passed iptables rule into an internal-form hash reference.
|
||||
# Most of the compiler has been converted to use the new form natively.
|
||||
@@ -955,7 +904,7 @@ sub set_rule_option( $$$ ) {
|
||||
#
|
||||
# Shorewall::Rules::perl_action_tcp_helper() can produce rules that have two -p specifications.
|
||||
# The first will have a modifier like '! --syn' while the second will not. We want to retain
|
||||
# the first one.
|
||||
# the first while
|
||||
if ( $option eq 'p' ) {
|
||||
my ( $proto ) = split( ' ', $ruleref->{p} );
|
||||
return if $proto eq $value;
|
||||
@@ -1328,8 +1277,6 @@ sub push_rule( $$ ) {
|
||||
my $complete = 0;
|
||||
my $ruleref = transform_rule( $_[1], $complete );
|
||||
|
||||
fatal_error "Chain $chainref->{name} jumps to itself" if ( $ruleref->{target} || '' ) eq $chainref->{name};
|
||||
|
||||
set_irule_comment( $chainref, $ruleref );
|
||||
|
||||
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
|
||||
@@ -1560,7 +1507,6 @@ sub create_irule( $$$;@ ) {
|
||||
$ruleref->{jump} = $jump;
|
||||
$ruleref->{target} = $target;
|
||||
$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
|
||||
$chainref->{complete} ||= ( ! @matches && ( $jump eq 'g' || is_terminating( $chainref->{table}, $target ) ) );
|
||||
$ruleref->{targetopts} = $targetopts if $targetopts;
|
||||
} else {
|
||||
$ruleref->{target} = '';
|
||||
@@ -2052,7 +1998,7 @@ sub chain_base( $ ) {
|
||||
sub forward_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2107,7 +2053,7 @@ sub use_forward_chain($$) {
|
||||
#
|
||||
sub input_option_chain($) {
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2115,7 +2061,7 @@ sub input_option_chain($) {
|
||||
#
|
||||
sub output_option_chain($) {
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2123,7 +2069,7 @@ sub output_option_chain($) {
|
||||
#
|
||||
sub forward_option_chain($) {
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2132,7 +2078,7 @@ sub forward_option_chain($) {
|
||||
sub input_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2195,7 +2141,7 @@ sub use_input_chain($$) {
|
||||
sub output_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2204,7 +2150,7 @@ sub output_chain($)
|
||||
sub prerouting_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2213,7 +2159,7 @@ sub prerouting_chain($)
|
||||
sub postrouting_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2266,7 +2212,7 @@ sub use_output_chain($$) {
|
||||
sub masq_chain($)
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2282,7 +2228,7 @@ sub syn_flood_chain ( $ ) {
|
||||
sub mac_chain( $ )
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
|
||||
}
|
||||
|
||||
sub macrecent_target($)
|
||||
@@ -2319,7 +2265,7 @@ sub load_chain( $ ) {
|
||||
sub snat_chain( $ )
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2328,7 +2274,7 @@ sub snat_chain( $ )
|
||||
sub ecn_chain( $ )
|
||||
{
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2379,7 +2325,6 @@ sub new_chain($$)
|
||||
filtered => 0,
|
||||
optflags => 0,
|
||||
origin => shortlineinfo( '' ),
|
||||
restriction => NO_RESTRICT,
|
||||
};
|
||||
|
||||
trace( $chainref, 'N', undef, '' ) if $debug;
|
||||
@@ -2507,7 +2452,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
||||
}
|
||||
|
||||
if ( $ruleref->{simple} ) {
|
||||
$fromref->{complete} = 1 if $jump eq 'g' || ( $toref ? terminating( $toref ) : $terminating{$to} );
|
||||
$fromref->{complete} = 1 if $jump eq 'g' || $terminating{$to};
|
||||
}
|
||||
|
||||
$ruleref->{origin} = $origin if $origin;
|
||||
@@ -2793,13 +2738,6 @@ sub new_standard_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub new_action_chain($$) {
|
||||
my $chainref = &new_chain( @_ );
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref->{allowedchains} = ALLCHAINS | REALPREROUTING | ACTIONCHAIN;
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub new_nat_chain($) {
|
||||
my $chainref = new_chain 'nat' ,$_[0];
|
||||
$chainref->{referenced} = 1;
|
||||
@@ -2930,40 +2868,40 @@ sub initialize_chain_table($) {
|
||||
%targets = ('ACCEPT' => STANDARD,
|
||||
'ACCEPT+' => STANDARD + NONAT,
|
||||
'ACCEPT!' => STANDARD,
|
||||
'ADD' => STANDARD + SET,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'A_ACCEPT' => STANDARD + AUDIT,
|
||||
'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
|
||||
'A_ACCEPT!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'AUDIT' => STANDARD + AUDIT + OPTIONS,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'A_DROP' => STANDARD + AUDIT,
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'NONAT' => STANDARD + NONAT + NATONLY,
|
||||
'CONNMARK' => STANDARD + OPTIONS,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'A_REJECT' => STANDARD + AUDIT,
|
||||
'A_REJECT!' => STANDARD + AUDIT,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'CONTINUE' => STANDARD,
|
||||
'CONTINUE!' => STANDARD,
|
||||
'COUNT' => STANDARD,
|
||||
'DEL' => STANDARD + SET,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'DROP' => STANDARD,
|
||||
'DROP!' => STANDARD,
|
||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||
'INLINE' => INLINERULE,
|
||||
'IPTABLES' => IPTABLES,
|
||||
'LOG' => STANDARD + LOGRULE + OPTIONS,
|
||||
'MARK' => STANDARD + OPTIONS,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'NFQUEUE' => STANDARD + NFQ + OPTIONS,
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'QUEUE' => STANDARD + OPTIONS,
|
||||
'QUEUE!' => STANDARD,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
|
||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||
'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
|
||||
'ADD' => STANDARD + SET,
|
||||
'DEL' => STANDARD + SET,
|
||||
'WHITELIST' => STANDARD,
|
||||
'HELPER' => STANDARD + HELPER + NATONLY, #Actually RAWONLY
|
||||
'INLINE' => INLINERULE,
|
||||
'IPTABLES' => IPTABLES,
|
||||
'TARPIT' => STANDARD + TARPIT + OPTIONS,
|
||||
);
|
||||
|
||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||
@@ -3007,6 +2945,8 @@ sub initialize_chain_table($) {
|
||||
'A_DROP!' => STANDARD + AUDIT,
|
||||
'REJECT' => STANDARD + OPTIONS,
|
||||
'REJECT!' => STANDARD + OPTIONS,
|
||||
'A_REJECT' => STANDARD + AUDIT,
|
||||
'A_REJECT!' => STANDARD + AUDIT,
|
||||
'DNAT' => NATRULE + OPTIONS,
|
||||
'DNAT-' => NATRULE + NATONLY,
|
||||
'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
|
||||
@@ -3061,12 +3001,6 @@ sub initialize_chain_table($) {
|
||||
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
}
|
||||
|
||||
$mangle_table->{PREROUTING}{chainnumber} = PREROUTING;
|
||||
$mangle_table->{INPUT}{chainnumber} = INPUT;
|
||||
$mangle_table->{OUTPUT}{chainnumber} = OUTPUT;
|
||||
$mangle_table->{FORWARD}{chainnumber} = FORWARD;
|
||||
$mangle_table->{POSTROUTING}{chainnumber} = POSTROUTING;
|
||||
}
|
||||
|
||||
if ( my $docker = $config{DOCKER} ) {
|
||||
@@ -4535,7 +4469,7 @@ sub clearrule() {
|
||||
sub state_match( $ ) {
|
||||
my $state = shift;
|
||||
|
||||
if ( $state eq 'ALL' || $state eq '-' ) {
|
||||
if ( $state eq 'ALL' ) {
|
||||
''
|
||||
} else {
|
||||
have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
|
||||
@@ -6353,7 +6287,7 @@ sub log_rule_limit( $$$$$$$$;$ ) {
|
||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
|
||||
|
||||
my $prefix = '';
|
||||
my $chain = get_action_chain_name || $chn;
|
||||
my $chain = get_action_chain_name || $chn;
|
||||
my $disposition = get_action_disposition || $dispo;
|
||||
my $original_matches = $matches;
|
||||
my $ruleref;
|
||||
@@ -6453,7 +6387,7 @@ sub log_irule_limit( $$$$$$$$@ ) {
|
||||
|
||||
my $prefix = '';
|
||||
my %matches;
|
||||
my $chain = get_action_chain_name || $chn;
|
||||
my $chain = get_action_chain_name || $chn;
|
||||
my $disposition = get_action_disposition || $dispo;
|
||||
my $original_matches = @matches;
|
||||
|
||||
@@ -7557,7 +7491,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
||||
log_irule_limit( $loglevel ,
|
||||
$echainref ,
|
||||
$chain ,
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
[] ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
@@ -7604,7 +7538,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
|
||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||
( '', '', '', '', '', '', '', '', '', '' );
|
||||
my $chain = $actparams{chain} || $chainref->{name};
|
||||
my $chain = $actparms{chain} || $chainref->{name};
|
||||
my $table = $chainref->{table};
|
||||
my ( $jump, $mac, $targetref, $basictarget );
|
||||
our @ends = ();
|
||||
@@ -7766,10 +7700,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
# No logging or user-specified logging -- add the target rule with matches to the rule chain
|
||||
#
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref ,
|
||||
$targetref ,
|
||||
terminating( $targetref ) ,
|
||||
$prerule . $matches );
|
||||
add_expanded_jump( $chainref, $targetref , 0, $matches );
|
||||
} else {
|
||||
add_rule( $chainref, $prerule . $matches . $jump , 1 );
|
||||
}
|
||||
@@ -7781,22 +7712,22 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$chain,
|
||||
$actparams{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||
'' ,
|
||||
$logtag ,
|
||||
'add' ,
|
||||
$prerule . $matches
|
||||
$matches
|
||||
);
|
||||
} elsif ( $logname || $basictarget eq 'RETURN' ) {
|
||||
log_rule_limit(
|
||||
$loglevel ,
|
||||
$chainref ,
|
||||
$logname || $chain,
|
||||
$actparams{disposition} || $disposition,
|
||||
$actparms{disposition} || $disposition,
|
||||
'',
|
||||
$logtag,
|
||||
'add',
|
||||
$prerule . $matches );
|
||||
$matches );
|
||||
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref, $targetref, 0, $matches );
|
||||
@@ -7813,10 +7744,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
$loglevel,
|
||||
$logtag,
|
||||
$exceptionrule,
|
||||
$actparams{disposition} || $disposition,
|
||||
$actparms{disposition} || $disposition,
|
||||
$target ),
|
||||
$terminating{$basictarget} || ( $targetref && $targetref->{complete} ),
|
||||
$prerule . $matches );
|
||||
$matches );
|
||||
}
|
||||
|
||||
conditional_rule_end( $chainref ) if $cond3;
|
||||
@@ -8193,15 +8124,6 @@ else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
EOF
|
||||
if ( $config{MINIUPNPD} ) {
|
||||
emit << "EOF";
|
||||
if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
|
||||
$tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
|
||||
else
|
||||
rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
|
||||
fi
|
||||
EOF
|
||||
}
|
||||
} else {
|
||||
emit <<"EOF";
|
||||
if chain_exists 'UPnP -t nat'; then
|
||||
@@ -8222,15 +8144,6 @@ else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
EOF
|
||||
if ( $config{MINIUPNPD} ) {
|
||||
emit << "EOF";
|
||||
if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
|
||||
$utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
|
||||
else
|
||||
rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
|
||||
fi
|
||||
EOF
|
||||
}
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
@@ -8249,22 +8162,14 @@ EOF
|
||||
emit( '' ), save_docker_rules( $tool ), emit( '' ) if $config{DOCKER};
|
||||
}
|
||||
|
||||
sub ensure_ipsets( @ ) {
|
||||
my $set;
|
||||
|
||||
if ( @_ > 1 ) {
|
||||
push_indent;
|
||||
emit( "for set in @_; do" );
|
||||
$set = '$set';
|
||||
} else {
|
||||
$set = $_[0];
|
||||
}
|
||||
sub ensure_ipset( $ ) {
|
||||
my $set = shift;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( have_capability 'IPSET_V5' ) {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||
qq( \$IPSET -N $set hash:net family inet timeout 0 counters) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
|
||||
qq( \$IPSET -N $set hash:ip family inet) ,
|
||||
qq( fi) );
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
@@ -8274,15 +8179,10 @@ sub ensure_ipsets( @ ) {
|
||||
}
|
||||
} else {
|
||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||
qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
|
||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
|
||||
qq( \$IPSET -N $set hash:ip family inet6) ,
|
||||
qq( fi) );
|
||||
}
|
||||
|
||||
if ( @_ > 1 ) {
|
||||
emit 'done';
|
||||
pop_indent;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@@ -8291,26 +8191,22 @@ sub ensure_ipsets( @ ) {
|
||||
sub create_save_ipsets() {
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
|
||||
emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#",
|
||||
'save_ipsets() {' );
|
||||
|
||||
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
|
||||
emit( ' local file' ,
|
||||
' local set' ,
|
||||
'',
|
||||
' file=${1:-${VARDIR}/save.ipsets}'
|
||||
);
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit '';
|
||||
ensure_ipsets( @ipsets );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
}
|
||||
|
||||
if ( $config{SAVE_IPSETS} ) {
|
||||
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
|
||||
#
|
||||
# Requires V5 or later
|
||||
#
|
||||
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
|
||||
|
||||
emit( '' ,
|
||||
@@ -8319,6 +8215,11 @@ sub create_save_ipsets() {
|
||||
' local set' ,
|
||||
);
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit '';
|
||||
emit( " \$IPSET -S $_ >> \$file" ) for @ipsets;
|
||||
}
|
||||
|
||||
emit( '',
|
||||
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
||||
" \$IPSET save \$set >> \$file" ,
|
||||
@@ -8326,9 +8227,6 @@ sub create_save_ipsets() {
|
||||
'',
|
||||
);
|
||||
} else {
|
||||
#
|
||||
# Saving all ipsets (IPv4 and IPv6, if any )
|
||||
#
|
||||
emit (
|
||||
'',
|
||||
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||
@@ -8337,48 +8235,28 @@ sub create_save_ipsets() {
|
||||
}
|
||||
|
||||
emit( " return 0",
|
||||
'',
|
||||
"}\n" );
|
||||
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
|
||||
#
|
||||
# Requires V5 or later
|
||||
#
|
||||
my %ipsets;
|
||||
#
|
||||
# Requires V
|
||||
#
|
||||
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
|
||||
|
||||
my @sets = sort keys %ipsets;
|
||||
|
||||
emit( '' ,
|
||||
' rm -f $file' ,
|
||||
' touch $file' ,
|
||||
' rm -f ${VARDIR}/ipsets.tmp' ,
|
||||
' touch ${VARDIR}/ipsets.tmp' ,
|
||||
);
|
||||
|
||||
if ( @sets > 1 ) {
|
||||
emit( '' ,
|
||||
" for set in @sets; do" ,
|
||||
' if qt $IPSET list $set; then' ,
|
||||
' $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
|
||||
' else' ,
|
||||
' error_message "ipset $set not saved (not found)"' ,
|
||||
' fi' ,
|
||||
' done' );
|
||||
} else {
|
||||
my $set = $sets[0];
|
||||
|
||||
emit( '' ,
|
||||
" if qt \$IPSET list $set; then" ,
|
||||
" \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
|
||||
' else' ,
|
||||
" error_message 'ipset $set not saved (not found)'" ,
|
||||
' fi' );
|
||||
if ( @ipsets ) {
|
||||
emit '';
|
||||
emit( " \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
|
||||
}
|
||||
|
||||
emit( '' ,
|
||||
" grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
|
||||
" if qt \$IPSET list $_; then" ,
|
||||
" \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
|
||||
' else' ,
|
||||
" error_message 'ipset $_ not saved (not found)'" ,
|
||||
" fi\n" ) for @{$globals{SAVED_IPSETS}};
|
||||
|
||||
emit( '' ,
|
||||
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
|
||||
'' ,
|
||||
' return 0',
|
||||
'' ,
|
||||
@@ -8394,58 +8272,13 @@ sub create_save_ipsets() {
|
||||
}
|
||||
}
|
||||
|
||||
sub create_load_ipsets() {
|
||||
sub load_ipsets() {
|
||||
|
||||
my @ipsets = all_ipsets; #Dynamic Zone IPSETS
|
||||
my @ipsets = all_ipsets;
|
||||
|
||||
my $setting = $config{SAVE_IPSETS};
|
||||
|
||||
my $havesets = @ipsets || @{$globals{SAVED_IPSETS}} || ( $setting && have_ipset_rules );
|
||||
|
||||
#
|
||||
# Generate a function that flushes and destroys sets prior to restoring them
|
||||
#
|
||||
if ( $havesets ) {
|
||||
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
|
||||
|
||||
emit ( "#\n#Flush and Destroy the sets that we will subsequently attempt to restore\n#",
|
||||
'zap_ipsets() {',
|
||||
' local set',
|
||||
'' );
|
||||
|
||||
if ( $family == F_IPV6 || $setting !~ /yes/i ) {
|
||||
#
|
||||
# Requires V5 or later
|
||||
#
|
||||
emit( '' ,
|
||||
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
||||
' $IPSET flush $set' ,
|
||||
' $IPSET destroy $set' ,
|
||||
" done" ,
|
||||
'',
|
||||
);
|
||||
} else {
|
||||
#
|
||||
# Restoring all ipsets (IPv4 and IPv6, if any)
|
||||
#
|
||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' $IPSET -F' ,
|
||||
' $IPSET -X' ,
|
||||
' fi' );
|
||||
};
|
||||
|
||||
emit( '}' );
|
||||
}
|
||||
#
|
||||
# Now generate load_ipsets()
|
||||
|
||||
emit ( "#\n#Flush and Destroy the sets then load fresh copy from a saved ipset file\n#",
|
||||
'load_ipsets() {' );
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $havesets ) {
|
||||
emit( '',
|
||||
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
|
||||
emit ( '', );
|
||||
emit ( '',
|
||||
'case $IPSET in',
|
||||
' */*)',
|
||||
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
||||
@@ -8456,56 +8289,86 @@ sub create_load_ipsets() {
|
||||
' ;;',
|
||||
'esac' ,
|
||||
'' ,
|
||||
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ##################
|
||||
'if [ "$COMMAND" = start ]; then' );
|
||||
|
||||
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
|
||||
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then',
|
||||
' zap_ipsets',
|
||||
' $IPSET -R < ${VARDIR}/ipsets.save',
|
||||
' fi' );
|
||||
if ( $config{SAVE_IPSETS} ) {
|
||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' $IPSET -F' ,
|
||||
' $IPSET -X' ,
|
||||
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
||||
' fi' );
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( '' );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
emit ( '' );
|
||||
|
||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' $IPSET flush' ,
|
||||
' $IPSET destroy' ,
|
||||
' $IPSET restore < ${VARDIR}/ipsets.save' ,
|
||||
" fi\n" ) for @{$globals{SAVED_IPSETS}};
|
||||
}
|
||||
} else {
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
|
||||
if ( @{$globals{SAVED_IPSETS}} ) {
|
||||
emit ( '' );
|
||||
|
||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' $IPSET flush' ,
|
||||
' $IPSET destroy' ,
|
||||
' $IPSET restore < ${VARDIR}/ipsets.save' ,
|
||||
" fi\n" ) for @{$globals{SAVED_IPSETS}};
|
||||
}
|
||||
}
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( '' );
|
||||
ensure_ipsets( @ipsets );
|
||||
}
|
||||
emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
|
||||
|
||||
emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ); ### Restore Command #################
|
||||
|
||||
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
|
||||
if ( $config{SAVE_IPSETS} ) {
|
||||
emit( ' if [ -f $(my_pathname)-ipsets ]; then' ,
|
||||
' if chain_exists shorewall; then' ,
|
||||
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
|
||||
' else' ,
|
||||
' zap_ipsets' ,
|
||||
' $IPSET -F' ,
|
||||
' $IPSET -X' ,
|
||||
' $IPSET -R < $(my_pathname)-ipsets' ,
|
||||
' fi' ,
|
||||
' fi' ,
|
||||
);
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( '' );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
emit ( '' );
|
||||
}
|
||||
} else {
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
|
||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||
' $IPSET flush' ,
|
||||
' $IPSET destroy' ,
|
||||
' $IPSET restore < ${VARDIR}/ipsets.save' ,
|
||||
" fi\n" ) for @{$globals{SAVED_IPSETS}};
|
||||
}
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( '' );
|
||||
ensure_ipsets( @ipsets );
|
||||
emit ( 'elif [ "$COMMAND" = reload ]; then' );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
}
|
||||
|
||||
emit ( 'elif [ "$COMMAND" = reload ]; then' ); ################### Reload Command ####################
|
||||
ensure_ipsets( @ipsets );
|
||||
emit( 'elif [ "$COMMAND" = stop ]; then' ,
|
||||
' save_ipsets'
|
||||
);
|
||||
|
||||
emit( 'elif [ "$COMMAND" = refresh ]; then' ); ################### Refresh Command ###################
|
||||
emit ( '' );
|
||||
ensure_ipsets( @ipsets );
|
||||
emit ( '' );
|
||||
if ( @ipsets ) {
|
||||
emit( 'elif [ "$COMMAND" = refresh ]; then' );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
};
|
||||
|
||||
emit ( 'fi' ,
|
||||
'' );
|
||||
} else {
|
||||
emit 'true';
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit '}';
|
||||
}
|
||||
|
||||
#
|
||||
@@ -8712,20 +8575,18 @@ sub preview_netfilter_load() {
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode1;
|
||||
enter_cmd_mode;
|
||||
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
print "\n";
|
||||
enter_cat_mode;
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||
enter_cmd_mode;
|
||||
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
print "\n";
|
||||
enter_cat_mode1;
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||
print( ":$name - [0:0]\n" );
|
||||
print( ":$name - [0:0]" );
|
||||
}
|
||||
} else {
|
||||
print( ":$name - [0:0]\n" );
|
||||
print( ":$name - [0:0]" );
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
|
||||
@@ -95,7 +95,7 @@ sub generate_script_1( $ ) {
|
||||
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
|
||||
|
||||
copy $globals{SHAREDIRPL} . '/lib.core', 0;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
|
||||
copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -368,7 +368,6 @@ sub generate_script_3($) {
|
||||
create_arptables_load( $test ) if $have_arptables;
|
||||
create_chainlist_reload( $_[0] );
|
||||
create_save_ipsets;
|
||||
create_load_ipsets;
|
||||
|
||||
emit "#\n# Start/Reload the Firewall\n#";
|
||||
|
||||
@@ -407,9 +406,7 @@ sub generate_script_3($) {
|
||||
'fi',
|
||||
'' );
|
||||
|
||||
emit( 'load_ipsets' ,
|
||||
'' );
|
||||
|
||||
load_ipsets;
|
||||
create_nfobjects;
|
||||
verify_address_variables;
|
||||
save_dynamic_chains;
|
||||
@@ -576,16 +573,16 @@ date > ${VARDIR}/restarted
|
||||
|
||||
case $COMMAND in
|
||||
start)
|
||||
mylogger kern.info "$g_product started"
|
||||
logger -p kern.info "$g_product started"
|
||||
;;
|
||||
reload)
|
||||
mylogger kern.info "$g_product reloaded"
|
||||
reloaded)
|
||||
logger -p kern.info "$g_product reloaded"
|
||||
;;
|
||||
refresh)
|
||||
mylogger kern.info "$g_product refreshed"
|
||||
logger -p kern.info "$g_product refreshed"
|
||||
;;
|
||||
restore)
|
||||
mylogger kern.info "$g_product restored"
|
||||
logger -p kern.info "$g_product restored"
|
||||
;;
|
||||
esac
|
||||
EOF
|
||||
@@ -870,6 +867,10 @@ sub compiler {
|
||||
#
|
||||
complete_policy_chains;
|
||||
#
|
||||
# Reject Action
|
||||
#
|
||||
process_reject_action if $config{REJECT_ACTION};
