forked from extern/shorewall_code
Compare commits
16 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
4e19c193a1 | ||
|
5fc72fc727 | ||
|
cdf78dfecf | ||
|
edf614bf4b | ||
|
1a3794e7b0 | ||
|
cfcc59c731 | ||
|
0de4208fef | ||
|
3b6e7c3698 | ||
|
9ffab23f9a | ||
|
2f938a5647 | ||
|
7a522dd213 | ||
|
c10ea7befd | ||
|
295799d4d1 | ||
|
dd83a0e726 | ||
|
ce599945c7 | ||
|
7302b785fd |
1
.gitattributes
vendored
1
.gitattributes
vendored
@ -1 +0,0 @@
|
|||||||
*targetname export-ignore
|
|
@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
|
|||||||
that what they have is not the original version, so that the original
|
that what they have is not the original version, so that the original
|
||||||
author's reputation will not be affected by problems that might be
|
author's reputation will not be affected by problems that might be
|
||||||
introduced by others.
|
introduced by others.
|
||||||
|
|
||||||
Finally, software patents pose a constant threat to the existence of
|
Finally, software patents pose a constant threat to the existence of
|
||||||
any free program. We wish to make sure that a company cannot
|
any free program. We wish to make sure that a company cannot
|
||||||
effectively restrict the users of a free program by obtaining a
|
effectively restrict the users of a free program by obtaining a
|
||||||
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
|
|||||||
"work based on the library" and a "work that uses the library". The
|
"work based on the library" and a "work that uses the library". The
|
||||||
former contains code derived from the library, whereas the latter must
|
former contains code derived from the library, whereas the latter must
|
||||||
be combined with the library in order to run.
|
be combined with the library in order to run.
|
||||||
|
|
||||||
GNU LESSER GENERAL PUBLIC LICENSE
|
GNU LESSER GENERAL PUBLIC LICENSE
|
||||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
|
|||||||
on the Library (independent of the use of the Library in a tool for
|
on the Library (independent of the use of the Library in a tool for
|
||||||
writing it). Whether that is true depends on what the Library does
|
writing it). Whether that is true depends on what the Library does
|
||||||
and what the program that uses the Library does.
|
and what the program that uses the Library does.
|
||||||
|
|
||||||
1. You may copy and distribute verbatim copies of the Library's
|
1. You may copy and distribute verbatim copies of the Library's
|
||||||
complete source code as you receive it, in any medium, provided that
|
complete source code as you receive it, in any medium, provided that
|
||||||
you conspicuously and appropriately publish on each copy an
|
you conspicuously and appropriately publish on each copy an
|
||||||
@ -158,7 +158,7 @@ Library.
|
|||||||
You may charge a fee for the physical act of transferring a copy,
|
You may charge a fee for the physical act of transferring a copy,
|
||||||
and you may at your option offer warranty protection in exchange for a
|
and you may at your option offer warranty protection in exchange for a
|
||||||
fee.
|
fee.
|
||||||
|
|
||||||
2. You may modify your copy or copies of the Library or any portion
|
2. You may modify your copy or copies of the Library or any portion
|
||||||
of it, thus forming a work based on the Library, and copy and
|
of it, thus forming a work based on the Library, and copy and
|
||||||
distribute such modifications or work under the terms of Section 1
|
distribute such modifications or work under the terms of Section 1
|
||||||
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
|
|||||||
ordinary GNU General Public License has appeared, then you can specify
|
ordinary GNU General Public License has appeared, then you can specify
|
||||||
that version instead if you wish.) Do not make any other change in
|
that version instead if you wish.) Do not make any other change in
|
||||||
these notices.
|
these notices.
|
||||||
|
|
||||||
Once this change is made in a given copy, it is irreversible for
|
Once this change is made in a given copy, it is irreversible for
|
||||||
that copy, so the ordinary GNU General Public License applies to all
|
that copy, so the ordinary GNU General Public License applies to all
|
||||||
subsequent copies and derivative works made from that copy.
|
subsequent copies and derivative works made from that copy.
|
||||||
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
|
|||||||
distribute the object code for the work under the terms of Section 6.
|
distribute the object code for the work under the terms of Section 6.
|
||||||
Any executables containing that work also fall under Section 6,
|
Any executables containing that work also fall under Section 6,
|
||||||
whether or not they are linked directly with the Library itself.
