Author | SHA1 | Date | |
---|---|---|---|
|
37dd46df3c | ||
|
246039a809 | ||
|
185c990267 | ||
|
4871eea602 | ||
|
9c43d388bd | ||
|
1ad06e7dcf | ||
|
fbc9962747 | ||
|
baafa10711 | ||
|
9ecddfd1ce | ||
|
dd51d9ab97 | ||
|
508cf25a70 | ||
|
463e22bdb6 | ||
|
27fdefc73a | ||
|
3ba0715dad | ||
|
192a8967ce | ||
|
224f1798af | ||
|
096ede3d2a | ||
|
5b0dc4e495 | ||
|
5ade0cc714 | ||
|
7d4463587a | ||
|
014cb46f06 | ||
|
030de1762c | ||
|
af5533c6eb | ||
|
f4fb099047 | ||
|
31e95f0667 | ||
|
9b1b6bf87a | ||
|
e61cf043eb | ||
|
30f4e98fce | ||
|
e16b8768f2 | ||
|
b5589351c8 | ||
|
c21aa7a588 | ||
|
fc5d80dba7 | ||
|
0b9213bc6d | ||
|
3adb8c29c5 | ||
|
245d3d5574 | ||
|
1eb80541a5 | ||
|
96e2f38062 | ||
|
3aebdbfc63 | ||
|
5413c55718 | ||
|
201476ce98 | ||
|
c1bfe7d5b8 | ||
|
486bb73c02 | ||
|
afbb93ca8a | ||
|
b591110fef | ||
|
a77abaf694 | ||
|
0d101799ec | ||
|
4a2f08edef | ||
|
2578b2c7cb | ||
|
a8e3b2ea7c |
@ -205,6 +205,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -205,6 +205,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -212,6 +212,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=Yes
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -285,7 +285,12 @@ fi
|
|||||||
if [ -z "$DESTDIR" ]; then
|
if [ -z "$DESTDIR" ]; then
|
||||||
if [ -n "$first_install" ]; then
|
if [ -n "$first_install" ]; then
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
|
if [ -x /sbin/insserv ]; then
|
||||||
|
insserv /etc/init.d/shorewall-init
|
||||||
|
else
|
||||||
ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
|
ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Shorewall Init will start automatically at boot"
|
echo "Shorewall Init will start automatically at boot"
|
||||||
else
|
else
|
||||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||||
|
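Review bot: The new Debian branch tests only `-x /sbin/insserv`, while the non-Debian branch two lines below tests `-x /sbin/insserv -o -x /usr/sbin/insserv`, so an insserv installed under /usr/sbin falls through to the `ln -sf` fallback on Debian; and `insserv /etc/init.d/shorewall-init` runs with its exit status ignored, so a failed registration still prints "Shorewall Init will start automatically at boot". Use the same test as the other branch and guard the message, e.g. `if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then` and `insserv /etc/init.d/shorewall-init || echo "WARNING: insserv failed"`. The same pattern is added in the two later hunks that run `insserv /etc/init.d/shorewall-lite` and `insserv /etc/init.d/shorewall`. The enclosing `if [ -z "$DESTDIR" ]` block continues outside the hunk.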
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-init
|
%define name shorewall-init
|
||||||
%define version 4.4.10
|
%define version 4.4.10
|
||||||
%define release 0base
|
%define release 3
|
||||||
|
|
||||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -99,8 +99,16 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
|
* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-3
|
||||||
|
* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-2
|
||||||
|
* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-1
|
||||||
|
* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0base
|
- Updated to 4.4.10-0base
|
||||||
|
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-0RC3
|
||||||
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0RC2
|
- Updated to 4.4.10-0RC2
|
||||||
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -354,7 +354,13 @@ if [ -z "$DESTDIR" ]; then
|
|||||||
if [ -n "$first_install" ]; then
|
if [ -n "$first_install" ]; then
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
|
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
|
||||||
|
|
||||||
|
if [ -x /sbin/insserv ]; then
|
||||||
|
insserv /etc/init.d/shorewall-lite
|
||||||
|
else
|
||||||
ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
|
ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Shorewall Lite will start automatically at boot"
|
echo "Shorewall Lite will start automatically at boot"
|
||||||
else
|
else
|
||||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||||
|
@ -777,14 +777,9 @@ case "$COMMAND" in
|
|||||||
g_restorepath=${VARDIR}/$RESTOREFILE
|
g_restorepath=${VARDIR}/$RESTOREFILE
|
||||||
|
|
||||||
if [ -x $g_restorepath ]; then
|
if [ -x $g_restorepath ]; then
|
||||||
|
|
||||||
if [ -x ${g_restorepath}-ipsets ]; then
|
|
||||||
rm -f ${g_restorepath}-ipsets
|
|
||||||
echo " ${g_restorepath}-ipsets removed"
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f $g_restorepath
|
rm -f $g_restorepath
|
||||||
rm -f ${g_restorepath}-iptables
|
rm -f ${g_restorepath}-iptables
|
||||||
|
rm -f ${g_restorepath}-ipsets
|
||||||
echo " $g_restorepath removed"
|
echo " $g_restorepath removed"
|
||||||
elif [ -f $g_restorepath ]; then
|
elif [ -f $g_restorepath ]; then
|
||||||
echo " $g_restorepath exists and is not a saved Shorewall configuration"
|
echo " $g_restorepath exists and is not a saved Shorewall configuration"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-lite
|
%define name shorewall-lite
|
||||||
%define version 4.4.10
|
%define version 4.4.10
|
||||||
%define release 0base
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -102,8 +102,16 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
|
* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-3
|
||||||
|
* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-2
|
||||||
|
* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-1
|
||||||
|
* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0base
|
- Updated to 4.4.10-0base
|
||||||
|
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-0RC3
|
||||||
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0RC2
|
- Updated to 4.4.10-0RC2
|
||||||
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
|
|||||||
$macro_commands
|
$macro_commands
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_9';
|
our $VERSION = '4.4_10';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||||
@ -834,7 +834,7 @@ sub allowBcast( $$$ ) {
|
|||||||
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
|
||||||
} else {
|
} else {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
|
||||||
add_rule $chainref, '-d ff00:/10 -j ACCEPT';
|
add_rule $chainref, '-d ff00::/10 -j ACCEPT';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -868,7 +868,8 @@ sub allowInvalid ( $$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub forwardUPnP ( $$$ ) {
|
sub forwardUPnP ( $$$ ) {
|
||||||
dont_optimize 'forwardUPnP';
|
my $chainref = dont_optimize 'forwardUPnP';
|
||||||
|
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowinUPnP ( $$$ ) {
|
sub allowinUPnP ( $$$ ) {
|
||||||
|
@ -161,6 +161,8 @@ our %EXPORT_TAGS = (
|
|||||||
get_interface_mac
|
get_interface_mac
|
||||||
have_global_variables
|
have_global_variables
|
||||||
set_global_variables
|
set_global_variables
|
||||||
|
save_dynamic_chains
|
||||||
|
load_ipsets
|
||||||
create_netfilter_load
|
create_netfilter_load
|
||||||
preview_netfilter_load
|
preview_netfilter_load
|
||||||
create_chainlist_reload
|
create_chainlist_reload
|
||||||
@ -3591,6 +3593,128 @@ sub emitr1( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Emit code to save the dynamic chains to hidden files in ${VARDIR}
|
||||||
|
#
|
||||||
|
|
||||||
|
sub save_dynamic_chains() {
|
||||||
|
|
||||||
|
my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
|
||||||
|
|
||||||
|
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
emit <<"EOF";
|
||||||
|
if chain_exists 'UPnP -t nat'; then
|
||||||
|
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.UPnP
|
||||||
|
fi
|
||||||
|
|
||||||
|
if chain_exists forwardUPnP; then
|
||||||
|
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.forwardUPnP
|
||||||
|
fi
|
||||||
|
|
||||||
|
if chain_exists dynamic; then
|
||||||
|
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.dynamic
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
emit ( 'else' );
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
emit <<"EOF";
|
||||||
|
rm -f \${VARDIR}/.UPnP
|
||||||
|
rm -f \${VARDIR}/.forwardUPnP
|
||||||
|
|
||||||
|
if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
|
||||||
|
if chain_exists dynamic; then
|
||||||
|
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
|
emit ( 'fi' ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
|
||||||
|
sub load_ipsets() {
|
||||||
|
|
||||||
|
my @ipsets = all_ipsets;
|
||||||
|
|
||||||
|
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
||||||
|
emit ( '',
|
||||||
|
'local hack',
|
||||||
|
'',
|
||||||
|
'case $IPSET in',
|
||||||
|
' */*)',
|
||||||
|
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
||||||
|
' ;;',
|
||||||
|
' *)',
|
||||||
|
' IPSET="$(mywhich $IPSET)"',
|
||||||
|
' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
|
||||||
|
' ;;',
|
||||||
|
'esac',
|
||||||
|
'',
|
||||||
|
'if [ "$COMMAND" = start ]; then' ,
|
||||||
|
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||||
|
' $IPSET -F' ,
|
||||||
|
' $IPSET -X' ,
|
||||||
|
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
||||||
|
' fi' ,
|
||||||
|
'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
|
||||||
|
' if [ -f $(my_pathname)-ipsets ]; then' ,
|
||||||
|
' if chain_exists shorewall; then' ,
|
||||||
|
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
|
||||||
|
' else' ,
|
||||||
|
' $IPSET -F' ,
|
||||||
|
' $IPSET -X' ,
|
||||||
|
' $IPSET -R < $(my_pathname)-ipsets' ,
|
||||||
|
' fi' ,
|
||||||
|
' fi' ,
|
||||||
|
);
|
||||||
|
|
||||||
|
if ( @ipsets ) {
|
||||||
|
emit '';
|
||||||
|
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
|
emit ( '' ,
|
||||||
|
'elif [ "$COMMAND" = restart ]; then' ,
|
||||||
|
'' );
|
||||||
|
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
|
emit ( '' ,
|
||||||
|
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
||||||
|
' #',
|
||||||
|
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
|
||||||
|
' #',
|
||||||
|
' hack=\'| grep -v /31\'' ,
|
||||||
|
' else' ,
|
||||||
|
' hack=' ,
|
||||||
|
' fi' ,
|
||||||
|
'',
|
||||||
|
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
||||||
|
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
||||||
|
' fi',
|
||||||
|
'elif [ "$COMMAND" = refresh ]; then' );
|
||||||
|
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
}
|
||||||
|
|
||||||
|
emit ( 'fi' ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
#
|
#
|
||||||
# Generate the netfilter input
|
# Generate the netfilter input
|
||||||
#
|
#
|
||||||
|
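Review bot: In save_dynamic_chains the emitted `$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic` truncates the save file before the pipeline runs and never examines the pipeline's status, so a failing `$tool` silently replaces the previously saved dynamic rules with an empty file that is later replayed as "nothing to restore"; writing to a temporary file and renaming only on success, as the ipsets path already does with `ipsets.tmp` and `mv -f`, would keep the last good copy. The same applies to the `.UPnP` and `.forwardUPnP` writes. load_ipsets also lacks the header comment that save_dynamic_chains has; something like `# Emit shell code that locates the ipset utility and restores or saves ipsets according to $COMMAND` would do. `chain_exists 'UPnP -t nat'` appears to rely on chain_exists passing its argument unquoted to the iptables command; worth confirming against the shell library.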
@ -303,7 +303,6 @@ sub generate_script_2() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Final stage of script generation.
|
# Final stage of script generation.
|
||||||
#
|
#
|
||||||
# Generate code for loading the various files in /var/lib/shorewall[6][-lite]
|
# Generate code for loading the various files in /var/lib/shorewall[6][-lite]
|
||||||
@ -354,80 +353,17 @@ sub generate_script_3($) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
my @ipsets = all_ipsets;
|
load_ipsets;
|
||||||
|
|
||||||
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
|
||||||
emit ( '',
|
|
||||||
'local hack',
|
|
||||||
'',
|
|
||||||
'case $IPSET in',
|
|
||||||
' */*)',
|
|
||||||
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
|
||||||
' ;;',
|
|
||||||
' *)',
|
|
||||||
' IPSET="$(mywhich $IPSET)"',
|
|
||||||
' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
|
|
||||||
' ;;',
|
|
||||||
'esac',
|
|
||||||
'',
|
|
||||||
'if [ "$COMMAND" = start ]; then' ,
|
|
||||||
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
|
||||||
' $IPSET -F' ,
|
|
||||||
' $IPSET -X' ,
|
|
||||||
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
|
||||||
' fi' ,
|
|
||||||
'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
|
|
||||||
' if [ -f $(my_pathname)-ipsets ]; then' ,
|
|
||||||
' if chain_exists shorewall; then' ,
|
|
||||||
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
|
|
||||||
' else' ,
|
|
||||||
' $IPSET -F' ,
|
|
||||||
' $IPSET -X' ,
|
|
||||||
' $IPSET -R < $(my_pathname)-ipsets' ,
|
|
||||||
' fi' ,
|
|
||||||
' fi' ,
|
|
||||||
);
|
|
||||||
|
|
||||||
if ( @ipsets ) {
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( '' ,
|
|
||||||
'elif [ "$COMMAND" = restart ]; then' ,
|
|
||||||
'' );
|
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( '' ,
|
|
||||||
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
|
||||||
' #',
|
|
||||||
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
|
|
||||||
' #',
|
|
||||||
' hack=\'| grep -v /31\'' ,
|
|
||||||
' else' ,
|
|
||||||
' hack=' ,
|
|
||||||
' fi' ,
|
|
||||||
'',
|
|
||||||
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
|
||||||
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
|
||||||
' fi' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( 'fi',
|
|
||||||
'' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
||||||
' run_refresh_exit' );
|
' run_refresh_exit' ,
|
||||||
|
'else' ,
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( 'else' ,
|
|
||||||
' run_init_exit',
|
' run_init_exit',
|
||||||
'fi',
|
'fi',
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
|
save_dynamic_chains;
|
||||||
|
|
||||||
mark_firewall_not_started;
|
mark_firewall_not_started;
|
||||||
|
|
||||||
emit ('',
|
emit ('',
|
||||||
@ -450,6 +386,7 @@ sub generate_script_3($) {
|
|||||||
} else {
|
} else {
|
||||||
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
|
||||||
'' );
|
'' );
|
||||||
|
save_dynamic_chains;
|
||||||
mark_firewall_not_started;
|
mark_firewall_not_started;
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
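Review bot: `save_dynamic_chains;` is now also called on the branch that is not `$family == F_IPV4` (this hunk, after the `[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit` emit), and it emits `chain_exists 'UPnP -t nat'` and `${IP6TABLES}-save -t nat`; on kernels with no IPv6 nat table that probe errors rather than reporting a missing chain, so the UPnP blocks in save_dynamic_chains should probably be emitted only for `$family == F_IPV4`. Whether chain_exists suppresses that error cannot be seen here. The enclosing generate_script_3 starts outside the hunk.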
@ -520,7 +457,6 @@ EOF
|
|||||||
set_state "Started"
|
set_state "Started"
|
||||||
else
|
else
|
||||||
setup_netfilter
|
setup_netfilter
|
||||||
restore_dynamic_rules
|
|
||||||
conditionally_flush_conntrack
|
conditionally_flush_conntrack
|
||||||
EOF
|
EOF
|
||||||
setup_forwarding( $family , 0 );
|
setup_forwarding( $family , 0 );
|
||||||
|
@ -341,7 +341,7 @@ sub initialize( $ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.10",
|
VERSION => "4.4.10.3",
|
||||||
CAPVERSION => 40408 ,
|
CAPVERSION => 40408 ,
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -1899,9 +1899,11 @@ sub default ( $$ ) {
|
|||||||
sub default_yes_no ( $$ ) {
|
sub default_yes_no ( $$ ) {
|
||||||
my ( $var, $val ) = @_;
|
my ( $var, $val ) = @_;
|
||||||
|
|
||||||
my $curval = "\L$config{$var}";
|
my $curval = $config{$var};
|
||||||
|
|
||||||
if ( defined $curval && $curval ne '' ) {
|
if ( defined $curval && $curval ne '' ) {
|
||||||
|
$curval = lc $curval;
|
||||||
|
|
||||||
if ( $curval eq 'no' ) {
|
if ( $curval eq 'no' ) {
|
||||||
$config{$var} = '';
|
$config{$var} = '';
|
||||||
} else {
|
} else {
|
||||||
@ -2351,7 +2353,7 @@ sub IPSet_Match() {
|
|||||||
my $ipset = $config{IPSET} || 'ipset';
|
my $ipset = $config{IPSET} || 'ipset';
|
||||||
my $result = 0;
|
my $result = 0;
|
||||||
|
|
||||||
$ipset = which $ipset unless $ipset =~ '//';
|
$ipset = which $ipset unless $ipset =~ '/';
|
||||||
|
|
||||||
if ( $ipset && -x $ipset ) {
|
if ( $ipset && -x $ipset ) {
|
||||||
qt( "$ipset -X $sillyname" );
|
qt( "$ipset -X $sillyname" );
|
||||||
|
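Review bot: `$ipset =~ '/'` skips the `which` lookup for any IPSET value containing a slash, so a relative value such as `bin/ipset` is accepted by the `-x $ipset` test and then executed by `qt( "$ipset -X $sillyname" )` relative to the compiler's working directory; `unless $ipset =~ m{^/}` would limit the bypass to absolute paths. If relative paths are meant to be allowed, a one-line comment stating that `IPSET` may be a path relative to the cwd would make the choice explicit. IPSet_Match starts outside the hunk.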
@ -905,7 +905,7 @@ sub handle_optional_interfaces( $ ) {
|
|||||||
|
|
||||||
emit( ' fatal_error "No network interface available"',
|
emit( ' fatal_error "No network interface available"',
|
||||||
' else',
|
' else',
|
||||||
' startup_error "No network interface available',
|
' startup_error "No network interface available"',
|
||||||
' fi',
|
' fi',
|
||||||
' ;;',
|
' ;;',
|
||||||
' esac',
|
' esac',
|
||||||
|
@ -443,6 +443,7 @@ sub add_common_rules() {
|
|||||||
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
|
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
|
||||||
$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
|
$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
|
||||||
add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
|
add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
|
||||||
|
add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_mss;
|
setup_mss;
|
||||||
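Review bot: The added `add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' )` replays the saved file verbatim into the iptables-restore input, whereas the shell `restore_dynamic_rules()` removed further down in this compare re-added only `DROP|reject|logdrop|logreject` rules parsed field by field; every line that ends up in `.dynamic` is now applied as-is. A comment recording the new trust assumption would help the next maintainer, e.g. `# .dynamic is written by save_dynamic_chains() from iptables-save output and replayed unfiltered; VARDIR must not be writable by other users`. The same holds for the `.forwardUPnP` and `.UPnP` replays added in the forwardUPnP and UPnP hunks. add_common_rules continues outside the hunk.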
@ -647,7 +648,9 @@ sub add_common_rules() {
|
|||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
progress_message2 "$doing UPnP";
|
progress_message2 "$doing UPnP";
|
||||||
|
|
||||||
dont_optimize new_nat_chain( 'UPnP' );
|
$chainref = dont_optimize new_nat_chain( 'UPnP' );
|
||||||
|
|
||||||
|
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
|
||||||
|
|
||||||
$announced = 1;
|
$announced = 1;
|
||||||
|
|
||||||
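Review bot: The path in the added `add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' )` has a spurious leading slash, so the test and the `cat` name different strings (the test silently fails if VARDIR is ever relative), and it uses `-s` while the `.forwardUPnP` and `.dynamic` replays use `-f`; `'[ -f ${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3'` makes the three consistent. add_common_rules continues outside the hunk.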
|
@ -633,7 +633,9 @@ sub add_group_to_zone($$$$$)
|
|||||||
my $allip = 0;
|
my $allip = 0;
|
||||||
|
|
||||||
for my $host ( @$networks ) {
|
for my $host ( @$networks ) {
|
||||||
$interfaces{$interface}{nets}++;
|
$interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
|
$interfaceref->{nets}++;
|
||||||
|
|
||||||
fatal_error "Invalid Host List" unless defined $host and $host ne '';
|
fatal_error "Invalid Host List" unless defined $host and $host ne '';
|
||||||
|
|
||||||
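Review bot: `$interfaceref = $interfaces{$interface};` is assigned on every iteration of `for my $host ( @$networks )` although `$interface` does not change inside the loop, and the hunk shows no `my` for it; if it is not declared earlier in add_group_to_zone (the sub starts outside the hunk) this will not compile under `use strict`. Hoisting `my $interfaceref = $interfaces{$interface};` above the loop and keeping `$interfaceref->{nets}++;` inside addresses both. The second hunk of this file (`for ( qw/blacklist maclist nosmurfs tcpflags/ )`) relies on the same variable.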
@ -650,6 +652,13 @@ sub add_group_to_zone($$$$$)
|
|||||||
if ( $host eq ALLIP ) {
|
if ( $host eq ALLIP ) {
|
||||||
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
|
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
|
||||||
$interfaces{$interface}{zone} = $zone;
|
$interfaces{$interface}{zone} = $zone;
|
||||||
|
#
|
||||||
|
# Make 'find_hosts_by_option()' work correctly for this zone
|
||||||
|
#
|
||||||
|
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
|
||||||
|
$options->{$_} = 1 if $interfaceref->{options}{$_};
|
||||||
|
}
|
||||||
|
|
||||||
$allip = 1;
|
$allip = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1186,6 +1195,7 @@ sub find_interfaces_by_option1( $ ) {
|
|||||||
for my $interface ( keys %interfaces ) {
|
for my $interface ( keys %interfaces ) {
|
||||||
my $interfaceref = $interfaces{$interface};
|
my $interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
|
next unless defined $interfaceref->{physical};
|
||||||
next if $interfaceref->{physical} =~ /\+/;
|
next if $interfaceref->{physical} =~ /\+/;
|
||||||
|
|
||||||
my $optionsref = $interfaceref->{options};
|
my $optionsref = $interfaceref->{options};
|
||||||
|
@ -218,6 +218,7 @@ case "$COMMAND" in
|
|||||||
else
|
else
|
||||||
error_message "$g_product is not running"
|
error_message "$g_product is not running"
|
||||||
progress_message3 "Starting $g_product...."
|
progress_message3 "Starting $g_product...."
|
||||||
|
COMMAND=start
|
||||||
fi
|
fi
|
||||||
|
|
||||||
detect_configuration
|
detect_configuration
|
||||||
|
@ -219,6 +219,7 @@ else
|
|||||||
else
|
else
|
||||||
error_message "$g_product is not running"
|
error_message "$g_product is not running"
|
||||||
progress_message3 "Starting $g_product...."
|
progress_message3 "Starting $g_product...."
|
||||||
|
COMMAND=start
|
||||||
fi
|
fi
|
||||||
|
|
||||||
detect_configuration
|
detect_configuration
|
||||||
|
@ -774,34 +774,6 @@ run_tc() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Restore the rules generated by 'drop','reject','logdrop', etc.
|
|
||||||
#
|
|
||||||
restore_dynamic_rules() {
|
|
||||||
if [ -f ${VARDIR}/save ]; then
|
|
||||||
progress_message2 "Setting up dynamic rules..."
|
|
||||||
rangematch='source IP range'
|
|
||||||
while read target ignore1 ignore2 address ignore3 rest; do
|
|
||||||
case $target in
|
|
||||||
DROP|reject|logdrop|logreject)
|
|
||||||
case $rest in
|
|
||||||
$rangematch*)
|
|
||||||
run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -z "$rest" ]; then
|
|
||||||
run_iptables -A dynamic -s $address -j $target
|
|
||||||
else
|
|
||||||
error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < ${VARDIR}/save
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Get a list of all configured broadcast addresses on the system
|
# Get a list of all configured broadcast addresses on the system
|
||||||
#
|
#
|
||||||
|
@ -728,34 +728,6 @@ run_tc() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Restore the rules generated by 'drop','reject','logdrop', etc.
|
|
||||||
#
|
|
||||||
restore_dynamic_rules() {
|
|
||||||
if [ -f ${VARDIR}/save ]; then
|
|
||||||
progress_message2 "Setting up dynamic rules..."
|
|
||||||
rangematch='source IP range'
|
|
||||||
while read target ignore1 ignore2 address ignore3 rest; do
|
|
||||||
case $target in
|
|
||||||
DROP|reject|logdrop|logreject)
|
|
||||||
case $rest in
|
|
||||||
$rangematch*)
|
|
||||||
run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -z "$rest" ]; then
|
|
||||||
run_iptables -A dynamic -s $address -j $target
|
|
||||||
else
|
|
||||||
error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < ${VARDIR}/save
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||||
#
|
#
|
||||||
|
@ -1,3 +1,29 @@
|
|||||||
|
Changes in Shorewall 4.4.10.3
|
||||||
|
|
||||||
|
1) Fix 'debug' and 'trace' handling.
|
||||||
|
|
||||||
|
2) Make find_hosts_by_option() work correctly where ALL_IP appears in
|
||||||
|
hosts file.
|
||||||
|
|
||||||
|
3) Correct syntax error in the generated script when REQUIRE_INTERFACE=Yes.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.10.2
|
||||||
|
|
||||||
|
1) Make IPv6 log and connections output readable.
|
||||||
|
|
||||||
|
2) Add REQUIRE_INTERFACE to shorewall*.conf
|
||||||
|
|
||||||
|
3) Avoid run-time diagnostic when options are omitted from
|
||||||
|
shorewall*.conf.
|
||||||
|
|
||||||
|
4) On Debian, run insserv when it is installed.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.10.1
|
||||||
|
|
||||||
|
1) Apply patch from Gabriel.
|
||||||
|
|
||||||
|
2) Fix IPSET match detection when a pathname is specified for IPSET.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.10
|
Changes in Shorewall 4.4.10
|
||||||
|
|
||||||
1) Fix regression with scripts.
|
1) Fix regression with scripts.
|
||||||
|
@ -194,6 +194,8 @@ OPTIMIZE_ACCOUNTING=No
|
|||||||
|
|
||||||
LOAD_HELPERS_ONLY=No
|
LOAD_HELPERS_ONLY=No
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -867,7 +867,13 @@ fi
|
|||||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
install_file default.debian /etc/default/shorewall 0644
|
install_file default.debian /etc/default/shorewall 0644
|
||||||
|
|
||||||
|
if [ -x /sbin/insserv ]; then
|
||||||
|
insserv /etc/init.d/shorewall
|
||||||
|
else
|
||||||
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
|
||||||
|
fi
|
||||||
|
|
||||||
echo "shorewall will start automatically at boot"
|
echo "shorewall will start automatically at boot"
|
||||||
echo "Set startup=1 in /etc/default/shorewall to enable"
|
echo "Set startup=1 in /etc/default/shorewall to enable"
|
||||||
touch /var/log/shorewall-init.log
|
touch /var/log/shorewall-init.log
|
||||||
|
@ -1 +1,99 @@
|
|||||||
There are no known problems in Shorewall 4.4.10
|
1) The IPv6 allowBcast built-in action generates an invalid ip6tables
|
||||||
|
rule. This defect is present in all versions of Shorewall that
|
||||||
|
support IPv6.
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.1.
|
||||||
|
|
||||||
|
2) If IPSET=<pathname> is specified in shorewall.conf, then when an
|
||||||
|
ipset is used in a configuration file entry, the following fatal
|
||||||
|
compilation error occurs:
|
||||||
|
|
||||||
|
ERROR: ipset names in Shorewall configuration files require Ipset
|
||||||
|
Match in your kernel and iptables : /etc/shorewall/rules (line nn)
|
||||||
|
|
||||||
|
You can work around this problem by executing the following at a
|
||||||
|
root shell prompt:
|
||||||
|
|
||||||
|
shorewall show -f capabilities > /etc/shorewall/capabilities
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.1. After installing this fix, if you
|
||||||
|
executed the above command to work around the problem, we recommend
|
||||||
|
that you remove /etc/shorewall/capabilities.
|
||||||
|
|
||||||
|
3) The new REQUIRE_INTERFACE option was not added to shorewall.conf
|
||||||
|
and shorewall6.conf.
|
||||||
|
|
||||||
|
You can simply add it if you need it.
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.2.
|
||||||
|
|
||||||
|
4) Under Perl 5.12.1, a harmless Perl run-time diagnostic is
|
||||||
|
produced when options are omitted from shorewall.conf or
|
||||||
|
shorewall6.conf.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
Use of uninitialized value
|
||||||
|
$Shorewall::Config::config{"REQUIRE_INTERFACE"} in lc at
|
||||||
|
/usr/share/shorewall/Shorewall/Config.pm line 1902.
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.2.
|
||||||
|
|
||||||
|
5) On Debian and Debian-based systems, the start/stop priorities of
|
||||||
|
Shorewall products may be incorrect when the insserv package is
|
||||||
|
installed.
|
||||||
|
|
||||||
|
You may correct this problem by running insserv (as root).
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.2.
|
||||||
|
|
||||||
|
6) If 'trace' or 'debug' is specified on a command that runs the
|
||||||
|
compiled script, an invalid command line is passed to that script
|
||||||
|
resulting in a failure:
|
||||||
|
|
||||||
|
Shorewall configuration compiled to /var/lib/shorewall/.start
|
||||||
|
Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
|
||||||
|
refresh|restart|status|up|version ]
|
||||||
|
|
||||||
|
Options are:
|
||||||
|
|
||||||
|
-v and -q Standard Shorewall verbosity controls
|
||||||
|
-n Don't unpdate routing configuration
|
||||||
|
-p Purge Conntrack Table
|
||||||
|
-t Timestamp progress Messages
|
||||||
|
-V <verbosity> Set verbosity explicitly
|
||||||
|
-R <file> Override RESTOREFILE setting
|
||||||
|
|
||||||
|
This issue affects Shorewall and Shorewall6 4.4.8 and later.
|
||||||
|
|
||||||
|
To work around the problem (IPv4 'debug restart' command):
|
||||||
|
|
||||||
|
shorewall compile /var/lib/shorewall/.restart
|
||||||
|
/var/lib/shorewall/.restart debug restart
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.3.
|
||||||
|
|
||||||
|
7) If the following options are specified in /etc/shorewall/interfaces
|
||||||
|
for an interface with '-' in the ZONE column, then these options
|
||||||
|
will be ignored if there is an entry in the hosts file for the
|
||||||
|
interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
|
||||||
|
implied when the host list begins with '!').
|
||||||
|
|
||||||
|
blacklist
|
||||||
|
maclist
|
||||||
|
nosmurfs
|
||||||
|
tcpflags
|
||||||
|
|
||||||
|
You can work around this issue by specifying these options in the
|
||||||
|
hosts file entry rather than in the interfaces file.
|
||||||
|
|
||||||
|
Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.3.
|
||||||
|
|
||||||
|
8) When REQUIRE_INTERFACE=Yes, the generated script is missing a
|
||||||
|
closing quote.
|
||||||
|
|
||||||
|
Fixed in Shorewall 4.4.10.3.
|
||||||
|
|
||||||
|
|
||||||
|
@ -362,17 +362,7 @@ save_config() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
validate_restorefile RESTOREFILE
|
validate_restorefile RESTOREFILE
|
||||||
|
|
||||||
if chain_exists dynamic; then
|
|
||||||
if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
|
|
||||||
echo " Dynamic Rules Saved"
|
|
||||||
do_save
|
|
||||||
else
|
|
||||||
echo "Error Saving the Dynamic Rules" >&2
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
do_save && rm -f ${VARDIR}/save
|
do_save && rm -f ${VARDIR}/save
|
||||||
fi
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
@ -94,7 +94,12 @@ run_it() {
|
|||||||
#
|
#
|
||||||
# 4.4.8 or later -- no additional exports required
|
# 4.4.8 or later -- no additional exports required
|
||||||
#
|
#
|
||||||
|
if [ x$1 = xtrace -o x$1 = xdebug ]; then
|
||||||
|
options="$1 -"
|
||||||
|
shift;
|
||||||
|
else
|
||||||
options='-'
|
options='-'
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$g_noroutes" ] && options=${options}n
|
[ -n "$g_noroutes" ] && options=${options}n
|
||||||
[ -n "$g_timestamp" ] && options=${options}t
|
[ -n "$g_timestamp" ] && options=${options}t
|
||||||
|
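Review bot: `options="$1 -"` puts a space inside the option string, so the compiled script only receives `trace`/`debug` as a separate word if `$options` is expanded unquoted where the script is invoked (outside this hunk); that dependency deserves a comment on the assignment such as `# options may hold two words ("trace -n"); must be expanded unquoted when the script is run`. The `shift;` carries a stray semicolon that the neighbouring lines do not use; `shift` alone matches the file's style. The same hunk is repeated in the shorewall6 lib.cli `run_it()` (`@ -92,7 +92,12`). run_it's body begins before and continues after this hunk.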
@ -1,5 +1,5 @@
|
|||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
S H O R E W A L L 4 . 4 . 10
|
S H O R E W A L L 4 . 4 . 1 0 . 3
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
I. RELEASE 4.4 HIGHLIGHTS
|
I. RELEASE 4.4 HIGHLIGHTS
|
||||||
@ -218,6 +218,78 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
4.4.10.3
|
||||||
|
|
||||||
|
1) If 'trace' or 'debug' was specified on a command that ran the
|
||||||
|
compiled script, an invalid command line was passed to that script
|
||||||
|
resulting in a failure:
|
||||||
|
|
||||||
|
Shorewall configuration compiled to /var/lib/shorewall/.start
|
||||||
|
Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
|
||||||
|
refresh|restart|status|up|version ]
|
||||||
|
|
||||||
|
Options are:
|
||||||
|
|
||||||
|
-v and -q Standard Shorewall verbosity controls
|
||||||
|
-n Don't unpdate routing configuration
|
||||||
|
-p Purge Conntrack Table
|
||||||
|
-t Timestamp progress Messages
|
||||||
|
-V <verbosity> Set verbosity explicitly
|
||||||
|
-R <file> Override RESTOREFILE setting
|
||||||
|
|
||||||
|
2) If the following options were specified in /etc/shorewall/interfaces
|
||||||
|
for an interface with '-' in the ZONE column, then these options
|
||||||
|
would be ignored if there was an entry in the hosts file for the
|
||||||
|
interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
|
||||||
|
implied when the host list begins with '!').
|
||||||
|
|
||||||
|
blacklist
|
||||||
|
maclist
|
||||||
|
nosmurfs
|
||||||
|
tcpflags
|
||||||
|
|
||||||
|
Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
|
||||||
|
|
||||||
|
3) When REQUIRE_INTERFACE=Yes, the generated script was missing a
|
||||||
|
closing quote.
|
||||||
|
|
||||||
|
4.4.10.2
|
||||||
|
|
||||||
|
1) The start priorities of the Shorewall products were incorrect on
|
||||||
|
Debian when the insserv package is installed. This is corrected for
|
||||||
|
new installs, but existing users who have both insserv and a
|
||||||
|
Shorewall product are urged to run insserv just be be sure.
|
||||||
|
|
||||||
|
2) The log output from IPv6 logs was almost unreadable due to display
|
||||||
|
of IPv6 addresses in uncompressed format. A similar problem
|
||||||
|
occurred with 'shorewall6 show connections'. This update makes the
|
||||||
|
displays much clearer at the expense of opening the slight
|
||||||
|
possibility of two '::' sequences being incorrectly shown in the
|
||||||
|
same address.
|
||||||
|
|
||||||
|
3) The new REQUIRE_INTERFACE was inadvertently omitted from
|
||||||
|
shorewall.conf and shorewall6.conf. It has been added.
|
||||||
|
|
||||||
|
4) Under Perl 5.12.1, a Perl run-time diagnostic was produced
|
||||||
|
when options were omitted from shorewall.conf or shorewall6.conf.
|
||||||
|
|
||||||
|
4.4.10.1
|
||||||
|
|
||||||
|
1) The IPv6 allowBcast action generated an invalid rule.
|
||||||
|
|
||||||
|
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
|
||||||
|
ipset was used in a configuration file entry, the following
|
||||||
|
fatal compilation error occurred:
|
||||||
|
|
||||||
|
ERROR: ipset names in Shorewall configuration files require Ipset
|
||||||
|
Match in your kernel and iptables : /etc/shorewall/rules (line nn)
|
||||||
|
|
||||||
|
If you applied the workaround given in the "Known Problems", then
|
||||||
|
you should remove /etc/shorewall/capabilities after installing
|
||||||
|
this fix.
|
||||||
|
|
||||||
|
4.4.10
|
||||||
|
|
||||||
1) Startup Errors (those that are detected before the state of the
|
1) Startup Errors (those that are detected before the state of the
|
||||||
system has been altered), were previously not sent to the
|
system has been altered), were previously not sent to the
|
||||||
STARTUP_LOG.
|
STARTUP_LOG.
|
||||||
@ -263,6 +335,8 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
|||||||
|
|
||||||
This configuration now works correctly.
|
This configuration now works correctly.
|
||||||
|
|
||||||
|
5) The 'forget' command now correctly removes saved ipsets.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -410,6 +484,11 @@ None.
|
|||||||
shorewall-init: 4.4.10-RC1
|
shorewall-init: 4.4.10-RC1
|
||||||
gateway:~#
|
gateway:~#
|
||||||
|
|
||||||
|
3) Beginning with this release, the 'restart' and 'refresh' commands
|
||||||
|
now retain the contents of the dynamic blacklist as well as the
|
||||||
|
current UPnP rules. The dynamic blacklist is also preserved over
|
||||||
|
stop/start.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||||
I N P R I O R R E L E A S E S
|
I N P R I O R R E L E A S E S
|
||||||
|
@ -1829,6 +1829,7 @@ case "$COMMAND" in
|
|||||||
if [ -x $g_restorepath ]; then
|
if [ -x $g_restorepath ]; then
|
||||||
rm -f $g_restorepath
|
rm -f $g_restorepath
|
||||||
rm -f ${g_restorepath}-iptables
|
rm -f ${g_restorepath}-iptables
|
||||||
|
rm -f ${g_restorepath}-ipsets
|
||||||
echo " $g_restorepath removed"
|
echo " $g_restorepath removed"
|
||||||
elif [ -f $g_restorepath ]; then
|
elif [ -f $g_restorepath ]; then
|
||||||
echo " $g_restorepath exists and is not a saved Shorewall configuration"
|
echo " $g_restorepath exists and is not a saved Shorewall configuration"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 4.4.10
|
%define version 4.4.10
|
||||||
%define release 0base
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -108,8 +108,16 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
|
* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-3
|
||||||
|
* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-2
|
||||||
|
* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-1
|
||||||
|
* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0base
|
- Updated to 4.4.10-0base
|
||||||
|
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-0RC3
|
||||||
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0RC2
|
- Updated to 4.4.10-0RC2
|
||||||
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -350,7 +350,13 @@ if [ -z "$DESTDIR" ]; then
|
|||||||
if [ -n "$first_install" ]; then
|
if [ -n "$first_install" ]; then
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
|
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
|
||||||
|
|
||||||
|
if [ -x /sbin/insserv ]; then
|
||||||
|
insserv /etc/init.d/shorewall6-lite
|
||||||
|
else
|
||||||
ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
|
ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Shorewall6 Lite will start automatically at boot"
|
echo "Shorewall6 Lite will start automatically at boot"
|
||||||
else
|
else
|
||||||
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6-lite
|
%define name shorewall6-lite
|
||||||
%define version 4.4.10
|
%define version 4.4.10
|
||||||
%define release 0base
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -93,8 +93,16 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
|
* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-3
|
||||||
|
* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-2
|
||||||
|
* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-1
|
||||||
|
* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0base
|
- Updated to 4.4.10-0base
|
||||||
|
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-0RC3
|
||||||
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0RC2
|
- Updated to 4.4.10-0RC2
|
||||||
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -718,7 +718,13 @@ fi
|
|||||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||||
if [ -n "$DEBIAN" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
|
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
|
||||||
|
|
||||||
|
if [ -x /sbin/insserv ]; then
|
||||||
|
insserv /etc/init.d/shorewall6
|
||||||
|
else
|
||||||
ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
|
ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
|
||||||
|
fi
|
||||||
|
|
||||||
echo "shorewall6 will start automatically at boot"
|
echo "shorewall6 will start automatically at boot"
|
||||||
echo "Set startup=1 in /etc/default/shorewall6 to enable"
|
echo "Set startup=1 in /etc/default/shorewall6 to enable"
|
||||||
touch /var/log/shorewall6-init.log
|
touch /var/log/shorewall6-init.log
|
||||||
|
@ -134,18 +134,18 @@ syslog_circular_buffer() {
|
|||||||
packet_log() # $1 = number of messages
|
packet_log() # $1 = number of messages
|
||||||
{
|
{
|
||||||
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
|
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
|
||||||
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
|
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
|
||||||
else
|
else
|
||||||
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
|
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
search_log() # $1 = IP address to search for
|
search_log() # $1 = IP address to search for
|
||||||
{
|
{
|
||||||
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
|
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
|
||||||
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
|
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
|
||||||
else
|
else
|
||||||
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
|
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
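Review bot: The added `sed -r` expressions rewrite the whole log line, not just the IPv6 address fields, and in the `$g_showmacs` branch the line still carries `MAC=`: a MAC such as `00:1a:4d:00:05:ff` (constructed example) comes out as `00:1a:4d::5:ff` after `s/:0+/:/g`, and if `$g_logread` leaves a syslog `HH:MM:SS` timestamp in front of `$host`, `12:00:05` becomes `12::5` the same way. Those are exactly the fields an operator uses to tie a log line to a device or a time window, so the compression needs to be scoped to the `SRC=`/`DST=` values; a plain `s///g` cannot be limited to a sub-match, so either isolate the address text first or apply the three substitutions in a small helper that only touches the text following `SRC=` and `DST=`. The `::` ambiguity acknowledged in the release notes is a separate problem. The same three expressions appear on both branches of `packet_log()` and `search_log()` in this hunk.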
@ -439,7 +439,7 @@ show_command() {
|
|||||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||||
echo
|
echo
|
||||||
grep '^ipv6' /proc/net/nf_conntrack
|
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
|
||||||
;;
|
;;
|
||||||
tos|mangle)
|
tos|mangle)
|
||||||
[ $# -gt 1 ] && usage 1
|
[ $# -gt 1 ] && usage 1
|
||||||
|
@ -92,7 +92,12 @@ run_it() {
|
|||||||
#
|
#
|
||||||
# 4.4.8 or later -- no additional exports required
|
# 4.4.8 or later -- no additional exports required
|
||||||
#
|
#
|
||||||
|
if [ x$1 = xtrace -o x$1 = xdebug ]; then
|
||||||
|
options="$1 -"
|
||||||
|
shift;
|
||||||
|
else
|
||||||
options='-'
|
options='-'
|
||||||
|
fi
|
||||||
|
|
||||||
[ -n "$g_noroutes" ] && options=${options}n
|
[ -n "$g_noroutes" ] && options=${options}n
|
||||||
[ -n "$g_timestamp" ] && options=${options}t
|
[ -n "$g_timestamp" ] && options=${options}t
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6
|
%define name shorewall6
|
||||||
%define version 4.4.10
|
%define version 4.4.10
|
||||||
%define release 0base
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -98,8 +98,16 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
|
* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-3
|
||||||
|
* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-2
|
||||||
|
* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-1
|
||||||
|
* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0base
|
- Updated to 4.4.10-0base
|
||||||
|
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.10-0RC3
|
||||||
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.10-0RC2
|
- Updated to 4.4.10-0RC2
|
||||||
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
* Thu May 27 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.10
|
VERSION=4.4.10.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -109,6 +109,11 @@ forwardUPnP net loc</programlisting>
|
|||||||
this route during <command>start</command> and deletes it during
|
this route during <command>start</command> and deletes it during
|
||||||
<command>stop</command>.</para>
|
<command>stop</command>.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
|
||||||
|
added by linux-idg over a <command>shorewall restart</command>.</para>
|
||||||
|
</caution>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
@ -188,6 +188,11 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|||||||
<para>save - save the dynamic blacklisting configuration so that it
|
<para>save - save the dynamic blacklisting configuration so that it
|
||||||
will be automatically restored the next time that the firewall is
|
will be automatically restored the next time that the firewall is
|
||||||
restarted.</para>
|
restarted.</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
||||||
|
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
|
||||||
|
<command>stop/start</command> sequences and over
|
||||||
|
<command>restart</command>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -48,6 +48,17 @@
|
|||||||
before you use them with Shorewall.</para>
|
before you use them with Shorewall.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title id="Intro">Introduction</title>
|
||||||
|
|
||||||
|
<para>This article offers hints about how to accomplish common tasks with
|
||||||
|
Shorewall. The <ulink url="Introduction.html">Introduction to
|
||||||
|
Shorewall</ulink> is required reading for being able to use this article
|
||||||
|
effectively. For information about setting up your first Shorewall-based
|
||||||
|
firewall, see the <ulink url="GettingStarted.html">Quickstart
|
||||||
|
Guides</ulink>.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section id="Files">
|
<section id="Files">
|
||||||
<title>Files</title>
|
<title>Files</title>
|
||||||
|
|
||||||
@ -111,8 +122,9 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>/etc/shorewall/tcrules </filename>- defines marking
|
<para><filename>/etc/shorewall/tcrules </filename>- The file has a
|
||||||
of packets for later use by traffic control/shaping or policy
|
rather unfortunate name because it is used to define marking of
|
||||||
|
packets for later use by both traffic control/shaping and policy
|
||||||
routing.</para>
|
routing.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|