|
||||
#
|
||||
# Accounting.
|
||||
#
|
||||
setup_accounting if $config{ACCOUNTING};
|
||||
|
||||
@@ -139,7 +139,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
push_action_params
|
||||
pop_action_params
|
||||
default_action_params
|
||||
setup_audit_action
|
||||
read_a_line
|
||||
which
|
||||
qt
|
||||
@@ -161,8 +160,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
set_section_function
|
||||
clear_section_function
|
||||
directive_callback
|
||||
add_ipset
|
||||
all_ipsets
|
||||
|
||||
$product
|
||||
$Product
|
||||
@@ -188,7 +185,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
%helpers_enabled
|
||||
%helpers_aliases
|
||||
|
||||
%actparams
|
||||
%actparms
|
||||
|
||||
PARMSMODIFIED
|
||||
USEDCALLER
|
||||
@@ -346,7 +343,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
=> 'Ipset Match nomatch',
|
||||
IPSET_MATCH_COUNTERS
|
||||
=> 'Ipset Match counters',
|
||||
IPSET_V5 => 'Version 5 or later ipset',
|
||||
IPSET_V5 => 'Version 5 ipsets',
|
||||
CONNMARK => 'CONNMARK Target',
|
||||
XCONNMARK => 'Extended CONNMARK Target',
|
||||
CONNMARK_MATCH => 'Connmark Match',
|
||||
@@ -555,7 +552,7 @@ our %compiler_params;
|
||||
#
|
||||
# Action parameters
|
||||
#
|
||||
our %actparams;
|
||||
our %actparms;
|
||||
our $parmsmodified;
|
||||
our $usedcaller;
|
||||
our $inline_matches;
|
||||
@@ -673,14 +670,6 @@ our %variables; # Symbol table for expanding shell variables
|
||||
|
||||
our $section_function; #Function Reference for handling ?section
|
||||
|
||||
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
|
||||
|
||||
our %ipsets; # All required IPsets
|
||||
#
|
||||
# Files located via find_file()
|
||||
#
|
||||
our %filecache;
|
||||
|
||||
sub process_shorewallrc($$);
|
||||
sub add_variables( \% );
|
||||
#
|
||||
@@ -888,7 +877,6 @@ sub initialize( $;$$) {
|
||||
RESTART => undef ,
|
||||
DOCKER => undef ,
|
||||
PAGER => undef ,
|
||||
MINIUPNPD => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -1073,10 +1061,9 @@ sub initialize( $;$$) {
|
||||
|
||||
%compiler_params = ();
|
||||
|
||||
%actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
%actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
%ipsets = ();
|
||||
|
||||
%helpers_enabled = (
|
||||
amanda => 1,
|
||||
@@ -1175,14 +1162,6 @@ sub initialize( $;$$) {
|
||||
|
||||
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
||||
|
||||
sub add_ipset( $ ) {
|
||||
$ipsets{$_[0]} = 1;
|
||||
}
|
||||
|
||||
sub all_ipsets() {
|
||||
sort keys %ipsets;
|
||||
}
|
||||
|
||||
#
|
||||
# Create 'currentlineinfo'
|
||||
#
|
||||
@@ -1256,34 +1235,6 @@ sub shortlineinfo( $ ) {
|
||||
|
||||
sub handle_first_entry();
|
||||
|
||||
#
|
||||
# Issue a Information Message
|
||||
#
|
||||
sub info_message
|
||||
{
|
||||
my $currentlineinfo = currentlineinfo;
|
||||
our @localtime;
|
||||
|
||||
handle_first_entry if $first_entry;
|
||||
|
||||
$| = 1; #Reset output buffering (flush any partially filled buffers).
|
||||
|
||||
if ( $log ) {
|
||||
@localtime = localtime;
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
}
|
||||
|
||||
if ( $confess ) {
|
||||
print STDERR longmess( " INFO: @_$currentlineinfo" );
|
||||
print $log longmess( " INFO: @_$currentlineinfo\n" ) if $log;
|
||||
} else {
|
||||
print STDERR " INFO: @_$currentlineinfo\n";
|
||||
print $log " INFO: @_$currentlineinfo\n" if $log;
|
||||
}
|
||||
|
||||
$| = 0; #Re-allow output buffering
|
||||
}
|
||||
|
||||
#
|
||||
# Issue a Warning Message
|
||||
#
|
||||
@@ -1518,9 +1469,9 @@ sub hex_value( $ ) {
|
||||
# Strip off superfluous leading zeros from a hex number
|
||||
#
|
||||
sub normalize_hex( $ ) {
|
||||
my $val = lc $_[0];
|
||||
my $val = lc shift;
|
||||
|
||||
$val =~ s/^0+/0/;
|
||||
$val =~ s/^0// while $val =~ /^0/ && length $val > 1;
|
||||
$val;
|
||||
}
|
||||
|
||||
@@ -1713,7 +1664,7 @@ sub progress_message {
|
||||
|
||||
@localtime = localtime unless $havelocaltime;
|
||||
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log "${leading}${line}\n";
|
||||
}
|
||||
}
|
||||
@@ -1732,7 +1683,7 @@ sub progress_message_nocompress {
|
||||
|
||||
@localtime = localtime unless $havelocaltime;
|
||||
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log "@_\n";
|
||||
}
|
||||
}
|
||||
@@ -1753,7 +1704,7 @@ sub progress_message2 {
|
||||
|
||||
@localtime = localtime unless $havelocaltime;
|
||||
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log "@_\n";
|
||||
}
|
||||
}
|
||||
@@ -1774,7 +1725,7 @@ sub progress_message3 {
|
||||
|
||||
@localtime = localtime unless $havelocaltime;
|
||||
|
||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||
print $log "@_\n";
|
||||
}
|
||||
}
|
||||
@@ -1949,10 +1900,6 @@ sub find_file($)
|
||||
|
||||
return $filename if $filename =~ '/';
|
||||
|
||||
my $file = $filecache{$filename};
|
||||
|
||||
return $file if $file;
|
||||
|
||||
for my $directory ( @config_path ) {
|
||||
my $file = "$directory$filename";
|
||||
return $file if -f $file;
|
||||
@@ -2203,12 +2150,6 @@ sub supplied( $ ) {
|
||||
defined $val && $val ne '';
|
||||
}
|
||||
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
#
|
||||
# Pre-process a line from a configuration file.
|
||||
|
||||
@@ -2550,13 +2491,6 @@ sub directive_warning( $$$ ) {
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
sub directive_info( $$$ ) {
|
||||
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
|
||||
( my $info, $currentfilename, $currentlinenumber ) = @_;
|
||||
info_message $info;
|
||||
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
|
||||
}
|
||||
|
||||
#
|
||||
# Add quotes to the passed value if the passed 'first part' has an odd number of quotes
|
||||
# Return an expression that concatenates $first, $val and $rest
|
||||
@@ -2572,49 +2506,20 @@ sub join_parts( $$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Declare passed() in Shorewall::User
|
||||
# Evaluate an expression in an ?IF, ?ELSIF or ?SET directive
|
||||
#
|
||||
sub declare_passed() {
|
||||
my $result = ( eval q(package Shorewall::User;
|
||||
use strict;
|
||||
sub passed( $ ) {
|
||||
my $val = shift;
|
||||
defined $val && $val ne '' && $val ne '-';
|
||||
}
|
||||
|
||||
1;) );
|
||||
assert( $result, $@ );
|
||||
}
|
||||
|
||||
#
|
||||
# Evaluate an expression in an ?IF, ?ELSIF, ?SET or ?ERROR directive
|
||||
#
|
||||
sub evaluate_expression( $$$$ ) {
|
||||
my ( $expression , $filename , $linenumber, $just_expand ) = @_;
|
||||
sub evaluate_expression( $$$ ) {
|
||||
my ( $expression , $filename , $linenumber ) = @_;
|
||||
my $val;
|
||||
my $count = 0;
|
||||
my $chain = $actparams{chain};
|
||||
|
||||
# $1 $2
|
||||
if ( $expression =~ /^(!)?\s*passed\([\$@](\d+)\)$/ ) {
|
||||
my $val = passed($actparams{$2});
|
||||
|
||||
return $1 ? ! $val : $val unless $debug;
|
||||
|
||||
$val = $1 ? ! $val : $val;
|
||||
|
||||
print "EXPR=> '$val'\n" if $debug;
|
||||
|
||||
return $val;
|
||||
}
|
||||
|
||||
my $chain = $actparms{chain};
|
||||
# $1 $2 $3 - $4
|
||||
while ( $expression =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
|
||||
if ( $var =~ /^\d+$/ ) {
|
||||
fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
} else {
|
||||
$val = ( exists $variables{$var} ? $variables{$var} :
|
||||
exists $capdesc{$var} ? have_capability( $var ) : '' );
|
||||
@@ -2629,7 +2534,7 @@ sub evaluate_expression( $$$$ ) {
|
||||
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$val = $var ? $actparams{$var} : $chain;
|
||||
$val = $var ? $actparms{$var} : $chain;
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$expression = join_parts( $first, $val, $rest );
|
||||
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
||||
@@ -2660,19 +2565,13 @@ sub evaluate_expression( $$$$ ) {
|
||||
|
||||
print "EXPR=> $expression\n" if $debug;
|
||||
|
||||
if ( $just_expand || $expression =~ /^\d+$/ ) {
|
||||
if ( $expression =~ /^\d+$/ ) {
|
||||
$val = $expression
|
||||
} else {
|
||||
#
|
||||
# Not a simple one-term expression -- compile it
|
||||
#
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
$val = eval qq(package Shorewall::User;
|
||||
use strict;
|
||||
# line $linenumber "$filename"
|
||||
$expression);
|
||||
$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
|
||||
|
||||
unless ( $val ) {
|
||||
directive_error( "Couldn't parse expression ($expression): $@" , $filename, $linenumber ) if $@;
|
||||
@@ -2703,7 +2602,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
|
||||
print "CD===> $line\n" if $debug;
|
||||
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
|
||||
directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*)(.*)$/i;
|
||||
|
||||
my ($keyword, $expression) = ( uc $1, $2 );
|
||||
|
||||
@@ -2721,7 +2620,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
my %directives =
|
||||
( IF => sub() {
|
||||
directive_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
|
||||
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber , 0 );
|
||||
my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
|
||||
push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
|
||||
$omitting = $nextomitting;
|
||||
} ,
|
||||
@@ -2733,7 +2632,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
#
|
||||
# We can only change to including if we were previously omitting
|
||||
#
|
||||
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber, 0 );
|
||||
$omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
|
||||
$included = ! $omitting;
|
||||
} else {
|
||||
#
|
||||
@@ -2769,17 +2668,15 @@ sub process_compiler_directive( $$$$ ) {
|
||||
$var = $2;
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
my $val = $actparams{$var} = evaluate_expression ( $expression,
|
||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
my $val = $actparms{$var} = evaluate_expression ( $expression,
|
||||
$filename,
|
||||
$linenumber,
|
||||
0 );
|
||||
$linenumber );
|
||||
$parmsmodified = PARMSMODIFIED;
|
||||
} else {
|
||||
$variables{$2} = evaluate_expression( $expression,
|
||||
$filename,
|
||||
$linenumber,
|
||||
0 );
|
||||
$linenumber );
|
||||
}
|
||||
}
|
||||
} ,
|
||||
@@ -2803,12 +2700,12 @@ sub process_compiler_directive( $$$$ ) {
|
||||
if ( ( $1 || '' ) eq '@' ) {
|
||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||
$var = $2 || 'chain';
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparams{0};
|
||||
if ( exists $actparams{$var} ) {
|
||||
directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||
if ( exists $actparms{$var} ) {
|
||||
if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
|
||||
$actparams{$var} = '';
|
||||
$actparms{$var} = '';
|
||||
} else {
|
||||
delete $actparams{$var}
|
||||
delete $actparms{$var}
|
||||
}
|
||||
} else {
|
||||
directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
|
||||
@@ -2839,34 +2736,7 @@ sub process_compiler_directive( $$$$ ) {
|
||||
directive_error ( "?COMMENT is not allowed in this file", $filename, $linenumber );
|
||||
}
|
||||
}
|
||||
} ,
|
||||
|
||||
ERROR => sub() {
|
||||
directive_error( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ) ,
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
WARNING => sub() {
|
||||
directive_warning( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
|
||||
INFO => sub() {
|
||||
directive_info( evaluate_expression( $expression ,
|
||||
$filename ,
|
||||
$linenumber ,
|
||||
1 ),
|
||||
$filename ,
|
||||
$linenumber ) unless $omitting;
|
||||
} ,
|
||||
}
|
||||
|
||||
);
|
||||
|
||||
@@ -2923,11 +2793,6 @@ sub copy( $ ) {
|
||||
print $script $_;
|
||||
print $script "\n";
|
||||
$lastlineblank = 0;
|
||||
|
||||
if ( $debug ) {
|
||||
s/\n/\nGS-----> /g;
|
||||
print "GS-----> $_\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -3255,7 +3120,7 @@ sub embedded_shell( $ ) {
|
||||
sub embedded_perl( $ ) {
|
||||
my $multiline = shift;
|
||||
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
|
||||
|
||||
$directive_callback->( 'PERL', $currentline ) if $directive_callback;
|
||||
|
||||
@@ -3282,8 +3147,6 @@ sub embedded_perl( $ ) {
|
||||
|
||||
$embedded++;
|
||||
|
||||
declare_passed unless $evals++;
|
||||
|
||||
unless (my $return = eval $command ) {
|
||||
#
|
||||
# Perl found the script offensive or the script itself died
|
||||
@@ -3344,32 +3207,32 @@ sub push_action_params( $$$$$$ ) {
|
||||
my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
|
||||
my @parms = ( undef , split_list3( $parms , 'parameter' ) );
|
||||
|
||||
$actparams{modified} = $parmsmodified;
|
||||
$actparams{usedcaller} = $usedcaller;
|
||||
$actparms{modified} = $parmsmodified;
|
||||
$actparms{usedcaller} = $usedcaller;
|
||||
|
||||
my %oldparms = %actparams;
|
||||
my %oldparms = %actparms;
|
||||
|
||||
$parmsmodified = 0;
|
||||
$usedcaller = 0;
|
||||
|
||||
%actparams = ();
|
||||
%actparms = ();
|
||||
|
||||
for ( my $i = 1; $i < @parms; $i++ ) {
|
||||
my $val = $parms[$i];
|
||||
|
||||
$actparams{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
|
||||
}
|
||||
|
||||
$actparams{0} = $chainref;
|
||||
$actparams{action} = $action;
|
||||
$actparams{loglevel} = $loglevel;
|
||||
$actparams{logtag} = $logtag;
|
||||
$actparams{caller} = $caller;
|
||||
$actparams{disposition} = '' if $chainref->{action};
|
||||
$actparms{0} = $chainref;
|
||||
$actparms{action} = $action;
|
||||
$actparms{loglevel} = $loglevel;
|
||||
$actparms{logtag} = $logtag;
|
||||
$actparms{caller} = $caller;
|
||||
$actparms{disposition} = '' if $chainref->{action};
|
||||
#
|
||||
# The Shorewall variable '@chain' has non-word characters other than hyphen removed
|
||||
# The Shorewall variable '@chain' has the non-word charaters removed
|
||||
#
|
||||
( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g;
|
||||
( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
|
||||
|
||||
\%oldparms;
|
||||
}
|
||||
@@ -3382,10 +3245,10 @@ sub push_action_params( $$$$$$ ) {
|
||||
#
|
||||
sub pop_action_params( $ ) {
|
||||
my $oldparms = shift;
|
||||
%actparams = %$oldparms;
|
||||
%actparms = %$oldparms;
|
||||
my $return = $parmsmodified | $usedcaller;
|
||||
( $parmsmodified ) = delete $actparams{modified} || 0;
|
||||
( $usedcaller ) = delete $actparams{usedcaller} || 0;
|
||||
( $parmsmodified ) = delete $actparms{modified} || 0;
|
||||
( $usedcaller ) = delete $actparms{usedcaller} || 0;
|
||||
$return;
|
||||
}
|
||||
|
||||
@@ -3395,11 +3258,11 @@ sub default_action_params {
|
||||
|
||||
for ( $i = 1; 1; $i++ ) {
|
||||
last unless defined ( $val = shift );
|
||||
my $curval = $actparams{$i};
|
||||
$actparams{$i} = $val unless supplied( $curval );
|
||||
my $curval = $actparms{$i};
|
||||
$actparms{$i} = $val unless supplied( $curval );
|
||||
}
|
||||
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparams{$i};
|
||||
fatal_error "Too Many arguments to action $action" if defined $actparms{$i};
|
||||
}
|
||||
|
||||
sub get_action_params( $ ) {
|
||||
@@ -3410,65 +3273,53 @@ sub get_action_params( $ ) {
|
||||
my @return;
|
||||
|
||||
for ( my $i = 1; $i <= $num; $i++ ) {
|
||||
my $val = $actparams{$i};
|
||||
my $val = $actparms{$i};
|
||||
push @return, defined $val ? $val eq '-' ? '' : $val eq '--' ? '-' : $val : $val;
|
||||
}
|
||||
|
||||
@return;
|
||||
}
|
||||
|
||||
sub setup_audit_action( $ ) {
|
||||
my ( $action ) = @_;
|
||||
|
||||
my ( $target, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action $action" if $audit ne 'audit';
|
||||
fatal_error "Only ACCEPT, DROP and REJECT may be audited" unless $target =~ /^(?:A_)?(?:ACCEPT|DROP|REJECT)\b/;
|
||||
$actparams{1} = "A_$target" unless $target =~ /^A_/;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Returns the Level and Tag for the current action chain
|
||||
#
|
||||
sub get_action_logging() {
|
||||
@actparams{ 'loglevel', 'logtag' };
|
||||
@actparms{ 'loglevel', 'logtag' };
|
||||
}
|
||||
|
||||
sub get_action_chain() {
|
||||
$actparams{0};
|
||||
$actparms{0};
|
||||
}
|
||||
|
||||
sub get_action_chain_name() {
|
||||
$actparams{chain};
|
||||
$actparms{chain};
|
||||
}
|
||||
|
||||
sub set_action_name_to_caller() {