|
whether or not they are linked directly with the Library itself.
|
||||||
|
|
||||||
6. As an exception to the Sections above, you may also combine or
|
6. As an exception to the Sections above, you may also combine or
|
||||||
link a "work that uses the Library" with the Library to produce a
|
link a "work that uses the Library" with the Library to produce a
|
||||||
work containing portions of the Library, and distribute that work
|
work containing portions of the Library, and distribute that work
|
||||||
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
|
|||||||
accompany the operating system. Such a contradiction means you cannot
|
accompany the operating system. Such a contradiction means you cannot
|
||||||
use both them and the Library together in an executable that you
|
use both them and the Library together in an executable that you
|
||||||
distribute.
|
distribute.
|
||||||
|
|
||||||
7. You may place library facilities that are a work based on the
|
7. You may place library facilities that are a work based on the
|
||||||
Library side-by-side in a single library together with other library
|
Library side-by-side in a single library together with other library
|
||||||
facilities not covered by this License, and distribute such a combined
|
facilities not covered by this License, and distribute such a combined
|
||||||
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
|
|||||||
restrictions on the recipients' exercise of the rights granted herein.
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
You are not responsible for enforcing compliance by third parties with
|
You are not responsible for enforcing compliance by third parties with
|
||||||
this License.
|
this License.
|
||||||
|
|
||||||
11. If, as a consequence of a court judgment or allegation of patent
|
11. If, as a consequence of a court judgment or allegation of patent
|
||||||
infringement or for any other reason (not limited to patent issues),
|
infringement or for any other reason (not limited to patent issues),
|
||||||
conditions are imposed on you (whether by court order, agreement or
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
|
|||||||
the Free Software Foundation. If the Library does not specify a
|
the Free Software Foundation. If the Library does not specify a
|
||||||
license version number, you may choose any version ever published by
|
license version number, you may choose any version ever published by
|
||||||
the Free Software Foundation.
|
the Free Software Foundation.
|
||||||
|
|
||||||
14. If you wish to incorporate parts of the Library into other free
|
14. If you wish to incorporate parts of the Library into other free
|
||||||
programs whose distribution conditions are incompatible with these,
|
programs whose distribution conditions are incompatible with these,
|
||||||
write to the author to ask for permission. For software which is
|
write to the author to ask for permission. For software which is
|
||||||
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
|
|||||||
DAMAGES.
|
DAMAGES.
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
How to Apply These Terms to Your New Libraries
|
How to Apply These Terms to Your New Libraries
|
||||||
|
|
||||||
If you develop a new library, and you want it to be of the greatest
|
If you develop a new library, and you want it to be of the greatest
|
@ -1,9 +1,9 @@
|
|||||||
For instructions on using these sample configurations, please see
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
https://shorewall.org/three-interface.htm
|
http://www.shorewall.net/shorewall_quickstart_guide.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006-2015 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
||||||
Thomas M. Eastep
|
Thomas M. Eastep
|
||||||
Paul D. Gear
|
Paul D. Gear
|
||||||
Cristian Rodriguez
|
Cristian Rodriguez
|
@ -4,11 +4,9 @@
|
|||||||
# For information about entries in this file, type "man shorewall-interfaces"
|
# For information about entries in this file, type "man shorewall-interfaces"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-interfaces.html
|
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?FORMAT 2
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
###############################################################################
|
- lo - ignore
|
||||||
#ZONE INTERFACE OPTIONS
|
net all - dhcp,physical=+,routeback,optional
|
||||||
- lo ignore
|
|
||||||
net all dhcp,physical=+,routeback
|
|
@ -4,9 +4,10 @@
|
|||||||
# For information about entries in this file, type "man shorewall-policy"
|
# For information about entries in this file, type "man shorewall-policy"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-policy.html
|
# http://www.shorewall.net/manpages/shorewall-policy.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||||
|
# LEVEL BURST MASK
|
||||||
$FW net ACCEPT
|
$FW net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP
|
@ -4,18 +4,14 @@
|
|||||||
# For information on the settings in this file, type "man shorewall-rules"
|
# For information on the settings in this file, type "man shorewall-rules"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-rules.html
|
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||||
#
|
#
|
||||||
######################################################################################################################################################################################################