|
||||
$actparams{chain} = $actparams{caller};
|
||||
$actparms{chain} = $actparms{caller};
|
||||
}
|
||||
|
||||
sub get_action_disposition() {
|
||||
$actparams{disposition};
|
||||
$actparms{disposition};
|
||||
}
|
||||
|
||||
sub set_action_disposition($) {
|
||||
$actparams{disposition} = $_[0];
|
||||
$actparms{disposition} = $_[0];
|
||||
}
|
||||
|
||||
sub set_action_param( $$ ) {
|
||||
my $i = shift;
|
||||
|
||||
fatal_error "Parameter numbers must be numeric" unless $i =~ /^\d+$/ && $i > 0;
|
||||
$actparams{$i} = shift;
|
||||
$actparms{$i} = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Expand Shell Variables in the passed buffer using %actparams, %params, %shorewallrc1 and %config,
|
||||
# Expand Shell Variables in the passed buffer using %actparms, %params, %shorewallrc1 and %config,
|
||||
#
|
||||
sub expand_variables( \$ ) {
|
||||
my ( $lineref, $count ) = ( $_[0], 0 );
|
||||
my $chain = $actparams{chain};
|
||||
my $chain = $actparms{chain};
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
|
||||
@@ -3482,16 +3333,16 @@ sub expand_variables( \$ ) {
|
||||
if ( $config{IGNOREUNKNOWNVARIABLES} ) {
|
||||
fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
|
||||
} else {
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparams{$var} &&
|
||||
fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
|
||||
( length( $var ) == 1 ||
|
||||
$var !~ /^0/ ) );
|
||||
}
|
||||
|
||||
$val = $var ? $actparams{$var} : $actparams{0}->{name};
|
||||
$val = $var ? $actparms{$var} : $actparms{0}->{name};
|
||||
} elsif ( exists $variables{$var} ) {
|
||||
$val = $variables{$var};
|
||||
} elsif ( exists $actparams{$var} ) {
|
||||
$val = $actparams{$var};
|
||||
} elsif ( exists $actparms{$var} ) {
|
||||
$val = $actparms{$var};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
} else {
|
||||
fatal_error "Undefined shell variable (\$$var)" unless $config{IGNOREUNKNOWNVARIABLES} || exists $config{$var};
|
||||
@@ -3510,7 +3361,7 @@ sub expand_variables( \$ ) {
|
||||
# $1 $2 $3 - $4
|
||||
while ( $$lineref =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z_]\w*) (?(2)}) (.*)$ )x ) {
|
||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||
my $val = $var ? $actparams{$var} : $actparams{chain};
|
||||
my $val = $var ? $actparms{$var} : $actparms{chain};
|
||||
$usedcaller = USEDCALLER if $var eq 'caller';
|
||||
$val = '' unless defined $val;
|
||||
$$lineref = join( '', $first , $val , $rest );
|
||||
@@ -3570,17 +3421,17 @@ sub handle_first_entry() {
|
||||
sub read_a_line($) {
|
||||
my $options = $_[0];
|
||||
|
||||
LINE:
|
||||
while ( $currentfile ) {
|
||||
|
||||
$currentline = '';
|
||||
$currentlinenumber = 0;
|
||||
|
||||
while ( <$currentfile> ) {
|
||||
chomp;
|
||||
#
|
||||
# Handle directives
|
||||
# Handle conditionals
|
||||
#
|
||||
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
|
||||
if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT)/i ) {
|
||||
$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
|
||||
next;
|
||||
}
|
||||
@@ -3594,7 +3445,7 @@ sub read_a_line($) {
|
||||
#
|
||||
# Suppress leading whitespace in certain continuation lines
|
||||
#
|
||||
s/^\s*// if $currentline && $options & CONFIG_CONTINUATION && $currentline =~ /[,:]$/;
|
||||
s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
|
||||
#
|
||||
# If this is a continued line with a trailing comment, remove comment. Note that
|
||||
# the result will now end in '\'.
|
||||
@@ -3605,20 +3456,19 @@ sub read_a_line($) {
|
||||
#
|
||||
chop $currentline, next if ($currentline .= $_) =~ /\\$/;
|
||||
#
|
||||
# We now have a (possibly concatenated) line
|
||||
# Must check for shell/perl before doing variable expansion
|
||||
#
|
||||
if ( $options & EMBEDDED_ENABLED ) {
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_perl( $1 );
|
||||
next LINE;
|
||||
}
|
||||
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?//i || $currentline =~ s/^\s*\?SHELL\s*//i || $currentline =~ s/^\s*SHELL\s+// ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_shell( $1 );
|
||||
next LINE;
|
||||
next;
|
||||
}
|
||||
|
||||
if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?//i || $currentline =~ s/^\s*\??PERL\s*//i ) {
|
||||
handle_first_entry if $first_entry;
|
||||
embedded_perl( $1 );
|
||||
next;
|
||||
}
|
||||
}
|
||||
#
|
||||
@@ -3630,7 +3480,7 @@ sub read_a_line($) {
|
||||
#
|
||||
# Ignore (concatinated) blank lines
|
||||
#
|
||||
next LINE if $currentline =~ /^\s*$/;
|
||||
$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
|
||||
#
|
||||
# Eliminate trailing whitespace
|
||||
#
|
||||
@@ -3641,7 +3491,7 @@ sub read_a_line($) {
|
||||
#
|
||||
handle_first_entry if $first_entry;
|
||||
#
|
||||
# Expand Shell Variables using %params and %actparams
|
||||
# Expand Shell Variables using %params and %actparms
|
||||
#
|
||||
expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
|
||||
|
||||
@@ -3661,16 +3511,18 @@ sub read_a_line($) {
|
||||
push_include;
|
||||
$currentfile = undef;
|
||||
do_open_file $filename;
|
||||
} else {
|
||||
$currentlinenumber = 0;
|
||||
}
|
||||
|
||||
next LINE;
|
||||
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
|
||||
my $sectionname = $1;
|
||||
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
|
||||
fatal_error "This file does not allow ?SECTION" unless $section_function;
|
||||
$section_function->($sectionname);
|
||||
$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
|
||||
next LINE;
|
||||
$currentline = '';
|
||||
} elsif ( ( $options & DO_SECTION ) && $currentline =~ /^\s*\?SECTION\s+(.*)/i ) {
|
||||
my $sectionname = $1;
|
||||
fatal_error "Invalid SECTION name ($sectionname)" unless $sectionname =~ /^[-_\da-zA-Z]+$/;
|
||||
fatal_error "This file does not allow ?SECTION" unless $section_function;
|
||||
$section_function->($sectionname);
|
||||
$directive_callback->( 'SECTION', $currentline ) if $directive_callback;
|
||||
$currentline = '';
|
||||
} else {
|
||||
fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
|
||||
print "IN===> $currentline\n" if $debug;
|
||||
@@ -4960,16 +4812,8 @@ sub ensure_config_path() {
|
||||
|
||||
@config_path = split /:/, $config{CONFIG_PATH};
|
||||
|
||||
#
|
||||
# To accomodate Cygwin-based compilation, we have separate directories for files whose names
|
||||
# clash on a case-insensitive filesystem.
|
||||
#
|
||||
push @config_path, $globals{SHAREDIR} . "/deprecated";
|
||||
push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
|
||||
|
||||
for ( @config_path ) {
|
||||
$_ .= '/' unless m|/$|;
|
||||
s|//|/|g;
|
||||
}
|
||||
|
||||
if ( $shorewall_dir ) {
|
||||
@@ -5485,7 +5329,7 @@ sub get_params( $ ) {
|
||||
#
|
||||
delete $params{$_};
|
||||
} else {
|
||||
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' || $_ eq 'SW_LOGGERTAG' ) {
|
||||
unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
|
||||
fatal_error "The variable name $_ is reserved and may not be set in the params file"
|
||||
if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
|
||||
}
|
||||
@@ -5925,21 +5769,16 @@ sub get_configuration( $$$$ ) {
|
||||
unsupported_yes_no 'BRIDGING';
|
||||
unsupported_yes_no_warning 'RFC1918_STRICT';
|
||||
|
||||
$val = $config{SAVE_IPSETS};
|
||||
|
||||
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
|
||||
if ( $val eq 'ipv4' ) {
|
||||
fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
|
||||
} else {
|
||||
$val = $config{SAVE_IPSETS};
|
||||
unless ( $val eq 'ipv4' ) {
|
||||
my @sets = split_list( $val , 'ipset' );
|
||||
$globals{SAVED_IPSETS} = \@sets;
|
||||
require_capability 'IPSET_V5', 'A saved ipset list', 's';
|
||||
$config{SAVE_IPSETS} = '';
|
||||
}
|
||||
|
||||
require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
|
||||
}
|
||||
|
||||
|
||||
default_yes_no 'SAVE_ARPTABLES' , '';
|
||||
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
||||
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
||||
@@ -6022,7 +5861,7 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
default_yes_no 'BASIC_FILTERS' , '';
|
||||
default_yes_no 'WORKAROUNDS' , 'Yes';
|
||||
default_yes_no 'DOCKER' , '';
|
||||
default_yes_no 'DOCKER' , '';
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
|
||||
@@ -6070,33 +5909,7 @@ sub get_configuration( $$$$ ) {
|
||||
$config{ACCOUNTING_TABLE} = 'filter';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||
if ( $val =~ /^ipset/ ) {
|
||||
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
|
||||
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
|
||||
|
||||
if ( supplied( $set ) ) {
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
|
||||
} else {
|
||||
$set = 'SW_DBL' . $family;
|
||||
}
|
||||
|
||||
add_ipset( $set );
|
||||
|
||||
$level = validate_level( $level );
|
||||
|
||||
$tag = '' unless defined $tag;
|
||||
|
||||
$config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
|
||||
|
||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||
|
||||
} else {
|
||||
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
|
||||
}
|
||||
}
|
||||
|
||||
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
|
||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
|
||||
default_yes_no 'COMPLETE' , '';
|
||||
@@ -6108,9 +5921,8 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'IGNOREUNKNOWNVARIABLES' , 'Yes';
|
||||
default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
|
||||
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
|
||||
default_yes_no 'MINIUPNPD' , '';
|
||||
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
|
||||
|
||||
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
||||
|
||||
@@ -6213,7 +6025,7 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'SFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( supplied( $val = $config{SFILTER_DISPOSITION} ) ) {
|
||||
if ( $val = $config{SFILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6222,14 +6034,14 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_log_level 'RPFILTER_LOG_LEVEL', 'info';
|
||||
|
||||
if ( supplied ( $val = $config{RPFILTER_DISPOSITION} ) ) {
|
||||
if ( $val = $config{RPFILTER_DISPOSITION} ) {
|
||||
fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
|
||||
require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
$config{RPFILTER_DISPOSITION} = 'DROP';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{MACLIST_DISPOSITION} ) ) {
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{MACLIST_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6248,7 +6060,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{MACLIST_TARGET} = 'reject';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{RELATED_DISPOSITION} ) ) {
|
||||
if ( $val = $config{RELATED_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{RELATED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6267,7 +6079,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{RELATED_TARGET} = 'ACCEPT';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{INVALID_DISPOSITION} ) ) {
|
||||
if ( $val = $config{INVALID_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?DROP$/ ) {
|
||||
$globals{INVALID_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6286,7 +6098,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{INVALID_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{UNTRACKED_DISPOSITION} ) ) {
|
||||
if ( $val = $config{UNTRACKED_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{UNTRACKED_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
@@ -6305,7 +6117,7 @@ sub get_configuration( $$$$ ) {
|
||||
$globals{UNTRACKED_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{MACLIST_TABLE} ) ) {
|
||||
if ( $val = $config{MACLIST_TABLE} ) {
|
||||
if ( $val eq 'mangle' ) {
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||
} else {
|
||||
@@ -6315,7 +6127,7 @@ sub get_configuration( $$$$ ) {
|
||||
default 'MACLIST_TABLE' , 'filter';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{TCP_FLAGS_DISPOSITION} ) ) {
|
||||
if ( $val = $config{TCP_FLAGS_DISPOSITION} ) {
|
||||
fatal_error "Invalid value ($config{TCP_FLAGS_DISPOSITION}) for TCP_FLAGS_DISPOSITION" unless $val =~ /^(?:(A_)?(?:REJECT|DROP))|ACCEPT$/;
|
||||
require_capability 'AUDIT_TARGET' , "TCP_FLAGS_DISPOSITION=$val", 's' if $1;
|
||||
} else {
|
||||
@@ -6346,7 +6158,7 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
|
||||
if ( $val = $config{TC_PRIOMAP} ) {
|
||||
my @priomap = split ' ',$val;
|
||||
fatal_error "Invalid TC_PRIOMAP ($val)" unless @priomap == 16;
|
||||
for ( @priomap ) {
|
||||
@@ -6365,13 +6177,12 @@ sub get_configuration( $$$$ ) {
|
||||
default 'QUEUE_DEFAULT' , 'none';
|
||||
default 'NFQUEUE_DEFAULT' , 'none';
|
||||
default 'ACCEPT_DEFAULT' , 'none';
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
|
||||
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
|
||||
}
|
||||
|
||||
default 'OPTIMIZE' , 0;
|
||||
|
||||
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
|
||||
$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
|
||||
} elsif ( $val =~ /^none$/i ) {
|
||||
@@ -6608,7 +6419,7 @@ sub generate_aux_config() {
|
||||
|
||||
emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
|
||||
|
||||
for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
|
||||
for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) {
|
||||
conditionally_add_option $option;
|
||||
}
|
||||
|
||||
@@ -6706,7 +6517,6 @@ sub report_used_capabilities() {
|
||||
}
|
||||
|
||||
END {
|
||||
print "eval() called $evals times\n" if $debug;
|
||||
cleanup;
|
||||
}
|
||||
|
||||
|
||||
@@ -89,7 +89,6 @@ sub setup_ecn()
|
||||
{
|
||||
my %interfaces;
|
||||
my @hosts;
|
||||
my $interfaceref;
|
||||
|
||||
if ( my $fn = open_file 'ecn' ) {
|
||||
|
||||
@@ -106,13 +105,7 @@ sub setup_ecn()
|
||||
2 );
|
||||
|
||||
fatal_error 'INTERFACE must be specified' if $interface eq '-';
|
||||
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
|
||||
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||
|
||||
my $lineinfo = shortlineinfo( '' );
|
||||
|
||||
@@ -646,7 +639,6 @@ sub create_docker_rules() {
|
||||
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $chainref );
|
||||
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
|
||||
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
|
||||
@@ -675,88 +667,16 @@ sub add_common_rules ( $ ) {
|
||||
my $level = $config{BLACKLIST_LOG_LEVEL};
|
||||
my $tag = $globals{BLACKLIST_LOG_TAG};
|
||||
my $rejectref = $filter_table->{reject};
|
||||
my $dbl_type;
|
||||
my $dbl_ipset;
|
||||
my $dbl_level;
|
||||
my $dbl_tag;
|
||||
my $dbl_target;
|
||||
|
||||
if ( $config{REJECT_ACTION} ) {
|
||||
process_reject_action;
|
||||
fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
|
||||
} else {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
|
||||
} else {
|
||||
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
|
||||
}
|
||||
|
||||
incr_cmd_level $rejectref;
|
||||
add_ijump $rejectref, j => 'DROP', d => '$address';
|
||||
decr_cmd_level $rejectref;
|
||||
add_commands $rejectref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
|
||||
} else {
|
||||
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
|
||||
}
|
||||
|
||||
add_ijump $rejectref , j => 'DROP', p => 2;
|
||||
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||
|
||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||
add_ijump $rejectref , j => 'REJECT', p => 17;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
|
||||
} else {
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
|
||||
}
|
||||
} else {
|
||||
add_ijump $rejectref , j => 'REJECT';
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Insure that Docker jumps are early in the builtin chains
|
||||
#
|
||||
create_docker_rules if $config{DOCKER};
|
||||
|
||||
if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
|
||||
( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
|
||||
|
||||
unless ( $dbl_type =~ /^ipset-only/ ) {
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
|
||||