|
####################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
#SECTION ESTABLISHED
|
||||||
?SECTION ESTABLISHED
|
#SECTION RELATED
|
||||||
?SECTION RELATED
|
SECTION NEW
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
Invalid(DROP) net $FW tcp
|
|
||||||
SSH(ACCEPT) net $FW
|
SSH(ACCEPT) net $FW
|
||||||
Ping(ACCEPT) net $FW
|
Ping(ACCEPT) net $FW
|
@ -1,10 +1,10 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall Version 5 -- /etc/shorewall/shorewall.conf
|
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
|
||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall.conf"
|
# For information about the settings in this file, type "man shorewall.conf"
|
||||||
#
|
#
|
||||||
# Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
|
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -18,250 +18,181 @@ STARTUP_ENABLED=Yes
|
|||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A G E R
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
PAGER=
|
LOGFILE=
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# F I R E W A L L
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
LOG_LEVEL="info"
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
|
||||||
|
|
||||||
LOGTAGONLY=No
|
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall-init.log
|
STARTUP_LOG=/var/log/shorewall-init.log
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
|
LOGLIMIT=
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ARPTABLES=
|
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IPTABLES=
|
IPTABLES=
|
||||||
|
|
||||||
IP=
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
IPSET=
|
IPSET=
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
IPSECFILE=zones
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=On
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
|
||||||
|
|
||||||
ADD_IP_ALIASES=No
|
ADD_IP_ALIASES=No
|
||||||
|
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
COMPLETE=Yes
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DISABLE_IPV6=No
|
|
||||||
|
|
||||||
DOCKER=No
|
|
||||||
|
|
||||||
DOCKER_BRIDGE=docker0
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=Yes
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=On
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MULTICAST=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
NULL_ROUTE_RFC1918=No
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=Yes
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
RETAIN_ALIASES=No
|
RETAIN_ALIASES=No
|
||||||
|
|
||||||
ROUTE_FILTER=No
|
|
||||||
|
|
||||||
SAVE_ARPTABLES=No
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Internal
|
TC_ENABLED=Internal
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
ROUTE_FILTER=No
|
||||||
|
|
||||||
|
DETECT_DNAT_IPADDRS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
DISABLE_IPV6=No
|
||||||
|
|
||||||
|
DYNAMIC_ZONES=No
|
||||||
|
|
||||||
|
NULL_ROUTE_RFC1918=No
|
||||||
|
|
||||||
|
MACLIST_TABLE=filter
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
|
SAVE_IPSETS=No
|
||||||
|
|
||||||
|
MAPOLDACTIONS=No
|
||||||
|
|
||||||
|
FASTACCEPT=Yes
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
USE_ACTIONS=Yes
|
||||||
|
|
||||||
|
OPTIMIZE=15
|
||||||
|
|
||||||
|
EXPORTPARAMS=Yes
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=No
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
MULTICAST=No
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
|
RESTORE_DEFAULT_ROUTE=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=Yes
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=Yes
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -269,32 +200,8 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -4,7 +4,7 @@
|
|||||||
# For information about this file, type "man shorewall-zones"
|
# For information about this file, type "man shorewall-zones"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-zones.html
|
# http://www.shorewall.net/manpages/shorewall-zones.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ZONE TYPE OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
@ -1,9 +1,9 @@
|
|||||||
For instructions on using this sample configuration, please see
|
For instructions on using this sample configuration, please see
|
||||||
|
|
||||||
https://shorewall.org/standalone.htm
|
http://www.shorewall.net/standalone.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006-2015 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
||||||
Thomas M. Eastep
|
Thomas M. Eastep
|
||||||
Paul D. Gear
|
Paul D. Gear
|
||||||
Cristian Rodriguez
|
Cristian Rodriguez
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Stoppedrules File for two-interface configuration.
|
# Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
|
||||||
# Copyright (C) 2012-2017 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -9,9 +9,7 @@
|
|||||||
#
|
#
|
||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-stoppedrules"
|
# For information about entries in this file, type "man shorewall-interfaces"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
# PORT(S) PORT(S)
|
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs
|
||||||
ACCEPT LOC_IF -
|
|
||||||
ACCEPT - LOC_IF
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Policy File for one-interface configuration.
|
# Shorewall version 4.0 - Sample Policy File for one-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,8 +11,8 @@
|
|||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-policy"
|
# For information about entries in this file, type "man shorewall-policy"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
$FW net ACCEPT
|
$FW net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP info
|
||||||
# The FOLLOWING POLICY MUST BE LAST
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Rules File for one-interface configuration.
|
# Shorewall version 4.0 - Sample Rules File for one-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------------------------------------
|
||||||
# For information on entries in this file, type "man shorewall-rules"
|
# For information on entries in this file, type "man shorewall-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Drop packets in the INVALID state
|
|
||||||
|
|
||||||
Invalid(DROP) net $FW tcp
|
|
||||||
|
|
||||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall - Sample shorewall.conf for one-interface
|
# Shorewall version 4.0 - Sample shorewall.conf for one-interface
|
||||||
# configuration.
|
# configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -13,8 +13,8 @@
|
|||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall.conf"
|
# For information about the settings in this file, type "man shorewall.conf"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
# http://shorewall.net/manpages/shorewall.conf.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
@ -29,250 +29,181 @@ STARTUP_ENABLED=No
|
|||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A G E R
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
PAGER=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# F I R E W A L L
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
LOG_LEVEL=info
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
STARTUP_LOG=/var/log/shorewall-init.log
|
||||||
|
|
||||||
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
LOGTAGONLY=No
|
LOGTAGONLY=No
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
LOGLIMIT=
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
LOGALLNEW=
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall-init.log
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ARPTABLES=
|
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IPTABLES=
|
IPTABLES=
|
||||||
|
|
||||||
IP=
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
IPSET=
|
IPSET=
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
IPSECFILE=zones
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
|
||||||
|
|
||||||
ADD_IP_ALIASES=No
|
ADD_IP_ALIASES=No
|
||||||
|
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
COMPLETE=No
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DISABLE_IPV6=No
|
|
||||||
|
|
||||||
DOCKER=No
|
|
||||||
|
|
||||||
DOCKER_BRIDGE=docker0
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=No
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MULTICAST=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
NULL_ROUTE_RFC1918=No
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=No
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
RETAIN_ALIASES=No
|
RETAIN_ALIASES=No
|
||||||
|
|
||||||
ROUTE_FILTER=No
|
|
||||||
|
|
||||||
SAVE_ARPTABLES=No
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Internal
|
TC_ENABLED=Internal
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
ROUTE_FILTER=No
|
||||||
|
|
||||||
|
DETECT_DNAT_IPADDRS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
DISABLE_IPV6=No
|
||||||
|
|
||||||
|
DYNAMIC_ZONES=No
|
||||||
|
|
||||||
|
PKTTYPE=Yes
|
||||||
|
|
||||||
|
NULL_ROUTE_RFC1918=No
|
||||||
|
|
||||||
|
MACLIST_TABLE=filter
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
|
SAVE_IPSETS=No
|
||||||
|
|
||||||
|
MAPOLDACTIONS=No
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=No
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
MULTICAST=No
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
|
RESTORE_DEFAULT_ROUTE=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=No
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -280,32 +211,8 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Zones File for one-interface configuration.
|
# Shorewall version 4.0 - Sample Zones File for one-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
@ -1,6 +1,6 @@
|
|||||||
For instructions on using these sample configurations, please see
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
https://shorewall.org/shorewall_quickstart_guide.htm
|
http://www.shorewall.net/three-interface.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Interfaces File for two-interface configuration.
|
# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2017 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,8 +11,7 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-interfaces"
|
# For information about entries in this file, type "man shorewall-interfaces"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?FORMAT 2
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
###############################################################################
|
net eth0 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians
|
||||||
#ZONE INTERFACE OPTIONS
|
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||||
net NET_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
|
dmz eth2 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||||
loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
|
|
18
Samples/three-interfaces/masq
Normal file
18
Samples/three-interfaces/masq
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.4 - Sample Masq file for three-interface configuration.
|
||||||
|
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall-masq"
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||||
|
eth0 10.0.0.0/8,\
|
||||||
|
169.254.0.0/16,\
|
||||||
|
172.16.0.0/12,\
|
||||||
|
192.168.0.0/16
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Policy File for three-interface configuration.