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
|
||||
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
|
||||
}
|
||||
|
||||
if ( $dbl_ipset ) {
|
||||
if ( $dbl_level ) {
|
||||
my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
|
||||
|
||||
log_rule_limit( $dbl_level,
|
||||
$chainref,
|
||||
'dbl_log',
|
||||
'DROP',
|
||||
$globals{LOGLIMIT},
|
||||
$dbl_tag,
|
||||
'add',
|
||||
'',
|
||||
$origin{DYNAMIC_BLACKLIST} );
|
||||
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
|
||||
} else {
|
||||
$dbl_target = 'DROP';
|
||||
}
|
||||
}
|
||||
if ( $config{DYNAMIC_BLACKLIST} ) {
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
|
||||
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
|
||||
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
|
||||
}
|
||||
|
||||
setup_mss;
|
||||
@@ -860,13 +780,8 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
@@ -1025,6 +940,46 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
unless ( $config{REJECT_ACTION} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
|
||||
} else {
|
||||
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
|
||||
}
|
||||
|
||||
incr_cmd_level $rejectref;
|
||||
add_ijump $rejectref, j => 'DROP', d => '$address';
|
||||
decr_cmd_level $rejectref;
|
||||
add_commands $rejectref, 'done';
|
||||
}
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
|
||||
} else {
|
||||
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
|
||||
}
|
||||
|
||||
add_ijump $rejectref , j => 'DROP', p => 2;
|
||||
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||
|
||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||
add_ijump $rejectref , j => 'REJECT', p => 17;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
|
||||
} else {
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
|
||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
|
||||
}
|
||||
} else {
|
||||
add_ijump $rejectref , j => 'REJECT';
|
||||
}
|
||||
}
|
||||
|
||||
$list = find_interfaces_by_option 'dhcp';
|
||||
|
||||
if ( @$list ) {
|
||||
@@ -1140,18 +1095,10 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
|
||||
|
||||
my $chainref1;
|
||||
|
||||
if ( $config{MINIUPNPD} ) {
|
||||
$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE );
|
||||
add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
|
||||
}
|
||||
|
||||
$announced = 1;
|
||||
|
||||
for $interface ( @$list ) {
|
||||
add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
|
||||
add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1;
|
||||
add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1839,14 +1786,12 @@ sub add_output_jumps( $$$$$$$$ ) {
|
||||
my $use_output = 0;
|
||||
my @dest = imatch_dest_net $net;
|
||||
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
my @zone_interfaces = keys %{zone_interfaces( $zone )};
|
||||
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||
#
|
||||
# - There are vserver zones (so OUTPUT will have multiple source; or
|
||||
# - We must use the interface output chain; or
|
||||
# - There are rules in the interface chain and none in the rules chain
|
||||
# - The zone has multiple interfaces
|
||||
#
|
||||
# In any of these cases use the inteface output chain
|
||||
#
|
||||
@@ -1863,7 +1808,7 @@ sub add_output_jumps( $$$$$$$$ ) {
|
||||
unless $output_jump_added{$interface}++;
|
||||
} else {
|
||||
#
|
||||
# Not a bridge -- match the output interface
|
||||
# Not a bridge -- match the input interface
|
||||
#
|
||||
add_ijump_extended $filter_table->{OUTPUT}, j => $outputref, $origin, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||
}
|
||||
@@ -2473,16 +2418,16 @@ EOF
|
||||
emit <<'EOF';
|
||||
case $COMMAND in
|
||||
start)
|
||||
mylogger kern.err "ERROR:$g_product start failed"
|
||||
logger -p kern.err "ERROR:$g_product start failed"
|
||||
;;
|
||||
reload)
|
||||
mylogger kern.err "ERROR:$g_product reload failed"
|
||||
logger -p kern.err "ERROR:$g_product reload failed"
|
||||
;;
|
||||
refresh)
|
||||
mylogger kern.err "ERROR:$g_product refresh failed"
|
||||
logger -p kern.err "ERROR:$g_product refresh failed"
|
||||
;;
|
||||
enable)
|
||||
mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
|
||||
logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
|
||||
;;
|
||||
esac
|
||||
|
||||
@@ -2691,7 +2636,7 @@ EOF
|
||||
emit '
|
||||
|
||||
set_state "Stopped"
|
||||
mylogger kern.info "$g_product Stopped"
|
||||
logger -p kern.info "$g_product Stopped"
|
||||
|
||||
case $COMMAND in
|
||||
stop|clear)
|
||||
|
||||
@@ -69,7 +69,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
my $destnets = '';
|
||||
my $baserule = '';
|
||||
my $inlinematches = '';
|
||||
my $prerule = '';
|
||||
#
|
||||
# Leading '+'
|
||||
#
|
||||
@@ -84,13 +83,6 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
$inlinematches = get_inline_matches(0);
|
||||
}
|
||||
#
|
||||
# Handle early matches
|
||||
#
|
||||
if ( $inlinematches =~ s/s*\+// ) {
|
||||
$prerule = $inlinematches;
|
||||
$inlinematches = '';
|
||||
}
|
||||
#
|
||||
# Parse the remaining part of the INTERFACE column
|
||||
#
|
||||
if ( $family == F_IPV4 ) {
|
||||
@@ -173,9 +165,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rule .= match_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
@@ -346,7 +336,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
|
||||
#
|
||||
expand_rule( $chainref ,
|
||||
POSTROUTE_RESTRICT ,
|
||||
$prerule ,
|
||||
'' ,
|
||||
$baserule . $inlinematches . $rule ,
|
||||
$networks ,
|
||||
$destnets ,
|
||||
@@ -459,9 +449,7 @@ sub do_one_nat( $$$$$ )
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = match_source_dev $interface;
|
||||
$ruleout = match_dest_dev $interface;
|
||||
$interface = $interfaceref->{name};
|
||||
@@ -563,9 +551,7 @@ sub setup_netmap() {
|
||||
$net1 = validate_net $net1, 0;
|
||||
$net2 = validate_net $net2, 0;
|
||||
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
unless ( $interfaceref->{root} ) {
|
||||
@rulein = imatch_source_dev( $interface );
|
||||
@ruleout = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
|
||||
@@ -392,7 +392,7 @@ sub start_provider( $$$$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Look up a provider and return a reference to its table entry. If unknown provider, undef is returned
|
||||
# Look up a provider and return it's number. If unknown provider, 0 is returned
|
||||
#
|
||||
sub lookup_provider( $ ) {
|
||||
my $provider = $_[0];
|
||||
@@ -408,7 +408,7 @@ sub lookup_provider( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$providerref;
|
||||
$providerref ? $providerref->{number} : 0;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -666,9 +666,7 @@ sub process_a_provider( $ ) {
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
my $p = lookup_provider( $duplicate );
|
||||
my $n = $p ? $p->{number} : 0;
|
||||
warning_message "Unknown routing table ($duplicate)" unless $n && ( $n == MAIN_TABLE || $n < BALANCE_TABLE );
|
||||
warning_message "An optional provider ($duplicate) is listed in the DUPLICATE column - enable and disable will not work correctly on that provider" if $p && $p->{optional};
|
||||
warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
|
||||
} elsif ( $copy ne '-' ) {
|
||||
fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -82,7 +82,6 @@ our @EXPORT = ( qw( NOTHING
|
||||
find_interface
|
||||
known_interface
|
||||
get_physical
|
||||
get_logical
|
||||
physical_name
|
||||
have_bridges
|
||||
port_to_bridge
|
||||
@@ -103,6 +102,7 @@ our @EXPORT = ( qw( NOTHING
|
||||
find_hosts_by_option
|
||||
find_zone_hosts_by_option
|
||||
find_zones_by_option
|
||||
all_ipsets
|
||||
have_ipsec
|
||||
),
|
||||
);
|
||||
@@ -209,6 +209,8 @@ our @interfaces;
|
||||
our %interfaces;
|
||||
our %roots;
|
||||
our @bport_zones;
|
||||
our %ipsets;
|
||||
our %physical;
|
||||
our %basemap;
|
||||
our %basemap1;
|
||||
our %mapbase;
|
||||
@@ -324,6 +326,8 @@ sub initialize( $$ ) {
|
||||
%roots = ();
|
||||
%interfaces = ();
|
||||
@bport_zones = ();
|
||||
%ipsets = ();
|
||||
%physical = ();
|
||||
%basemap = ();
|
||||
%basemap1 = ();
|
||||
%mapbase = ();
|
||||
@@ -345,7 +349,6 @@ sub initialize( $$ ) {
|
||||
logmartians => BINARY_IF_OPTION,
|
||||
loopback => BINARY_IF_OPTION,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
nodbl => SIMPLE_IF_OPTION,
|
||||
norfc1918 => OBSOLETE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
@@ -393,7 +396,6 @@ sub initialize( $$ ) {
|
||||
loopback => BINARY_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
|
||||
nodbl => SIMPLE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
@@ -1279,7 +1281,7 @@ sub process_interface( $$ ) {
|
||||
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
|
||||
fatal_error "Duplicate $option option" if $netsref;
|
||||
if ( $value eq 'dynamic' ) {
|
||||
require_capability( 'IPSET_V5', 'Dynamic nets', '');
|
||||
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
|
||||
$hostoptions{dynamic} = 1;
|
||||
#
|
||||
# Defer remaining processing until we have the final physical interface name
|
||||
@@ -1309,7 +1311,7 @@ sub process_interface( $$ ) {
|
||||
fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
|
||||
fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;
|
||||
|
||||
fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );
|
||||
fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
|
||||
|
||||
fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
|
||||
$physical = $value;
|
||||
@@ -1343,7 +1345,7 @@ sub process_interface( $$ ) {
|
||||
my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
|
||||
$ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};
|
||||
$netsref = [ "+$ipset" ];
|
||||
add_ipset($ipset);
|
||||
$ipsets{$ipset} = 1;
|
||||
}
|
||||
|
||||
if ( $options{bridge} ) {
|
||||
@@ -1383,23 +1385,21 @@ sub process_interface( $$ ) {
|
||||
$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
|
||||
}
|
||||
|
||||
my $interfaceref = $interfaces{$interface} = { name => $interface ,
|
||||
bridge => $bridge ,
|
||||
filter => $filterref ,
|
||||
nets => 0 ,
|
||||
number => $nextinum ,
|
||||
root => $root ,
|
||||
broadcasts => $broadcasts ,
|
||||
options => \%options ,
|
||||
zone => '',
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ),
|
||||
zones => {},
|
||||
origin => shortlineinfo( '' ),
|
||||
wildcard => $wildcard,
|
||||
};
|
||||
|
||||
$interfaces{$physical} = $interfaceref if $physical ne $interface;
|
||||
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
|
||||
bridge => $bridge ,
|
||||
filter => $filterref ,
|
||||
nets => 0 ,
|
||||
number => $nextinum ,
|
||||
root => $root ,
|
||||
broadcasts => $broadcasts ,
|
||||
options => \%options ,
|
||||
zone => '',
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ),
|
||||
zones => {},
|
||||
origin => shortlineinfo( '' ),
|
||||
wildcard => $wildcard,
|
||||
};
|
||||
|
||||
if ( $zone ) {
|
||||
fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
|
||||
@@ -1570,23 +1570,20 @@ sub known_interface($)
|
||||
|
||||
my $physical = map_physical( $interface, $interfaceref );
|
||||
|
||||
$interfaceref =
|
||||
$interfaces{$interface} =
|
||||
$interfaces{$physical} = { options => $interfaceref->{options} ,
|
||||
bridge => $interfaceref->{bridge} ,
|
||||
name => $i ,
|
||||
number => $interfaceref->{number} ,
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ) ,
|
||||
wildcard => $interfaceref->{wildcard} ,
|
||||
zones => $interfaceref->{zones} ,
|
||||
};
|
||||
return $interfaceref;
|
||||
return $interfaces{$interface} = { options => $interfaceref->{options} ,
|
||||
bridge => $interfaceref->{bridge} ,
|
||||
name => $i ,
|
||||
number => $interfaceref->{number} ,
|
||||
physical => $physical ,
|
||||
base => var_base( $physical ) ,
|
||||
wildcard => $interfaceref->{wildcard} ,
|
||||
zones => $interfaceref->{zones} ,
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
0;
|
||||
$physical{$interface} || 0;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -1658,19 +1655,12 @@ sub find_interface( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Returns the physical interface associated with the passed interface name
|
||||
# Returns the physical interface associated with the passed logical name
|
||||
#
|
||||
sub get_physical( $ ) {
|
||||
$interfaces{ $_[0] }->{physical};
|
||||
}
|
||||
|
||||
#
|
||||
# Returns the logical interface associated with the passed interface name
|
||||
#
|
||||
sub get_logical( $ ) {
|
||||
$interfaces{ $_[0] }->{name};
|
||||
}
|
||||
|
||||
#
|
||||
# This one doesn't insist that the passed name be the name of a configured interface
|
||||
#
|
||||
@@ -2050,7 +2040,6 @@ sub process_host( ) {
|
||||
$interface = $1;
|
||||
$hosts = $2;
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
|
||||
$interface = $interfaceref->{name};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||
}
|
||||
@@ -2064,7 +2053,7 @@ sub process_host( ) {
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
|
||||
fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
|
||||
$interface = $interfaceref->{name};
|
||||
|
||||
if ( $interfaceref->{physical} eq $loopback_interface ) {
|
||||
fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
|
||||
} else {
|
||||
@@ -2152,7 +2141,7 @@ sub process_host( ) {
|
||||
|
||||
$hosts = "+$set";
|
||||
$optionsref->{dynamic} = 1;
|
||||
add_ipset($set);
|
||||
$ipsets{$set} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
@@ -2272,4 +2261,8 @@ sub find_zones_by_option( $$ ) {
|
||||
\@zns;
|
||||
}
|
||||
|
||||
sub all_ipsets() {
|
||||
sort keys %ipsets;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
1
Shorewall/README.txt
Normal file
1
Shorewall/README.txt
Normal file
@@ -0,0 +1 @@
|
||||
This is the Shorewall 4.4 stable branch of Git.
|
||||
@@ -192,8 +192,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
MINIUPNPD=No
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
MODULE_SUFFIX="ko ko.xz"
|
||||
|
||||
@@ -203,8 +203,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
MINIUPNPD=No
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
MODULE_SUFFIX="ko ko.xz"
|
||||
|
||||
@@ -200,8 +200,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
MINIUPNPD=No
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
MODULE_SUFFIX="ko ko.xz"
|
||||
|
||||
@@ -203,8 +203,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
MINIUPNPD=No
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
MODULE_SUFFIX="ko ko.xz"
|
||||
|
||||
@@ -1,39 +1,41 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.A_Drop
|
||||
# Shorewall version 5 - Drop Action
|
||||
#
|
||||
# The audited default DROP common rules
|
||||
# /usr/share/shorewall/action.A_Drop
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
# The audited default DROP common rules
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is
|
||||
# DROP. Otherwise, you may experience problems establishing
|
||||
# connections with servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
COUNT
|
||||
#
|
||||
# Special Handling for Auth
|
||||
# Silently DROP 'auth'
|
||||
#
|
||||
Auth(A_DROP)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
# For IPv6 connectivity ipv6-icmp broadcasting is required so
|
||||
# AllowICMPs must be before broadcast Drop.
|
||||
#
|
||||
A_AllowICMPs - - icmp
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast(audit)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
A_AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
|
||||
@@ -1,41 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
|
||||
#
|
||||
# A_REJECT Action.
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
|
||||
###############################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
AUDIT(reject)
|
||||
|
||||
?if passed @1
|
||||
?if @1 =~ /tcp-reset$/
|
||||
?set reject_proto 6
|
||||
?else
|
||||
?set reject_proto ''
|
||||
?endif
|
||||
REJECT(@1) - - $reject_proto
|
||||
?else
|
||||
REJECT
|
||||
?endif
|
||||
@@ -1,30 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.A_REJECT!
|
||||
#
|
||||
# A_REJECT! Action.
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
|
||||
###############################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
A_REJECT(@1)
|
||||
@@ -1,35 +1,34 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.A_Reject
|
||||
# Shorewall version 5 - Reject Action
|
||||
#
|
||||
# The audited default REJECT action common rules
|
||||
# /usr/share/shorewall/action.A_Reject
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
# The audited default REJECT action common rules
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
COUNT
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
# For IPv6 connectivity ipv6-icmp broadcasting is required so
|
||||
# AllowICMPs must be before broadcast Drop.
|
||||
#
|
||||
A_AllowICMPs - - icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast(audit)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
A_AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
@@ -1,24 +1,22 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.AutoBL
|
||||
#
|
||||
# Auto Blacklist Action
|
||||
# Shorewall version 5 - Auto Blacklist Action
|
||||
#
|
||||
# Parameters are:
|
||||
#
|
||||
# Event - Name of the event to associate with this blacklist
|
||||
# Interval
|
||||
# Count - Interval and number of Packets to trigger blacklisting
|
||||
# Default is 60 seconds and 5 packets.
|
||||
# Successive - If a matching packet arrives within this many
|
||||
# seconds of the preceding one, it should be logged
|
||||
# and dealt with according to the Disposition and
|
||||
# Log Level parameters below. Default is 2 seconds.
|
||||
# Blacklist time - Number of seconds to blacklist
|
||||
# Default is 300 (5 minutes)
|
||||
# Disposition - Disposition of blacklisted packets
|
||||
# Default is DROP
|
||||
# Log Level - Level to Log Rejects
|
||||
# Default is info (6)
|
||||
# Event - Name of the event to associate with this blacklist
|
||||
# Interval
|
||||
# Count - Interval and number of Packets to trigger blacklisting
|
||||
# Default is 60 seconds and 5 packets.
|
||||
# Successive - If a matching packet arrives within this many
|
||||
# seconds of the preceding one, it should be logged
|
||||
# and dealt with according to the Disposition and
|
||||
# Log Level parameters below. Default is 2 seconds.
|
||||
# Blacklist time - Number of seconds to blacklist
|
||||
# Default is 300 (5 minutes)
|
||||
# Disposition - Disposition of blacklisted packets
|
||||
# Default is DROP
|
||||
# Log Level - Level to Log Rejects
|
||||
# Default is info (6)
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
@@ -39,7 +37,7 @@ validate_level( $level );
|
||||
1;
|
||||
?end perl
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Silently reject the client if blacklisted
|
||||
#
|
||||
|
||||
@@ -1,16 +1,13 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.AutoBLL
|
||||
#
|
||||
# Auto Blacklisting Logger Action
|
||||
# Shorewall version 5 - Auto Blacklisting Logger Action
|
||||
#
|
||||
# Arguments are
|
||||
#
|
||||
# Event - Name of the blacklisted event
|
||||
# Disposition - What to do with packets
|
||||
# Level - Log level and optional tag for logging
|
||||
#
|
||||
# Event: Name of the blacklisted event
|
||||
# Disposition: What to do with packets
|
||||
# Level: Log level and optional tag for logging.
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Log the Reject
|
||||
#
|
||||
|
||||
@@ -1,59 +1,73 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Broadcast
|
||||
# Shorewall 4 - Broadcast Action
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# /usr/share/shorewall/action.Broadcast
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Default action is DROP
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
#
|
||||
###############################################################################
|
||||
# Default action is DROP
|
||||
#
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
?if __ADDRTYPE
|
||||
@1 - - - ;; -m addrtype --dst-type BROADCAST
|
||||
@1 - - - ;; -m addrtype --dst-type MULTICAST
|
||||
@1 - - - ;; -m addrtype --dst-type ANYCAST
|
||||
?else
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid parameter ($audit) to action Broadcast" if supplied $audit && $audit ne 'audit';
|
||||
fatal_error "Invalid parameter ($action) to action Broadcast" unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
|
||||
|
||||
my $chainref = get_action_chain;
|
||||
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
|
||||
}
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
?endif
|
||||
|
||||
@@ -1,34 +1,33 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.DNSAmp
|
||||
# Shorewall 5 - DNS Amplification Action
|
||||
#
|
||||
# DNS Amplification Action
|
||||
# /usr/share/shorewall/action.DNSAmp
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# DNSAmp[([<action>])]
|
||||
# DNSAmp[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
@1 - - udp 53 ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
|
||||
IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
|
||||
|
||||
@@ -1,45 +1,59 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Drop
|
||||
# Shorewall version 5 - Drop Action
|
||||
#
|
||||
# The default DROP common rules
|
||||
# /usr/share/shorewall/action.Drop
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
# The default DROP common rules
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# The action accepts six optional parameters:
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is to do nothing special
|
||||
# with them.
|
||||
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
|
||||
# depending on the first parameter.
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is to do nothing special
|
||||
# with them.
|
||||
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for @2 thru @5, when @1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
|
||||
?else
|
||||
?error The first parameter to Drop must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
|
||||
?endif
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
DEFAULTS -,-,DROP,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
@@ -47,21 +61,18 @@ COUNT
|
||||
#
|
||||
# Special Handling for Auth
|
||||
#
|
||||
?if passed(@2)
|
||||
?if @2 ne '-'
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
# For IPv6 connectivity ipv6-icmp broadcasting is required so
|
||||
# AllowICMPs must be before silent broadcast Drop.
|
||||
#
|
||||
AllowICMPs(@4) - - icmp
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
Broadcast(DROP,@1)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs(@4) - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
@@ -70,7 +81,7 @@ Invalid(DROP,@1)
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(@3)
|
||||
DropUPnP(@6)
|
||||
DropUPnP(@5)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.DropSmurfs
|
||||
# Shorewall version 5 - Drop Smurfs Action
|
||||
#
|
||||
# Drop Smurfs Action
|
||||
# /usr/share/shorewall/action.DropSmurfs
|
||||
#
|
||||
# Accepts a single optional parameter:
|
||||
# Accepts a single optional parameter:
|
||||
#
|
||||
# - = Do not Audit
|
||||
# audit = Audit dropped packets.
|
||||
# - = Do not Audit
|
||||
# audit = Audit dropped packets.
|
||||
#
|
||||
###############################################################################
|
||||
#################################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
@@ -79,3 +79,8 @@ if ( $family == F_IPV4 ) {
|
||||
}
|
||||
|
||||
?end perl;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,35 +1,48 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Established
|
||||
# Shorewall 5 - Established Action
|
||||
#
|
||||
# Established Action
|
||||
# /usr/share/shorewall/action.Established
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Established[([<action>])]
|
||||
# Established[([<action>])]
|
||||
#
|
||||
# Default action is ACCEPT
|
||||
# Default action is ACCEPT
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'ESTABLISHED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,25 +1,33 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.GlusterFS
|
||||
# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
|
||||
#
|
||||
# GlusterFS Handler for GlusterFS 3.4 and Later
|
||||
# /etc/shorewall/action.GlusterFS
|
||||
#
|
||||
# Parameters:
|
||||
# Bricks: Number of bricks
|
||||
# IB: 0 or 1, indicating whether Infiniband is used or not
|
||||
#
|
||||
# Bricks - Number of bricks
|
||||
# IB - 0 or 1, indicating whether Infiniband is used or not
|
||||
#
|
||||
###############################################################################
|
||||
#########################################################################################
|
||||
|
||||
DEFAULTS 2,0
|
||||
|
||||
?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
|
||||
?error Invalid value for Bricks (@1)
|
||||
?elsif @2 !~ /^[01]$/
|
||||
?error Invalid value for IB (@2)
|
||||
?endif
|
||||
?begin perl
|
||||
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
use Shorewall::Config qw(:DEFAULT :internal);
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
use strict;
|
||||
|
||||
my ( $bricks, $ib ) = get_action_params( 2 );
|
||||
|
||||
fatal_error "Invalid value for Bricks ( $bricks )" unless $bricks =~ /^\d+$/ && $bricks > 1 && $bricks < 1024;
|
||||
fatal_error "Invalid value for IB ( $ib )" unless $ib =~ /^[01]$/;
|
||||
|
||||
?end perl
|
||||
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT - - udp 111,2049
|
||||
ACCEPT - - tcp 38465:38467
|
||||
|
||||
@@ -32,3 +40,4 @@ ACCEPT - - tcp 24007
|
||||
?set last_port 49150 + @{1}
|
||||
|
||||
ACCEPT - - tcp 49151:$last_port
|
||||
|
||||
|
||||
@@ -1,38 +1,34 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.IfEvent
|
||||
# Shorewall version 5 - Perform an Action based on a Event
|
||||
#
|
||||
# Perform an Action based on a Event
|
||||
# /etc/shorewall/action.IfEvent
|
||||
#
|
||||
# Parameters:
|
||||
# Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
|
||||
# Action: Anything that can appear in the ACTION column of a rule.
|
||||
# Duration: Duration in seconds over which the event is to be tested.
|
||||
# Hit Count: Number of packets seen within the duration -- default is 1
|
||||
# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
|
||||
# address (src) or destination address (dst)
|
||||
# Command: 'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
|
||||
# the Action is taken. If 'update', the timestamp associated with the event will
|
||||
# be updated and the action taken if the time limit/hitcount are matched.
|
||||
# If '-', the action will be taken if the limit/hitcount are matched but the
|
||||
# event's timestamp will not be updated.
|
||||
#
|
||||
# Event - Must start with a letter and be composed of letters, digits,
|
||||
# '-', and '_'.
|
||||
# Action - Anything that can appear in the ACTION column of a rule.
|
||||
# Duration - Duration in seconds over which the event is to be tested.
|
||||
# Hit Count - Number of packets seen within the duration -- default is 1
|
||||
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
|
||||
# associated with the source address (src) or destination
|
||||
# address (dst)
|
||||
# Command - 'check' (default) 'reset', or 'update'. If 'reset',
|
||||
# the event will be reset before the Action is taken.
|
||||
# If 'update', the timestamp associated with the event will
|
||||
# be updated and the action taken if the time limit/hitcount
|
||||
# are matched.
|
||||
# If '-', the action will be taken if the limit/hitcount are
|
||||
# matched but the event's timestamp will not be updated.
|
||||
#
|
||||
# If a duration is specified, then 'checkreap' and 'updatereap'
|
||||
# may also be used. These are like 'check' and 'update'
|
||||
# respectively, but they also remove any event entries for
|
||||
# the IP address that are older than <duration> seconds.
|
||||
# Disposition - Disposition for any event generated.
|
||||
# If a duration is specified, then 'checkreap' and 'updatereap' may also
|
||||
# be used. These are like 'check' and 'update' respectively, but they also
|
||||
# remove any event entries for the IP address that are older than <duration>
|
||||
# seconds.
|
||||
# Disposition: Disposition for any event generated.
|
||||
#
|
||||
# For additional information, see http://www.shorewall.net/Events.html
|
||||
#
|
||||
###############################################################################
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
DEFAULTS -,ACCEPT,-,1,src,check,-
|
||||
|
||||
|
||||
@@ -1,35 +1,53 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Invalid
|
||||
# Shorewall 4 - Invalid Action
|
||||
#
|
||||
# Invalid Action
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# /usr/share/shorewall/action.Invalid
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# Invalid[([<action>])]
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Default action is DROP
|
||||
# Invalid[([<action>])]
|
||||
#
|
||||
###############################################################################
|
||||
# Default action is DROP
|
||||
#
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
#
|
||||
# All logic for this action is triggered by the 'audit' and 'state' options
|
||||
# in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
if ( my $check = check_state( 'INVALID' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,35 +1,48 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.New
|
||||
# Shorewall 4 - New Action
|
||||
#
|
||||
# New Action
|
||||
# /usr/share/shorewall/action.New
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# New[([<action>])]
|
||||
# Untracked[([<action>])]
|
||||
#
|
||||
# Default action is ACCEPT
|
||||
# Default action is ACCEPT
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'NEW' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,33 +1,52 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.NotSyn
|
||||
# Shorewall 4 - NotSyn Action
|
||||
#
|
||||
# NotSyn Action
|
||||
# /usr/share/shorewall/action.NotSyn
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# NotSyn[([<action>])]
|
||||
# NotSyn[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
@1 - - ;;+ -p 6 ! --syn
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 ! --syn' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,33 +1,50 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.RST
|
||||
# Shorewall 4 - RST Action
|
||||
#
|
||||
# RST Action
|
||||
# /usr/share/shorewall/action.RST
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# RST[([<action>])]
|
||||
# RST[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
@1 - - ;;+ -p 6 --tcp-flags RST RST
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action, $audit ) = get_action_params( 2 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
|
||||
$action = "A_$action";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,44 +1,58 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Reject
|
||||
# Shorewall version 5 - Reject Action
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
# /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# The action accepts six optional parameters:
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is to do nothing
|
||||
# special with them.
|
||||
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
|
||||
# depending on the first parameter.
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is to do nothing
|
||||
# special with them.
|
||||
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for @2 thru @5, when @1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
|
||||
?else
|
||||
?error The first parameter to Reject must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
|
||||
?endif
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
#ACTION SOURCE DEST PROTO
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
DEFAULTS -,-,REJECT,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
@@ -46,22 +60,19 @@ COUNT
|
||||
#
|
||||
# Special handling for Auth
|
||||
#
|
||||
?if passed(@2)
|
||||
?if @2 ne '-'
|
||||
Auth(@2)
|
||||
?endif
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
# For IPv6 connectivity ipv6-icmp broadcasting is required so
|
||||
# AllowICMPs must be before silent broadcast Drop.
|
||||
#
|
||||
AllowICMPs(@4) - - icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
Broadcast(DROP,@1)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs(@4) - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
@@ -71,7 +82,7 @@ Invalid(DROP,@1)
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(@3)
|
||||
DropUPnP(@6)
|
||||
DropUPnP(@5)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
|
||||
@@ -1,35 +1,49 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.Related
|
||||
# Shorewall 4 - Related Action
|
||||
#
|
||||
# Related Action
|
||||
# /usr/share/shorewall/action.Related
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Related[([<action>])]
|
||||
# Related[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'RELATED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,24 +1,22 @@
|
||||
#
|
||||
# Shorewall -- /etc/shorewall/action.ResetEvent
|
||||
# Shorewall version 5 - Reset an Event
|
||||
#
|
||||
# Reset an Event
|
||||
# /etc/shorewall/action.ResetEvent
|
||||
#
|
||||
# Parameters:
|
||||
#
|
||||
# Event - Must start with a letter and be composed of letters, digits,
|
||||
# '-', and '_'.
|
||||
# Action - Action to perform after setting the event. Default is ACCEPT
|
||||
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
|
||||
# associated with the source address (src) or destination
|
||||
# address (dst)
|
||||
# Disposition - Disposition for any rule generated.
|
||||
# Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
|
||||
# Action: Action to perform after setting the event. Default is ACCEPT
|
||||
# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
|
||||
# address (src) or destination address (dst)
|
||||
# Disposition: Disposition for any rule generated.
|
||||
#
|
||||
# For additional information, see http://www.shorewall.net/Events.html
|
||||
#
|
||||
###############################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
#################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
DEFAULTS -,ACCEPT,src,-
|
||||
|
||||
|
||||
@@ -1,20 +1,22 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.SetEvent
|
||||
# Shorewall version 5 - Set an Event
|
||||
#
|
||||
# Set an Event
|
||||
# /etc/shorewall/action.SetEvent
|
||||
#
|
||||
# Parameters:
|
||||
#
|
||||
# Event - Must start with a letter and be composed of letters, digits,
|
||||
# '-', and '_'.
|
||||
# Action - Action to perform after setting the event. Default is ACCEPT
|
||||
# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
|
||||
# associated with the source address (src) or destination
|
||||
# address (dst)
|
||||
# Disposition - Disposition for any event generated.
|
||||
# Event: Must start with a letter and be composed of letters, digits, '-', and '_'.
|
||||
# Action: Action to perform after setting the event. Default is ACCEPT
|
||||
# Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
|
||||
# address (src) or destination address (dst)
|
||||
# Disposition: Disposition for any event generated.
|
||||
#
|
||||
# For additional information, see http://www.shorewall.net/Events.html
|
||||
#
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
#################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
DEFAULTS -,ACCEPT,src
|
||||
|
||||
|
||||
@@ -1,29 +1,41 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.TCPFlags
|
||||
# Shorewall version 5 - Drop TCPFlags Action
|
||||
#
|
||||
# Drop TCPFlags Action
|
||||
# /usr/share/shorewall/action.TCPFlags
|
||||
#
|
||||
# Accepts a single optional parameter:
|
||||
# Accepts a single optional parameter:
|
||||
#
|
||||
# - = Do not Audit
|
||||
# audit = Audit dropped packets.
|
||||
# - = Do not Audit
|
||||
# audit = Audit dropped packets.
|
||||
#
|
||||
###############################################################################
|
||||
#################################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
?set tcpflags_action 'A_DROP'
|
||||
?else
|
||||
?error The parameter to TCPFlags must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
?set tcpflags_action 'DROP'
|
||||
?endif
|
||||
?begin perl;
|
||||
use strict;
|
||||
use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'DROP';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
|
||||
$action = "A_DROP";
|
||||
}
|
||||
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
|
||||
perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
|
||||
|
||||
?end perl;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags ALL NONE
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,RST SYN,RST
|
||||
$tcpflags_action - - ;;+ -p 6 --tcp-flags SYN,FIN SYN,FIN
|
||||
$tcpflags_action - - ;;+ -p tcp --syn --sport 0
|
||||
|
||||
@@ -1,35 +1,47 @@
|
||||
#
|
||||
# Shorewall --/usr/share/shorewall/action.Untracked
|
||||
# Shorewall 4 - Untracked Action
|
||||
#
|
||||
# Untracked Action
|
||||
# /usr/share/shorewall/action.Untracked
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Untracked[([<action>])]
|
||||
# Untracked[([<action>])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
|
||||
##########################################################################################
|
||||
DEFAULTS DROP
|
||||
|
||||
#
|
||||
# All logic for this action is supplied by the 'state' option in actions.std
|
||||
#
|
||||
?begin perl;
|
||||
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my ( $action ) = get_action_params( 1 );
|
||||
|
||||
if ( my $check = check_state( 'UNTRACKED' ) ) {
|
||||
perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,37 +1,52 @@
|
||||
\#
|
||||
# Shorewall 4 - allowInvalid Action
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.allowInvalid
|
||||
# /usr/share/shorewall/action.allowInvalid
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# allowInvalid[([audit])]
|
||||
# allowInvalid[([audit])]
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_ACCEPT)
|
||||
?else
|
||||
?error The first parameter to allowInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(ACCEPT)
|
||||
?endif
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'ACCEPT';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
|
||||
$action = "A_ACCEPT";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,39 +1,52 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.dropInvalid
|
||||
# Shorewall 5 - dropInvalid Action
|
||||
#
|
||||
# dropInvalid Action
|
||||
# /usr/share/shorewall/action.dropInvalid
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# dropInvalid[([audit])]
|
||||
# dropInvalid[([audit])]
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS -
|
||||
|
||||
?if passed(@1)
|
||||
?if @1 eq 'audit'
|
||||
Invalid(A_DROP)
|
||||
?else
|
||||
?error The first parameter to dropInvalid must be 'audit' or '-'
|
||||
?endif
|
||||
?else
|
||||
Invalid(DROP)
|
||||
?endif
|
||||
?begin perl;
|
||||
|
||||
use strict;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Chains;
|
||||
use Shorewall::Rules;
|
||||
|
||||
my $action = 'DROP';
|
||||
|
||||
my ( $audit ) = get_action_params( 1 );
|
||||
|
||||
if ( supplied $audit ) {
|
||||
fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
|
||||
$action = "A_DROP";
|
||||
}
|
||||
|
||||
perl_action_helper( "Invalid($action)", '' );
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
#
|
||||
# Shorewall -- /etc/shorewall/action.mangletemplate
|
||||
#
|
||||
# Mangle Action Template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined with the mangle option in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall/actions with the mangle option
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall/mangle.
|
||||
#
|
||||
####################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
|
||||
@@ -1,20 +1,20 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/action.template
|
||||
# Shorewall version 5 - Action Template
|
||||
#
|
||||
# Action Template
|
||||
# /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined in /etc/shorewall/actions.
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall/actions
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
# 1. Add the <action name> to /etc/shorewall/actions
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall/rules.
|
||||
#
|
||||
|
||||
@@ -8,45 +8,43 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
?if 0
|
||||
A_ACCEPT # Audits then accepts a connection request
|
||||
A_DROP # Audits then drops a connection request
|
||||
allowBcast # Silently Allow Broadcast/multicast
|
||||
dropBcast # Silently Drop Broadcast/multicast
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
||||
Limit # Limit the rate of connections from each individual IP address
|
||||
?endif
|
||||
# A_ACCEPT # Audits then accepts a connection request
|
||||
# A_DROP # Audits then drops a connection request
|
||||
# A_REJECT # Audits then drops a connection request
|
||||
# allowBcast # Silently Allow Broadcast/multicast
|
||||
# dropBcast # Silently Drop Broadcast/multicast
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
# allowoutUPnP # Allow traffic from local command 'upnpd' (does not
|
||||
# # work with kernel 2.6.14 and later).
|
||||
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP # Allow traffic that upnpd has redirected from
|
||||
# # 'upnp' interfaces.
|
||||
# Limit # Limit the rate of connections from each individual
|
||||
# # IP address
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
A_REJECT noinline,logjump # Audits then rejects a connection request
|
||||
A_REJECT! inline # Audits then rejects a connection request
|
||||
A_Reject # Audited Default action for REJECT policy
|
||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||
AutoBLL noinline # Helper for AutoBL
|
||||
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
||||
Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
DNSAmp # Matches one-question recursive DNS queries
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Drop smurf packets
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED #
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
GlusterFS inline # Handles GlusterFS
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID #
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED #
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline,audit # Handle packets with RST set
|
||||
RST inline # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handle bad flag combinations.