|
# Shorewall version 3.4 - Sample Policy File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,9 +11,9 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-policy"
|
# For information about entries in this file, type "man shorewall-policy"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP info
|
||||||
# THE FOLLOWING POLICY MUST BE LAST
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
16
Samples/three-interfaces/routestopped
Normal file
16
Samples/three-interfaces/routestopped
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 4.0 - Sample Routestopped File for three-interface configuration.
|
||||||
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall-routestopped"
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S)
|
||||||
|
eth1 -
|
||||||
|
eth2 -
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Rules File for three-interface configuration.
|
# Shorewall version 4.0 - Sample Rules File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-rules"
|
# For information about entries in this file, type "man shorewall-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
|
||||||
#
|
|
||||||
Invalid(DROP) net all tcp
|
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the Internet
|
# Accept DNS connections from the firewall to the Internet
|
||||||
#
|
#
|
@ -1,8 +1,8 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall - Sample shorewall.conf for two-interface
|
# Shorewall version 4.0 - Sample shorewall.conf for three-interface
|
||||||
# configuration.
|
# configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -13,8 +13,8 @@
|
|||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall.conf"
|
# For information about the settings in this file, type "man shorewall.conf"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
# http://shorewall.net/manpages/shorewall.conf.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
@ -29,250 +29,181 @@ STARTUP_ENABLED=No
|
|||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A G E R
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
PAGER=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# F I R E W A L L
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
LOG_LEVEL="info"
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
STARTUP_LOG=/var/log/shorewall-init.log
|
||||||
|
|
||||||
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
LOGTAGONLY=No
|
LOGTAGONLY=No
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
LOGLIMIT=
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
LOGALLNEW=
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall-init.log
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ARPTABLES=
|
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IPTABLES=
|
IPTABLES=
|
||||||
|
|
||||||
IP=
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
IPSET=
|
IPSET=
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
IPSECFILE=zones
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=On
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
|
||||||
|
|
||||||
ADD_IP_ALIASES=No
|
ADD_IP_ALIASES=No
|
||||||
|
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
COMPLETE=No
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DISABLE_IPV6=No
|
|
||||||
|
|
||||||
DOCKER=No
|
|
||||||
|
|
||||||
DOCKER_BRIDGE=docker0
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=No
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=On
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MULTICAST=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
NULL_ROUTE_RFC1918=No
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=No
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
RETAIN_ALIASES=No
|
RETAIN_ALIASES=No
|
||||||
|
|
||||||
ROUTE_FILTER=No
|
|
||||||
|
|
||||||
SAVE_ARPTABLES=No
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Internal
|
TC_ENABLED=Internal
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
|
ROUTE_FILTER=No
|
||||||
|
|
||||||
|
DETECT_DNAT_IPADDRS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
DISABLE_IPV6=No
|
||||||
|
|
||||||
|
DYNAMIC_ZONES=No
|
||||||
|
|
||||||
|
PKTTYPE=Yes
|
||||||
|
|
||||||
|
NULL_ROUTE_RFC1918=No
|
||||||
|
|
||||||
|
MACLIST_TABLE=filter
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
|
SAVE_IPSETS=No
|
||||||
|
|
||||||
|
MAPOLDACTIONS=No
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=No
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
MULTICAST=No
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
|
RESTORE_DEFAULT_ROUTE=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=No
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -280,32 +211,8 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Zones File for three-interface configuration.
|
# Shorewall version 4.0 - Sample Zones File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
@ -1,6 +1,6 @@
|
|||||||
For instructions on using these sample configurations, please see
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
https://shorewall.org/shorewall_quickstart_guide.htm
|
http://www.shorewall.net/two-interface.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Interfaces File for one-interface configuration.
|
# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2017 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,7 +11,6 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-interfaces"
|
# For information about entries in this file, type "man shorewall-interfaces"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?FORMAT 2
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
###############################################################################
|
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
|
||||||
#ZONE INTERFACE OPTIONS
|
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||||
net NET_IF dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=eth0
|
|
18
Samples/two-interfaces/masq
Normal file
18
Samples/two-interfaces/masq
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 4.0 - Sample Masq file for two-interface configuration.