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED #
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
|
||||
@@ -194,8 +194,6 @@ MAPOLDACTIONS=No
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
MINIUPNPD=No
|
||||
|
||||
MODULE_SUFFIX=ko
|
||||
|
||||
MULTICAST=No
|
||||
|
||||
@@ -419,13 +419,11 @@ mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
|
||||
mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
|
||||
mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
|
||||
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
|
||||
mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
|
||||
mkdir -p ${DESTDIR}${VARDIR}
|
||||
|
||||
chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
|
||||
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
|
||||
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
|
||||
chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated
|
||||
|
||||
if [ -n "$DESTDIR" ]; then
|
||||
mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
|
||||
@@ -1062,31 +1060,15 @@ fi
|
||||
# Install the Action files
|
||||
#
|
||||
for f in action.* ; do
|
||||
case $f in
|
||||
*.deprecated)
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
|
||||
echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
|
||||
;;
|
||||
*)
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
|
||||
echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
|
||||
;;
|
||||
esac
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
|
||||
echo "Action ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
|
||||
done
|
||||
|
||||
cd Macros
|
||||
|
||||
for f in macro.* ; do
|
||||
case $f in
|
||||
*.deprecated)
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*} 0644
|
||||
echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/deprecated/${f%.*}"
|
||||
;;
|
||||
*)
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
|
||||
echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
|
||||
;;
|
||||
esac
|
||||
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
|
||||
echo "Macro ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
|
||||
done
|
||||
|
||||
cd ..
|
||||
|
||||
@@ -333,38 +333,6 @@ get_config() {
|
||||
g_pager="| $g_pager"
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
|
||||
[ -f $lib ] && . $lib
|
||||
@@ -435,7 +403,7 @@ compiler() {
|
||||
get_config Yes
|
||||
|
||||
case $COMMAND in
|
||||
*start|try|refresh|reload|restart|safe-*)
|
||||
*start|try|refresh)
|
||||
;;
|
||||
*)
|
||||
STARTUP_LOG=
|
||||
@@ -502,15 +470,11 @@ compiler() {
|
||||
[ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
|
||||
;;
|
||||
esac
|
||||
#
|
||||
# Only use the pager if 'trace' or -r was specified and -d was not
|
||||
#
|
||||
[ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=
|
||||
|
||||
if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
|
||||
eval $PERL $debugflags $pc $options $@ $g_pager
|
||||
$PERL $debugflags $pc $options $@
|
||||
else
|
||||
eval PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@ $g_pager
|
||||
PERL5LIB=${PERLLIBDIR} $PERL $debugflags $pc $options $@
|
||||
fi
|
||||
|
||||
status=$?
|
||||
@@ -530,6 +494,7 @@ compiler() {
|
||||
start_command() {
|
||||
local finished
|
||||
finished=0
|
||||
local object
|
||||
local rc
|
||||
rc=0
|
||||
|
||||
@@ -548,7 +513,7 @@ start_command() {
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
else
|
||||
rc=$?
|
||||
mylogger kern.err "ERROR:$g_product start failed"
|
||||
logger -p kern.err "ERROR:$g_product start failed"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -639,7 +604,7 @@ start_command() {
|
||||
esac
|
||||
|
||||
if [ -n "${g_fast}${AUTOMAKE}" ]; then
|
||||
if ! uptodate ${VARDIR}/firewall; then
|
||||
if ! uptodate ${VARDIR}/$object; then
|
||||
g_fast=
|
||||
AUTOMAKE=
|
||||
fi
|
||||
@@ -1028,7 +993,7 @@ restart_command() {
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
else
|
||||
rc=$?
|
||||
mylogger kern.err "ERROR:$g_product ${COMMAND} failed"
|
||||
logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
|
||||
fi
|
||||
else
|
||||
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
|
||||
|
||||
@@ -53,19 +53,7 @@
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>builtin</option></term>
|
||||
<term>builtin</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. Defines the action as a rule
|
||||
@@ -98,7 +86,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>inline</option></term>
|
||||
<term>inline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -114,9 +102,9 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>DropSmurfs</member>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
@@ -131,31 +119,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>logjump</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. Performs the same function as
|
||||
<option>nolog</option> (below), with the addition that the
|
||||
jump to the actions chain is logged if a log level is
|
||||
specified on the action invocation. For inline actions, this
|
||||
option is identical to <option>nolog</option>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
to be used in <ulink
|
||||
url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
|
||||
than <ulink
|
||||
url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>noinline</option></term>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -164,7 +128,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>nolog</option></term>
|
||||
<term>nolog</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -178,16 +142,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
<term>terminating</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -488,15 +488,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nodbl</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nosmurfs</emphasis></term>
|
||||
|
||||
|
||||
@@ -68,9 +68,8 @@
|
||||
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>chain-designator </replaceable>indicates the
|
||||
Netfilter chain that the entry applies to and may be one of the
|
||||
following:</para>
|
||||
<para>The chain-specifier indicates the Netfilter chain that the
|
||||
entry applies to and may be one of the following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@@ -112,14 +111,10 @@
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and
|
||||
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A <replaceable>chain-designator</replaceable> may not be
|
||||
specified if the SOURCE or DEST columns begin with '$FW'. When the
|
||||
SOURCE is $FW, the generated rule is always placed in the OUTPUT
|
||||
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
|
||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||
be specified in an action body unless the action is declared as
|
||||
<option>inline</option> in <ulink
|
||||
url="shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
is always placed in the OUTPUT chain. If DEST is '$FW', then the
|
||||
rule is placed in the INPUT chain.</para>
|
||||
|
||||
<para>Where a command takes parameters, those parameters are
|
||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||
@@ -128,21 +123,6 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7.
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions(5)</ulink>.
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
@@ -390,7 +370,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
<para>Allows you to place your own ip[6]tables matches at the
|
||||
end of the line following a semicolon (";"). If an
|
||||
<replaceable>action</replaceable> is specified, the compiler
|
||||
proceeds as if that <replaceable>action</replaceable> had been
|
||||
procedes as if that <replaceable>action</replaceable> had been
|
||||
specified in this column. If no action is specified, then you
|
||||
may include your own jump ("-j
|
||||
<replaceable>target</replaceable>
|
||||
@@ -740,6 +720,33 @@ Normal-Service => 0x00</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<orderedlist numeration="arabic">
|
||||
<listitem>
|
||||
<para><emphasis role="bold">TTL</emphasis>([<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
|
||||
|
||||
<para>Added in Shorewall 4.4.24.</para>
|
||||
|
||||
<para>Prior to Shorewall 4.5.7.2, may be optionally followed by
|
||||
<emphasis role="bold">:F</emphasis> but the resulting rule is
|
||||
always added to the FORWARD chain. Beginning with Shorewall
|
||||
4.5.7.s, it may be optionally followed by <emphasis
|
||||
role="bold">:P</emphasis>, in which case the rule is added to
|
||||
the PREROUTING chain.</para>
|
||||
|
||||
<para>If <emphasis role="bold">+</emphasis> is included, packets
|
||||
matching the rule will have their TTL incremented by
|
||||
<replaceable>number</replaceable>. Similarly, if <emphasis
|
||||
role="bold">-</emphasis> is included, matching packets have
|
||||
their TTL decremented by <replaceable>number</replaceable>. If
|
||||
neither <emphasis role="bold">+</emphasis> nor <emphasis
|
||||
role="bold">-</emphasis> is given, the TTL of matching packets
|
||||
is set to <replaceable>number</replaceable>. The valid range of
|
||||
values for <replaceable>number</replaceable> is 1-255.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -328,18 +328,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -558,35 +546,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
@@ -672,37 +631,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
|
||||
<term><emphasis role="bold">REJECT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>disallow the request and return an icmp-unreachable or
|
||||
an RST packet. If no option is passed, Shorewall selects the
|
||||
appropriate option based on the protocol of the packet.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.8, the type of reject may
|
||||
be specified in the <replaceable>option</replaceable>
|
||||
paramater. Valid <replaceable>option</replaceable> values
|
||||
are:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><option>icmp-net-unreachable</option></member>
|
||||
|
||||
<member><option>icmp-host-unreachable</option></member>
|
||||
|
||||
<member><option>i</option><option>cmp-port-unreachable</option></member>
|
||||
|
||||
<member><option>icmp-proto-unreachable</option></member>
|
||||
|
||||
<member><option>icmp-net-prohibited</option></member>
|
||||
|
||||
<member><option>icmp-host-prohibited</option></member>
|
||||
|
||||
<member><option>icmp-admin-prohibited</option></member>
|
||||
|
||||
<member><option>icmp-tcp-reset</option> (the PROTO column
|
||||
must specify TCP)</member>
|
||||
</simplelist>
|
||||
an RST packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1467,7 +1400,7 @@
|
||||
<para>When <option>s:</option> or <option>d:</option> is specified,
|
||||
the rate applies per source IP address or per destination IP address
|
||||
respectively. The <replaceable>name</replaceable>s may be chosen by
|
||||
the user and specify a hash table to be used to count matching
|
||||
the user and specifiy a hash table to be used to count matching
|
||||
connections. If not given, the name <emphasis
|
||||
role="bold">shorewallN</emphasis> (where N is a unique integer) is
|
||||
assumed. Where more than one rule or POLICY specifies the same name,
|
||||
|
||||
@@ -156,23 +156,20 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> -
|
||||
{-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
|
||||
{-|<emphasis>value</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
|
||||
file, marking the traffic you want to fit in the classes defined in
|
||||
here. You can use the same marks for different interfaces.</para>
|
||||
here. Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink
|
||||
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
|
||||
and you are running Shorewall 4.5.5 or earlier.</para>
|
||||
|
||||
<para>The <replaceable>priority</replaceable>, if specified, is an
|
||||
integer in the range 1-65535 and determines the relative order in
|
||||
which the tc mark classification filter for this class is to be
|
||||
applied to packets being sent on the
|
||||
<replaceable>interface</replaceable>. Filters are applied in
|
||||
ascending numerical order. If not supplied, the value is derived
|
||||
from the class priority (PRIORITY column value below):
|
||||
(<replaceable>class priority</replaceable> << 8) | 20.</para>
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -296,7 +293,7 @@
|
||||
<para>This is the default class for that interface where all
|
||||
traffic should go, that is not classified otherwise.</para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<note>
|
||||
<para>You must define <emphasis
|
||||
@@ -323,7 +320,7 @@
|
||||
priority determines the order in which filter rules are
|
||||
processed during packet classification. If not specified, the
|
||||
value (<replaceable>class priority</replaceable> << 8) |
|
||||
15) is used.</para>
|
||||
10) is used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -342,7 +339,7 @@
|
||||
(":") and a <replaceable>priority</replaceable>. This priority
|
||||
determines the order in which filter rules are processed
|
||||
during packet classification. If not specified, the value
|
||||
(<replaceable>class priority</replaceable> << 8) | 15)
|
||||
(<replaceable>class priority</replaceable> << 8) | 10)
|
||||
is used.</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> 0x10/0x10
|
||||
@@ -375,7 +372,7 @@
|
||||
(":") and a <replaceable>priority</replaceable>. This priority
|
||||
determines the order in which filter rules are processed
|
||||
during packet classification. If not specified, the value
|
||||
(<replaceable>class priority</replaceable> << 8) | 10)
|
||||
(<replaceable>class priority</replaceable> << 8) | 20)
|
||||
is used.</para>
|
||||
|
||||
<note>
|
||||
|
||||
@@ -761,38 +761,15 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
chain-based dynamic blacklisting using the <command>shorewall6
|
||||
drop</command>, <command>shorewall6 reject</command>,
|
||||
<command>shorewall6 logdrop</command> and <command>shorewall6
|
||||
logreject</command> is disabled. Default is <emphasis
|
||||
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
|
||||
ipset-based dynamic blacklisting is also supported. The name of the
|
||||
set (<replaceable>setname</replaceable>) and the level
|
||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||
traffic is to be logged may also be specified. The default set name
|
||||
is SW_DBL4 and the default log level is <option>none</option> (no
|
||||
logging). if <option>ipset-only</option> is given, then chain-based
|
||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||
had been specified. Normally, only packets whose source address
|
||||
matches an entry in the ipsec are dropped. If
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
<command>stop</command>/<command>reboot</command>/<command>start</command>
|
||||
sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
|
||||
<replaceable>setname</replaceable> is included in the list of sets
|
||||
to be saved in SAVE_IPSETS.</para>
|
||||
dynamic blacklisting using the <command>shorewall drop</command>,
|
||||
<command>shorewall reject</command>, <command>shorewall
|
||||
logdrop</command> and <command>shorewall logreject</command> is
|
||||
disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -847,8 +824,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
packets until these packets reach the chain in which the original
|
||||
connection was accepted. So for packets going from the 'loc' zone to
|
||||
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
|
||||
'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
|
||||
(see below).</para>
|
||||
'loc2net' chain.</para>
|
||||
|
||||
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
|
||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||
@@ -1022,7 +998,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
iptables text in a rule. You may simply preface that text with a
|
||||
pair of semicolons (";;"). If alternate input is also specified in
|
||||
the rule, it should appear before the semicolons and may be
|
||||
separated from normal column input by a single semicolon.</para>
|
||||
seperated from normal column input by a single semicolon.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1572,18 +1548,6 @@ LOG:info:,bar net fw</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
|
||||
a chain in the nat table named MINIUPNPD-POSTROUTING and will add
|
||||
jumps from POSTROUTING to that chain for each interface with the
|
||||
<option>upnpd</option> option specified. Default is No.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
|
||||
@@ -1672,7 +1636,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
|
||||
role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -1683,10 +1647,6 @@ LOG:info:,bar net fw</programlisting>
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '4'.</para>
|
||||
|
||||
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and
|
||||
causes the listed pathnames to be appended to the default list
|
||||
above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2504,11 +2464,9 @@ INLINE - - - ; -j REJECT
|
||||
<para>If specified, determines where Shorewall will log the details
|
||||
of each <emphasis role="bold">start</emphasis>, <emphasis
|
||||
role="bold">reload</emphasis>, <emphasis
|
||||
role="bold">restart</emphasis>, <emphasis
|
||||
role="bold">refresh</emphasis>, <emphasis
|
||||
role="bold">try</emphasis>, and <emphasis
|
||||
role="bold">safe-</emphasis>* command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above. </para>
|
||||
role="bold">restart</emphasis> and <emphasis
|
||||
role="bold">refresh</emphasis> command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@@ -49,19 +49,6 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@@ -968,25 +955,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis>
|
||||
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
|
||||
... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8 and requires
|
||||
DYNAMIC_BLACKLIST=ipset.. in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
|
||||
Causes packets from the given host or network
|
||||
<replaceable>address</replaceable> to be dropped, based on the
|
||||
setting of BLACKLIST in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
|
||||
<replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">call <replaceable>function</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</emphasis></term>
|
||||
@@ -2625,34 +2593,6 @@
|
||||
started.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>ENVIRONMENT</title>
|
||||
|
||||
<para>Two environmental variables are recognized by Shorewall:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>SHOREWALL_INIT_SCRIPT</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to 1, causes Std out to be redirected to the file
|
||||
specified in the STARTUP_LOG option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SW_LOGGERTAG</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
|
||||
value is passed to the logger utility in its -t (--tag)
|
||||
option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/modules.essential
|
||||
# Shorewall version 5 - Essential Modules File
|
||||
#
|
||||
# Essential Modules File
|
||||
# /usr/share/shorewall/modules.essential
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/modules.extensions
|
||||
# Shorewall version 5 - Extensions Modules File
|
||||
#
|
||||
# Extensions Modules File
|
||||
# /usr/share/shorewall/modules.extensions
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule ipt_addrtype
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/modules.ipset
|
||||
# Shorewall version 5 - IP Set Modules File
|
||||
#
|
||||
# IP Set Modules File
|
||||
# /usr/share/shorewall/modules.ipset
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule xt_set
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/modules.tc
|
||||
# Shorewall version 5 - Traffic Shaping Modules File
|
||||
#
|
||||
# Traffic Shaping Modules File
|
||||
# /usr/share/shorewall/modules.tc
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule sch_sfq
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall/modules.xtables
|
||||
# Shorewall version 5 - Xtables Modules File
|
||||
#
|
||||
# Xtables Modules File
|
||||
# /usr/share/shorewall/modules.xtables
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule xt_AUDIT
|
||||
|
||||
1
Shorewall6-lite/README.txt
Normal file
1
Shorewall6-lite/README.txt
Normal file
@@ -0,0 +1 @@
|
||||
This is the Shorewall6-lite stable 4.4 branch of Git.