|
||||||
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall-masq"
|
||||||
|
###############################################################################
|
||||||
|
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||||
|
eth0 10.0.0.0/8,\
|
||||||
|
169.254.0.0/16,\
|
||||||
|
172.16.0.0/12,\
|
||||||
|
192.168.0.0/16
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Policy File for two-interface configuration.
|
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,10 +11,10 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-policy"
|
# For information about entries in this file, type "man shorewall-policy"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP info
|
||||||
# THE FOLOWING POLICY MUST BE LAST
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
||||||
|
|
15
Samples/two-interfaces/routestopped
Normal file
15
Samples/two-interfaces/routestopped
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
|
||||||
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall-routestopped"
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S) OPTIONS
|
||||||
|
eth1 -
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Rules File for two-interface configuration.
|
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall-rules"
|
# For information about entries in this file, type "man shorewall-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
|
||||||
#
|
|
||||||
Invalid(DROP) net all tcp
|
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the network
|
# Accept DNS connections from the firewall to the network
|
||||||
#
|
#
|
@ -1,8 +1,8 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall - Sample shorewall.conf for three-interface
|
# Shorewall version 4.0 - Sample shorewall.conf for two-interface
|
||||||
# configuration.
|
# configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -13,10 +13,13 @@
|
|||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall.conf"
|
# For information about the settings in this file, type "man shorewall.conf"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
# http://shorewall.net/manpages/shorewall.conf.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
# S T A R T U P E N A B L E D
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
STARTUP_ENABLED=No
|
STARTUP_ENABLED=No
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -26,250 +29,188 @@ STARTUP_ENABLED=No
|
|||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A G E R
|
# C O M P I L E R
|
||||||
|
# (setting this to 'perl' requires installation of Shorewall-perl)
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
PAGER=
|
SHOREWALL_COMPILER=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
LOG_LEVEL="info"
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_MARTIANS=Yes
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
STARTUP_LOG=/var/log/shorewall-init.log
|
||||||
|
|
||||||
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
LOGTAGONLY=No
|
LOGTAGONLY=No
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
LOGLIMIT=
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
LOGALLNEW=
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall-init.log
|
LOG_MARTIANS=Yes
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ARPTABLES=
|
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IPTABLES=
|
IPTABLES=
|
||||||
|
|
||||||
IP=
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
IPSET=
|
IPSET=
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
IPSECFILE=zones
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=On
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
|
||||||
|
|
||||||
ADD_IP_ALIASES=No
|
ADD_IP_ALIASES=No
|
||||||
|
|
||||||
ADD_SNAT_ALIASES=No
|
ADD_SNAT_ALIASES=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=Yes
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
COMPLETE=No
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DISABLE_IPV6=No
|
|
||||||
|
|
||||||
DOCKER=No
|
|
||||||
|
|
||||||
DOCKER_BRIDGE=docker0
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=No
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=On
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MULTICAST=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
NULL_ROUTE_RFC1918=No
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=No
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
RETAIN_ALIASES=No
|
RETAIN_ALIASES=No
|
||||||
|
|
||||||
ROUTE_FILTER=No
|
|
||||||
|
|
||||||
SAVE_ARPTABLES=No
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Internal
|
TC_ENABLED=Internal
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=Yes
|
||||||
|
|
||||||
|
ROUTE_FILTER=No
|
||||||
|
|
||||||
|
DETECT_DNAT_IPADDRS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
DISABLE_IPV6=No
|
||||||
|
|
||||||
|
DYNAMIC_ZONES=No
|
||||||
|
|
||||||
|
PKTTYPE=Yes
|
||||||
|
|
||||||
|
NULL_ROUTE_RFC1918=No
|
||||||
|
|
||||||
|
MACLIST_TABLE=filter
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
|
SAVE_IPSETS=No
|
||||||
|
|
||||||
|
MAPOLDACTIONS=No
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=No
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
MULTICAST=No
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
USE_DEFAULT_RT=No
|
||||||
|
|
||||||
|
RESTORE_DEFAULT_ROUTE=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=No
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -277,32 +218,8 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall - Sample Zones File for two-interface configuration.
|
# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
|
|||||||
that what they have is not the original version, so that the original
|
that what they have is not the original version, so that the original
|
||||||
author's reputation will not be affected by problems that might be
|
author's reputation will not be affected by problems that might be
|
||||||
introduced by others.
|
introduced by others.