|
||||
@@ -47,19 +47,6 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6-lite</command>
|
||||
|
||||
@@ -683,25 +670,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis>
|
||||
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
|
||||
... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8 and requires
|
||||
DYNAMIC_BLACKLIST=ipset.. in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
Causes packets from the given host or network
|
||||
<replaceable>address</replaceable> to be dropped, based on the
|
||||
setting of BLACKLIST in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
The <replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">call <replaceable>function</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</emphasis></term>
|
||||
@@ -1547,35 +1515,6 @@
|
||||
started.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>ENVIRONMENT</title>
|
||||
|
||||
<para>Two environmental variables are recognized by
|
||||
Shorewall6-lite:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>SHOREWALL_INIT_SCRIPT</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to 1, causes Std out to be redirected to the file
|
||||
specified in the STARTUP_LOG option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SW_LOGGERTAG</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
|
||||
value is passed to the logger utility in its -t (--tag)
|
||||
option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
|
||||
1
Shorewall6/README.txt
Normal file
1
Shorewall6/README.txt
Normal file
@@ -0,0 +1 @@
|
||||
This is the Shorewall6 stable 4.4 branch of Git.
|
||||
@@ -1,11 +1,13 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
|
||||
# Shorewall6 version 5 - Audited AllowICMPs Action
|
||||
#
|
||||
# This action A_ACCEPTs needed ICMP types
|
||||
# /usr/share/shorewall6/action.A_AllowICMPs
|
||||
#
|
||||
# This action A_ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
|
||||
#TARGET SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
?comment Needed ICMP types (RFC4890)
|
||||
|
||||
A_ACCEPT - - ipv6-icmp destination-unreachable
|
||||
|
||||
52
Shorewall6/action.A_Drop
Normal file
52
Shorewall6/action.A_Drop
Normal file
@@ -0,0 +1,52 @@
|
||||
#
|
||||
# Shorewall6 version 5 - Audited Drop Action
|
||||
#
|
||||
# /usr/share/shorewall6/action.ADrop
|
||||
#
|
||||
# The Audited default DROP common rules
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is
|
||||
# DROP. Otherwise, you may experience problems establishing
|
||||
# connections with servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
Auth(A_REJECT)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
A_AllowICMPs - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast(audit)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid(audit)
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(A_DROP)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn(audit) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
A_DropDNSrep
|
||||
50
Shorewall6/action.A_Reject
Normal file
50
Shorewall6/action.A_Reject
Normal file
@@ -0,0 +1,50 @@
|
||||
#
|
||||
# Shorewall6 version 5 - Audited Reject Action
|
||||
#
|
||||
# /usr/share/shorewall6/action.A_Reject
|
||||
#
|
||||
# The audited default REJECT action common rules
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
Auth(A_REJECT)
|
||||
#
|
||||
# Drop Multicasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
A_AllowICMPs - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast(audit)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
#
|
||||
dropInvalid(audit)
|
||||
#
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(A_REJECT)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn(audit) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
A_DropDNSrep
|
||||
@@ -1,10 +1,13 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
|
||||
# Shorewall6 version 5 - AllowICMPs Action
|
||||
#
|
||||
# This action ACCEPTs needed ICMP types
|
||||
# /usr/share/shorewall6/action.AllowICMPs
|
||||
#
|
||||
# This action ACCEPTs needed ICMP types
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
#TARGET SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
|
||||
DEFAULTS ACCEPT
|
||||
|
||||
|
||||
@@ -1,32 +1,32 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
|
||||
# Shorewall 4 - Multicast/Anycast Action
|
||||
#
|
||||
# Multicast/Anycast IPv6 Action
|
||||
# /usr/share/shorewall/action.Broadcast
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
# Broadcast[([<action>|-[,{audit|-}])]
|
||||
#
|
||||
# Default action is DROP
|
||||
# Default action is DROP
|
||||
#
|
||||
###############################################################################
|
||||
##########################################################################################
|
||||
|
||||
DEFAULTS DROP,-
|
||||
|
||||
|
||||
91
Shorewall6/action.Drop
Normal file
91
Shorewall6/action.Drop
Normal file
@@ -0,0 +1,91 @@
|
||||
#
|
||||
# Shorewall6 version 5 - Drop Action
|
||||
#
|
||||
# /usr/share/shorewall6/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is
|
||||
# DROP. Otherwise, you may experience problems establishing
|
||||
# connections with servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_DROP') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
DEFAULTS -,REJECT,DROP,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
Auth($2)
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs($4) - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
Broadcast(DROP,$1)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
Invalid(DROP,$1)
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB($3)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
NotSyn(DROP,$1) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep($5)
|
||||
89
Shorewall6/action.Reject
Normal file
89
Shorewall6/action.Reject
Normal file
@@ -0,0 +1,89 @@
|
||||
#
|
||||
# Shorewall6 version 5 - Reject Action
|
||||
#
|
||||
# /usr/share/shorewall6/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# The action accepts five optional parameters:
|
||||
#
|
||||
# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
|
||||
# actions.
|
||||
# 2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
|
||||
# depending on the setting of the first parameter.
|
||||
# 4 - Action to take with required ICMP packets. Default is ACCEPT or
|
||||
# A_ACCEPT depending on the first parameter.
|
||||
# 5 - Action to take with late UDP replies (UDP source port 53). Default
|
||||
# is DROP or A_DROP depending on the first parameter.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#
|
||||
# The following magic provides different defaults for $2 thru $5, when $1 is
|
||||
# 'audit'.
|
||||
#
|
||||
?begin perl;
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
|
||||
|
||||
if ( defined $p1 ) {
|
||||
if ( $p1 eq 'audit' ) {
|
||||
set_action_param( 2, 'A_REJECT') unless supplied $p2;
|
||||
set_action_param( 3, 'A_REJECT') unless supplied $p3;
|
||||
set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
|
||||
set_action_param( 5, 'A_DROP' ) unless supplied $p5;
|
||||
} else {
|
||||
fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
?end perl;
|
||||
|
||||
DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
|
||||
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
Auth($2)
|
||||
#
|
||||
# Drop Multicasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
AllowICMPs($4) - - ipv6-icmp
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
Broadcast(DROP,$1)
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
#
|
||||
Invalid(DROP,$1)
|
||||
#
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB($3)
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
NotSyn(DROP,$1) - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep($5)
|
||||
@@ -1,19 +0,0 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined with the mangle option in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
|
||||
# 2. Copy this file to /etc/shorewall6/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall6/mangle.
|
||||
#
|
||||
############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
|
||||
@@ -1,21 +1,25 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/action.template
|
||||
# Shorewall version 5 - Action Template
|
||||
#
|
||||
# Action Template
|
||||
# /etc/shorewall6/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined in /etc/shorewall/actions.
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
# ACTION defined in /etc/shorewall/actions.
|
||||
#
|
||||
# To define a new action:
|
||||
# To define a new action:
|
||||
#
|
||||
# 1. Add the <action name> to /etc/shorewall/actions
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
# 1. Add the <action name> to /etc/shorewall/actions
|
||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
||||
# 3. Add the desired rules to that file.
|
||||
#
|
||||
# Please see http://shorewall.net/Actions.html for additional information.
|
||||
# Please see http://shorewall.net/Actions.html for additional
|
||||
# information.
|
||||
#
|
||||
# Columns are the same as in /etc/shorewall6/rules.
|
||||
#
|
||||
##############################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
#######################################################################################################
|
||||
# DO NOT REMOVE THE FOLLOWING LINE
|
||||
#####################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
@@ -8,12 +8,11 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
?if 0
|
||||
allowBcasts # Accept multicast and anycast packets
|
||||
dropBcasts # Silently Drop multicast and anycast packets
|
||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
?endif
|
||||
# allowBcasts # Accept multicast and anycast packets
|
||||
# dropBcasts # Silently Drop multicast and anycast packets
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn # Silently Reject Non-syn TCP packets
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION
|
||||
A_Drop # Audited Default Action for DROP policy
|
||||
@@ -27,19 +26,15 @@ Broadcast noinline # Handles Broadcast/Multicast/Anycast
|
||||
Drop # Default Action for DROP policy
|
||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||
DropSmurfs noinline # Handles packets with a broadcast source address
|
||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||
state=ESTABLISHED
|
||||
Established inline # Handles packets in the ESTABLISHED state
|
||||
IfEvent noinline # Perform an action based on an event
|
||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||
state=INVALID
|
||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||
Invalid inline # Handles packets in the INVALID conntrack state
|
||||
New inline # Handles packets in the NEW conntrack state
|
||||
NotSyn inline # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||
Reject # Default Action for REJECT policy
|
||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||
state=RELATED
|
||||
Related inline # Handles packets in the RELATED conntrack state
|
||||
ResetEvent inline # Reset an Event
|
||||
RST inline # Handle packets with RST set
|
||||
SetEvent inline # Initialize an event
|
||||
TCPFlags # Handles bad flags combinations
|
||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||
state=UNTRACKED
|
||||
Untracked inline # Handles packets in the UNTRACKED conntrack state
|
||||
|
||||
@@ -1,24 +1,24 @@
|
||||
#
|
||||
# Shorewall -- /usr/share/shorewall6/lib.base
|
||||
# Shorewall 4.4 -- /usr/share/shorewall6/lib.base
|
||||
#
|
||||
# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is part of Shorewall.
|
||||
# This program is part of Shorewall.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation, either version 2 of the license or, at your
|
||||
# option, any later version.
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation, either version 2 of the license or, at your
|
||||
# option, any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# This library contains the code common to all Shorewall components.
|
||||
|
||||
|
||||
@@ -53,18 +53,6 @@
|
||||
<para>Added in Shorewall 4.5.10. Available options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>audit</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. When this option is specified,
|
||||
the action is expected to have at least two parameters; the
|
||||
first is a target and the second is either 'audit' or omitted.
|
||||
If the second is 'audit', then the first must be an auditable
|
||||
target (ACCEPT, DROP or REJECT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
|
||||
@@ -99,7 +87,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>inline</option></term>
|
||||
<term>inline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes the action body (defined in
|
||||
@@ -115,9 +103,9 @@
|
||||
way:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>DropSmurfs</member>
|
||||
<member>Broadcast</member>
|
||||
|
||||
<member>IfEvent</member>
|
||||
<member>DropSmurfs</member>
|
||||
|
||||
<member>Invalid (Prior to Shorewall 4.5.13)</member>
|
||||
|
||||
@@ -132,19 +120,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>mangle</option></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Specifies that this action is
|
||||
to be used in <ulink
|
||||
url="shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
|
||||
rather than <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>noinline</option></term>
|
||||
<term>noinline</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes any later <option>inline</option> option for the
|
||||
@@ -153,7 +129,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>nolog</option></term>
|
||||
<term>nolog</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.11. When this option is
|
||||
@@ -167,16 +143,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
|
||||
in <filename>actions.std</filename>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>terminating</option></term>
|
||||
<term>terminating</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.4. When used with
|
||||
|
||||
@@ -365,15 +365,6 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nodbl</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When specified, dynamic
|
||||
blacklisting is disabled on the interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
|
||||
@@ -69,9 +69,8 @@
|
||||
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable>)][:<replaceable>chain-designator</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The <replaceable>chain-designator</replaceable> indicates the
|
||||
Netfilter chain that the entry applies to and may be one of the
|
||||
following:</para>
|
||||
<para>The chain-specifier indicates the Netfilter chain that the
|
||||
entry applies to and may be one of the following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@@ -113,14 +112,10 @@
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>,
|
||||
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
|
||||
|
||||
<para>A <replaceable>chain-designator</replaceable> may not be
|
||||
specified if the SOURCE or DEST columns begin with '$FW'. When the
|
||||
SOURCE is $FW, the generated rule is always placed in the OUTPUT
|
||||
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
|
||||
Additionally, a <replaceable>chain-designator</replaceable> may not
|
||||
be specified in an action body unless the action is declared as
|
||||
<option>inline</option> in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
<para>A chain-designator may not be specified if the SOURCE or DEST
|
||||
columns begin with '$FW'. When the SOURCE is $FW, the generated rule
|
||||
is always placed in the OUTPUT chain. If DEST is '$FW', then the
|
||||
rule is placed in the INPUT chain.</para>
|
||||
|
||||
<para>Where a command takes parameters, those parameters are
|
||||
enclosed in parentheses ("(....)") and separated by commas.</para>
|
||||
@@ -129,21 +124,6 @@
|
||||
following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold"><replaceable>action</replaceable>[([<replaceable>param</replaceable>[,...])]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7.
|
||||
<replaceable>action</replaceable> must be an action declared
|
||||
with the <option>mangle</option> option in <ulink
|
||||
url="manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.
|
||||
If the action accepts paramaters, they are specified as a
|
||||
comma-separated list within parentheses following the
|
||||
<replaceable>action</replaceable> name.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||
@@ -401,7 +381,7 @@ DIVERTHA - - tcp</programlisting>
|
||||
<para>Allows you to place your own ip[6]tables matches at the
|
||||
end of the line following a semicolon (";"). If an
|
||||
<replaceable>action</replaceable> is specified, the compiler
|
||||
proceeds as if that <replaceable>action</replaceable> had been
|
||||
procedes as if that <replaceable>action</replaceable> had been
|
||||
specified in this column. If no action is specified, then you
|
||||
may include your own jump ("-j
|
||||
<replaceable>target</replaceable>
|
||||
|
||||
@@ -303,18 +303,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">CONMARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.7, CONNMARK is identical to MARK
|
||||
with the exception that the mark is assigned to connection to
|
||||
which the packet belongs is marked rather than to the packet
|
||||
itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
||||
|
||||
@@ -535,35 +523,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MARK({<replaceable>mark</replaceable>})</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>mark</replaceable> is a packet mark
|
||||
value.</para>
|
||||
|
||||
<para>Added in Shorewall 5.0.7, MARK requires "Mark in filter
|
||||
table" support in your kernel and iptables.</para>
|
||||
|
||||
<para>Normally will set the mark value of the current packet.
|
||||
If preceded by a vertical bar ("|"), the mark value will be
|
||||
logically ORed with the current mark value to produce a new
|
||||
mark value. If preceded by an ampersand ("&"), will be
|
||||
logically ANDed with the current mark value to produce a new
|
||||
mark value.</para>
|
||||
|
||||
<para>Both "|" and "&" require Extended MARK Target
|
||||
support in your kernel and iptables.</para>
|
||||
|
||||
<para>The mark value may be optionally followed by "/" and a
|
||||
mask value (used to determine those bits of the connection
|
||||
mark to actually be set). When a mask is specified, the result
|
||||
of logically ANDing the mark value with the mask must be the
|
||||
same as the mark value.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
@@ -673,37 +632,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>
|
||||
<term><emphasis role="bold">REJECT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>disallow the request and return an icmp-unreachable or
|
||||
an RST packet. If no option is passed, Shorewall selects the
|
||||
appropriate option based on the protocol of the packet.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.8, the type of reject may
|
||||
be specified in the <replaceable>option</replaceable>
|
||||
paramater. Valid <replaceable>option</replaceable> values
|
||||
are:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><option>icmp6-no-route</option></member>
|
||||
|
||||
<member><option>no-route</option></member>
|
||||
|
||||
<member><option>i</option><option>cmp6-adm-prohibited</option></member>
|
||||
|
||||
<member><option>adm-prohibited</option></member>
|
||||
|
||||
<member><option>icmp6-addr-unreachable</option></member>
|
||||
|
||||
<member><option>addr-unreach</option></member>
|
||||
|
||||
<member><option>icmp6-port-unreachable</option></member>
|
||||
|
||||
<member><option>tcp-reset</option> (the PROTO column must
|
||||
specify TCP)</member>
|
||||
</simplelist>
|
||||
an RST packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1332,7 +1265,7 @@
|
||||
<para>When <option>s:</option> or <option>d:</option> is specified,
|
||||
the rate applies per source IP address or per destination IP address
|
||||
respectively. The <replaceable>name</replaceable>s may be chosen by
|
||||
the user and specify a hash table to be used to count matching
|
||||
the user and specifiy a hash table to be used to count matching
|
||||
connections. If not given, the name <emphasis
|
||||
role="bold">shorewallN</emphasis> (where N is a unique integer) is
|
||||
assumed. Where more than one rule or POLICY specifies the same name,
|
||||
|
||||
@@ -152,23 +152,20 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> -
|
||||
{-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
|
||||
{-|<emphasis>value</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
|
||||
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
|
||||
file, marking the traffic you want to fit in the classes defined in
|
||||
here. You can use the same marks for different interfaces.</para>
|
||||
here. Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||
and you are running Shorewall 4.5 5 or earlier.</para>
|
||||
|
||||
<para>The <replaceable>priority</replaceable>, if specified, is an
|
||||
integer in the range 1-65535 and determines the relative order in
|
||||
which the tc mark classification filter for this class is to be
|
||||
applied to packets being sent on the
|
||||
<replaceable>interface</replaceable>. Filters are applied in
|
||||
ascending numerical order. If not supplied, the value is derived
|
||||
from the class priority (PRIORITY column value below):
|
||||
(<replaceable>class priority</replaceable> << 8) | 20.</para>
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -317,7 +314,7 @@
|
||||
priority determines the order in which filter rules are
|
||||
processed during packet classification. If not specified, the
|
||||
value (<replaceable>class priority</replaceable> << 8) |
|
||||
15) is used.</para>
|
||||
10) is used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -369,7 +366,7 @@
|
||||
(":") and a <replaceable>priority</replaceable>. This priority
|
||||
determines the order in which filter rules are processed
|
||||
during packet classification. If not specified, the value
|
||||
(<replaceable>class priority</replaceable> << 8) | 10)
|
||||
(<replaceable>class priority</replaceable> << 8) | 20)
|
||||
is used.</para>
|
||||
|
||||
<note>
|
||||
|
||||
@@ -623,38 +623,15 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
chain-based dynamic blacklisting using the <command>shorewall6
|
||||
drop</command>, <command>shorewall6 reject</command>,
|
||||
<command>shorewall6 logdrop</command> and <command>shorewall6
|
||||
logreject</command> is disabled. Default is <emphasis
|
||||
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
|
||||
ipset-based dynamic blacklisting is also supported. The name of the
|
||||
set (<replaceable>setname</replaceable>) and the level
|
||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||
traffic is to be logged may also be specified. The default set name
|
||||
is SW_DBL6 and the default log level is <option>none</option> (no
|
||||
logging). if <option>ipset-only</option> is given, then chain-based
|
||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||
had been specified. Normally, only packets whose source address
|
||||
matches an entry in the ipsec are dropped. If
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
<command>stop</command>/<command>reboot</command>/<command>start</command>
|
||||
sequences if SAVE_IPSETS=Yes or if
|
||||
<replaceable>setname</replaceable> is included in the list of sets
|
||||
to be saved in SAVE_IPSETS.</para>
|
||||
dynamic blacklisting using the <command>shorewall6 drop</command>,
|
||||
<command>shorewall6 reject</command>, <command>shorewall6
|
||||
logdrop</command> and <command>shorewall6 logreject</command> is
|
||||
disabled. Default is <emphasis role="bold">Yes</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -709,8 +686,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
packets until these packets reach the chain in which the original
|
||||
connection was accepted. So for packets going from the 'loc' zone to
|
||||
the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
|
||||
'loc-net' or 'loc2net' chain, depending on the setting of ZONE2ZONE
|
||||
(see below).</para>
|
||||
'loc2net' chain.</para>
|
||||
|
||||
<para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets
|
||||
are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
|
||||
@@ -870,7 +846,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
iptables text in a rule. You may simply preface that text with a
|
||||
pair of semicolons (";;"). If alternate input is also specified in
|
||||
the rule, it should appear before the semicolons and may be
|
||||
separated from normal column input by a single semicolon.</para>
|
||||
seperated from normal column input by a single semicolon.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -1460,7 +1436,7 @@ LOG:info:,bar net fw</programlisting>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
|
||||
role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
@@ -1471,10 +1447,6 @@ LOG:info:,bar net fw</programlisting>
|
||||
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||
'<command>uname -r</command>' and <emphasis
|
||||
role="bold">g_family</emphasis> holds '6'.</para>
|
||||
|
||||
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and
|
||||
causes the listed pathnames to be appended to the default list
|
||||
above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -2139,13 +2111,11 @@ INLINE - - - ; -j REJECT
|
||||
role="bold">STARTUP_LOG=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, determines where Shorewall will log the details
|
||||
<para>If specified, determines where Shorewall6 will log the details
|
||||
of each <emphasis role="bold">start</emphasis>, <emphasis
|
||||
role="bold">reload</emphasis>, <emphasis
|
||||
role="bold">restart</emphasis>, <emphasis
|
||||
role="bold">refresh</emphasis>, <emphasis
|
||||
role="bold">try</emphasis>, and <emphasis
|
||||
role="bold">safe-</emphasis>* command. Logging verbosity is
|
||||
role="bold">restart</emphasis> and <emphasis
|
||||
role="bold">refresh</emphasis> command. Logging verbosity is
|
||||
determined by the setting of LOG_VERBOSITY above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@@ -48,19 +48,6 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>blacklist</option></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@@ -936,25 +923,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis>
|
||||
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
|
||||
... ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8 and requires
|
||||
DYNAMIC_BLACKLIST=ipset.. in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
Causes packets from the given host or network
|
||||
<replaceable>address</replaceable> to be dropped, based on the
|
||||
setting of BLACKLIST in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
The <replaceable>address</replaceable> along with any
|
||||
<replaceable>option</replaceable>s are passed to the <command>ipset
|
||||
add</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">call <replaceable>function</replaceable> [
|
||||
<replaceable>parameter</replaceable> ... ]</emphasis></term>
|
||||
@@ -2501,34 +2469,6 @@
|
||||
started.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>ENVIRONMENT</title>
|
||||
|
||||
<para>Two environmental variables are recognized by Shorewall6:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>SHOREWALL_INIT_SCRIPT</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to 1, causes Std out to be redirected to the file
|
||||
specified in the STARTUP_LOG option in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SW_LOGGERTAG</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
|
||||
value is passed to the logger utility in its -t (--tag)
|
||||
option.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/modules.essential
|
||||
# Shorewall6 version 5 - Essential Modules File
|
||||
#
|
||||
# Essential Modules File
|
||||
# /usr/share/shorewall6/modules.essential
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule nfnetlink
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/modules.extension
|
||||
# Shorewall6 version 5 - Extensions Modules File
|
||||
#
|
||||
# Extensions Modules File
|
||||
# /usr/share/shorewall6/modules.extension
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule ip6_queue
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/modules.ipset
|
||||
# Shorewall version 5 - IP Set Modules File
|
||||
#
|
||||
# IP Set Modules File
|
||||
# /usr/share/shorewall6/modules.ipset
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall6 and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall6 and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule xt_set
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/modules.tc
|
||||
# Shorewall6 version 5 - Traffic Shaping Modules File
|
||||
#
|
||||
# Traffic Shaping Modules File
|
||||
# /usr/share/shorewall6/modules.tc
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule sch_sfq
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
#
|
||||
# Shorewall6 -- /usr/share/shorewall6/modules.xtables
|
||||
# Shorewall6 version 5 - Xtables Modules File
|
||||
#
|
||||
# Xtables Modules File
|
||||
# /usr/share/shorewall6/modules.xtables
|
||||
#
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
# This file loads the modules that may be needed by the firewall.
|
||||
#
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||
# dependency order. i.e., if M2 depends on M1 then you must load M1
|
||||
# before you load M2.
|
||||
#
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
# If you need to modify this file, copy it to /etc/shorewall and modify the
|
||||
# copy.
|
||||
#
|
||||
###############################################################################
|
||||
loadmodule xt_AUDIT
|
||||
|
||||
@@ -32,8 +32,6 @@
|
||||
|
||||
<year>2013</year>
|
||||
|
||||
<year>2015-2016</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@@ -399,27 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
url="configuration_file_basics.htm#ActionVariables">Action Variables
|
||||
section</ulink> of the Configuration Basics article.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Mangle Actions</title>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
|
||||
url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
|
||||
<ulink
|
||||
url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
|
||||
Because the rules and mangle files have different column layouts,
|
||||
actions can be defined to be used in one file or the other but not in
|
||||
both. To designate an action to be used in the mangle file, specify the
|
||||
<option>mangle</option> option in the action's entry in <ulink
|
||||
url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
<ulink
|
||||
url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
|
||||
<para>To create a mangle action, follow the steps in the preceding
|
||||
section, but use the
|
||||
<filename>/usr/share/shorewall/action.mangletemplate</filename> file.
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Logging">
|
||||
|
||||
@@ -202,6 +202,23 @@
|
||||
Shorewall with some notable exceptions:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>No NAT</term>
|
||||
|
||||
<listitem>
|
||||
<para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
|
||||
support any form of NAT). Most people consider this to be a giant
|
||||
step forward.</para>
|
||||
|
||||
<para>When an ISP assigns you an IPv6 address, you are actually
|
||||
assigned an IPv6 <firstterm>prefix</firstterm> (similar to a
|
||||
subnet). A 64-bit prefix defines a subnet with 4 billion hosts
|
||||
squared (the size of the IPv4 address space squared). Regardless of
|
||||
the length of your prefix, you get to assign local addresses within
|
||||
that prefix.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Default Zone Type</term>
|
||||
|
||||
|
||||
@@ -331,7 +331,7 @@ shorewall start</programlisting>
|
||||
in /etc/shorewall6/proxyndp is required:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
2001:470:b:227::44 - eth1 Yes</programlisting>
|
||||
2001:470:b:227::44 - eth1 Yes</programlisting>
|
||||
|
||||
<para>A practical application is shown in the Linux <ulink
|
||||
url="Vserver.html#NDP">Vserver article</ulink>.</para>
|
||||
|
||||
@@ -175,23 +175,20 @@
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/init</filename> - commands that you
|
||||
wish to execute at the beginning of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote>.</para>
|
||||
wish to execute at the beginning of a <quote>shorewall start</quote>
|
||||
or <quote>shorewall restart</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/start</filename> - commands that you
|
||||
wish to execute near the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall/started</filename> - commands that
|
||||
you wish to execute after the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
start</quote> or <quote>shorewall restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -1739,7 +1736,7 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
|
||||
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
@@ -1747,12 +1744,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
|
||||
@@ -1762,6 +1753,17 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>They may also appear in the ORIGDEST column of:</para>
|
||||
@@ -1777,10 +1779,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Actions.html">Action</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
@@ -1825,7 +1823,7 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink>
|
||||
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
@@ -1833,12 +1831,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<para><ulink url="Macros.html">Macro</ulink> files</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
|
||||
@@ -1847,13 +1839,18 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-routes.html">shorewall-routes</ulink>
|
||||
(5)</para>
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
|
||||
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
|
||||
(5)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -1988,33 +1985,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
@disposition are used to generated the --log-prefix in logging rules. When
|
||||
either is empty, the historical value is used to generate the
|
||||
--log-prefix.</para>
|
||||
|
||||
<para>Within an action body, if a parameter is omitted in a DEFAULTS
|
||||
statement, then the value of the corresponding action and Shorewall
|
||||
variables is '-', while if the parameter is specified as '-' in the
|
||||
parameter list, the value of the action/Shorewall variable is '', if it is
|
||||
expanded before the DEFAULTS statement.</para>
|
||||
|
||||
<para>Additionally, when an expression is evaluated, the value 0 evaluates
|
||||
as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed
|
||||
with value zero. To make testing of the presense of parameters more
|
||||
efficient and uniform, an new function has been added in Shorewall 5.0.7
|
||||
for use in ?IF and ?ELSEIF:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>?IF [!] passed(<variable>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>where <variable> is an action or Shorewall variable.</para>
|
||||
|
||||
<para>'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
|
||||
is not empty and its contents are other than '-'. If '!' is present, the
|
||||
result is inverted.</para>
|
||||
|
||||
<para>In this simple form, the expression is evaluated by the compiler
|
||||
without having to invoke the (expensive) Perl exec() function. The
|
||||
'passed' function may also be used in more complex expressions, but exec()
|
||||
will be invoked to evaluate those expressions.</para>
|
||||
</section>
|
||||
|
||||
<section id="Conditional">
|
||||
@@ -2198,45 +2168,6 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
<lines to be included if all three expressions evaluate to false.
|
||||
|
||||
?ENDIF</programlisting>
|
||||
|
||||
<para>Beginning in Shorewall 5.0.7, an error can be raised using the
|
||||
?ERROR directive:</para>
|
||||
|
||||
<programlisting>?ERROR <replaceable>message</replaceable></programlisting>
|
||||
|
||||
<para>Variables in the message are evaluated and the result appears in a
|
||||
standard Shorewall ERROR: message.</para>
|
||||
|
||||
<para>Example from the 5.0.7 action.GlusterFS:</para>
|
||||
|
||||
<programlisting>?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
|
||||
?error Invalid value for Bricks (@1)
|
||||
?elsif @2 !~ /^[01]$/
|
||||
?error Invalid value for IB (@2)
|
||||
?endif
|
||||
</programlisting>
|
||||
|
||||
<para>The above code insures that the first action paramater is a non-zero
|
||||
number <= 1024 and that the second parameter is either 0 or 1. If 2000
|
||||
is passed for the first parameter, the following error message is
|
||||
generated:</para>
|
||||
|
||||
<programlisting> ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15)
|
||||
from /etc/shorewall/rules (line 45)</programlisting>
|
||||
|
||||
<para>In Shorewall 5.0.8, ?WARNING and ?INFO directives were added.</para>
|
||||
|
||||
<programlisting>?WARNING <replaceable>message</replaceable>
|
||||
?INFO <replaceable>message</replaceable></programlisting>
|
||||
|
||||
<para>?WARNING message produces a standard Shorewall WARNING: message,
|
||||
while ?INFO produces a similar message which is prefaced by INFO: rather
|
||||
than WARNING:. Both write the message to STDERR. The message is also
|
||||
written to the STARTUP_LOG, if any, provided that the command is
|
||||
<command>start</command>, <command>try</command>,
|
||||
<command>restart</command>, <command>reload</command>,
|
||||
<command>refresh</command>, or one of the <command>safe</command>-*
|
||||
commands.</para>
|
||||
</section>
|
||||
|
||||
<section id="Embedded">
|
||||
@@ -2587,44 +2518,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
|
||||
"!tcp").</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="ICMP">
|
||||
<title>ICMP and ICMP6 Types and Codes</title>
|
||||
|
||||
@@ -2701,6 +2594,44 @@ redirect => 137</programlisting>
|
||||
Shorewall 4.4.19.</para>
|
||||
</section>
|
||||
|
||||
<section id="Ranges">
|
||||
<title>Port Ranges</title>
|
||||
|
||||
<para>If you need to specify a range of ports, the proper syntax is
|
||||
<low port number>:<high port number>. For example, if you want
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
<title>Port Lists</title>
|
||||
|
||||
<para>In most cases where a port or port range may appear, a
|
||||
comma-separated list of ports or port ranges may also be entered.
|
||||
Shorewall requires the Netfilter <emphasis
|
||||
role="bold">multiport</emphasis> match capability if ports lists are used
|
||||
(see the output of "<emphasis role="bold">shorewall show
|
||||
capabilities</emphasis>").</para>
|
||||
|
||||
<para>Also, unless otherwise documented, a port list can be preceded by
|
||||
'!' to specify "All ports except these" (e.g., "!80,443").</para>
|
||||
|
||||
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
|
||||
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
||||
(5) file may specify no more than 15 ports; port ranges appearing in a
|
||||
list count as two ports each.</para>
|
||||
</section>
|
||||
|
||||
<section id="MAC">
|
||||
<title>Using MAC Addresses</title>
|
||||
|
||||
@@ -2753,7 +2684,9 @@ redirect => 137</programlisting>
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
|
||||
|
||||
<simplelist>
|
||||
<member>LOGLIMIT=10/minute:5</member>
|
||||
<member>LOGRATE=10/minute</member>
|
||||
|
||||
<member>LOGBURST=5</member>
|
||||
</simplelist>
|
||||
|
||||
<para>For each logging rule, the first time the rule is reached, the
|
||||
@@ -2765,6 +2698,11 @@ redirect => 137</programlisting>
|
||||
30 seconds, the burst will be fully recharged; back where we
|
||||
started.</para>
|
||||
|
||||
<note>
|
||||
<para>The LOGRATE and LOGBURST options are deprecated in favor of
|
||||
LOGLIMIT.</para>
|
||||
</note>
|
||||
|
||||
<para>Shorewall also supports per-IP rate limiting.</para>
|
||||
|
||||
<para>Another example from <ulink
|
||||
@@ -2798,7 +2736,8 @@ redirect => 137</programlisting>
|
||||
<firstterm>Condition Match Support</firstterm> and you must be running
|
||||
Shorewall 4.4.24 or later. See the output of <command>shorewall show
|
||||
capabilities</command> and <command>shorewall version</command> to
|
||||
determine if you can use this feature.</para>
|
||||
determine if you can use this feature. As of this writing, Condition Match
|
||||
Support requires that you install xtables-addons.</para>
|
||||
|
||||
<para>The SWITCH column contains the name of a
|
||||
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis
|
||||
@@ -2962,8 +2901,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
<para>If <emphasis role="bold">detect</emphasis> is specified in the
|
||||
ADDRESS column of an entry in <ulink
|
||||
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
|
||||
firewall still startS if the optional interface in the INTERFACE
|
||||
column does not have an IP address.</para>
|
||||
firewall still start if the optional interface in the INTERFACE column
|
||||
does not have an IP address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -2981,8 +2920,7 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
|
||||
<para>Shorewall allows you to have configuration directories other than
|
||||
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||||
<command>check</command>, <command>start</command> and
|
||||
<command>restart</command> commands allow you to specify an alternate
|
||||
check, start and restart commands allow you to specify an alternate
|
||||
configuration directory and Shorewall will use the files in the alternate
|
||||
directory rather than the corresponding files in /etc/shorewall. The
|
||||
alternate directory need not contain a complete configuration; those files
|
||||
|
||||
@@ -109,8 +109,8 @@
|
||||
|
||||
<listitem>
|
||||
<para>In the event that the subnet address might change while
|
||||
Shorewall is started, you need to arrange for a <command>shorewall
|
||||
reload</command> command to be executed when a new dynamic IP address
|
||||
Shorewall is started, you need to arrange for a <quote>shorewall
|
||||
refresh</quote> command to be executed when a new dynamic IP address
|
||||
gets assigned to the interface. Check your DHCP client's
|
||||
documentation.</para>
|
||||
</listitem>
|
||||
|
||||
@@ -85,7 +85,7 @@
|
||||
problem reporting process. It will ensure that you provide us with the
|
||||
information we need to solve your problem as quickly as possible.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Troubleshoot.png"/>
|
||||
<graphic align="center" fileref="images/Troubleshoot.png" />
|
||||
|
||||
<orderedlist>
|
||||
<important>
|
||||
@@ -126,10 +126,12 @@
|
||||
|
||||
<para>If that didn't solve your problem, then please</para>
|
||||
|
||||
<programlisting><command>/sbin/shorewall trace start > /tmp/trace 2>&1</command></programlisting>
|
||||
<programlisting><command>/sbin/shorewall trace start 2> /tmp/trace</command></programlisting>
|
||||
|
||||
<para>Forward the <filename>/tmp/trace</filename> file as an
|
||||
attachment compressed with gzip or bzip2.</para>
|
||||
attachment compressed with gzip or bzip2 (If you are running
|
||||
Shorewall-perl, there is no need to compress the file — it will be
|
||||
very short).</para>
|
||||
|
||||
<para>If compilation succeeds but the compiled program fails, then
|
||||
please include the compiled program with your report. The compiled
|
||||
@@ -201,7 +203,7 @@
|
||||
message produced by Shorewall is "done.":</para>
|
||||
|
||||
<blockquote>
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<programlisting>…
|
||||
Activating Rules...
|
||||
|
||||
@@ -854,16 +854,22 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||
you have a dynamic IP then you must ensure that your external
|
||||
interface is up before starting Shorewall and you must code the
|
||||
rule as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):</para>
|
||||
interface is up before starting Shorewall and you must take steps
|
||||
as follows (assume that your external interface is <filename
|
||||
class="devicefile">eth0</filename>):<orderedlist>
|
||||
<listitem>
|
||||
<para>Include the following in /etc/shorewall/params:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - &eth0</programlisting>
|
||||
<para><command>ETH0_IP=$(find_interface_address
|
||||
eth0)</command></para>
|
||||
</listitem>
|
||||
|
||||
<para>'&eth0' expands to the IP address of eth0 (see <ulink
|
||||
url="configuration_file_basics.htm#AddressVariables">this
|
||||
article</ulink>).</para>
|
||||
<listitem>
|
||||
<para>Make your <literal>loc->dmz</literal> rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
Reference in New Issue
Block a user