|
||||||
|
|
||||||
Finally, software patents pose a constant threat to the existence of
|
Finally, software patents pose a constant threat to the existence of
|
||||||
any free program. We wish to make sure that a company cannot
|
any free program. We wish to make sure that a company cannot
|
||||||
effectively restrict the users of a free program by obtaining a
|
effectively restrict the users of a free program by obtaining a
|
||||||
@ -111,7 +111,7 @@ modification follow. Pay close attention to the difference between a
|
|||||||
"work based on the library" and a "work that uses the library". The
|
"work based on the library" and a "work that uses the library". The
|
||||||
former contains code derived from the library, whereas the latter must
|
former contains code derived from the library, whereas the latter must
|
||||||
be combined with the library in order to run.
|
be combined with the library in order to run.
|
||||||
|
|
||||||
GNU LESSER GENERAL PUBLIC LICENSE
|
GNU LESSER GENERAL PUBLIC LICENSE
|
||||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
|
|||||||
on the Library (independent of the use of the Library in a tool for
|
on the Library (independent of the use of the Library in a tool for
|
||||||
writing it). Whether that is true depends on what the Library does
|
writing it). Whether that is true depends on what the Library does
|
||||||
and what the program that uses the Library does.
|
and what the program that uses the Library does.
|
||||||
|
|
||||||
1. You may copy and distribute verbatim copies of the Library's
|
1. You may copy and distribute verbatim copies of the Library's
|
||||||
complete source code as you receive it, in any medium, provided that
|
complete source code as you receive it, in any medium, provided that
|
||||||
you conspicuously and appropriately publish on each copy an
|
you conspicuously and appropriately publish on each copy an
|
||||||
@ -158,7 +158,7 @@ Library.
|
|||||||
You may charge a fee for the physical act of transferring a copy,
|
You may charge a fee for the physical act of transferring a copy,
|
||||||
and you may at your option offer warranty protection in exchange for a
|
and you may at your option offer warranty protection in exchange for a
|
||||||
fee.
|
fee.
|
||||||
|
|
||||||
2. You may modify your copy or copies of the Library or any portion
|
2. You may modify your copy or copies of the Library or any portion
|
||||||
of it, thus forming a work based on the Library, and copy and
|
of it, thus forming a work based on the Library, and copy and
|
||||||
distribute such modifications or work under the terms of Section 1
|
distribute such modifications or work under the terms of Section 1
|
||||||
@ -216,7 +216,7 @@ instead of to this License. (If a newer version than version 2 of the
|
|||||||
ordinary GNU General Public License has appeared, then you can specify
|
ordinary GNU General Public License has appeared, then you can specify
|
||||||
that version instead if you wish.) Do not make any other change in
|
that version instead if you wish.) Do not make any other change in
|
||||||
these notices.
|
these notices.
|
||||||
|
|
||||||
Once this change is made in a given copy, it is irreversible for
|
Once this change is made in a given copy, it is irreversible for
|
||||||
that copy, so the ordinary GNU General Public License applies to all
|
that copy, so the ordinary GNU General Public License applies to all
|
||||||
subsequent copies and derivative works made from that copy.
|
subsequent copies and derivative works made from that copy.
|
||||||
@ -267,7 +267,7 @@ Library will still fall under Section 6.)
|
|||||||
distribute the object code for the work under the terms of Section 6.
|
distribute the object code for the work under the terms of Section 6.
|
||||||
Any executables containing that work also fall under Section 6,
|
Any executables containing that work also fall under Section 6,
|
||||||
whether or not they are linked directly with the Library itself.
|
whether or not they are linked directly with the Library itself.
|
||||||
|
|
||||||
6. As an exception to the Sections above, you may also combine or
|
6. As an exception to the Sections above, you may also combine or
|
||||||
link a "work that uses the Library" with the Library to produce a
|
link a "work that uses the Library" with the Library to produce a
|
||||||
work containing portions of the Library, and distribute that work
|
work containing portions of the Library, and distribute that work
|
||||||
@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
|
|||||||
accompany the operating system. Such a contradiction means you cannot
|
accompany the operating system. Such a contradiction means you cannot
|
||||||
use both them and the Library together in an executable that you
|
use both them and the Library together in an executable that you
|
||||||
distribute.
|
distribute.
|
||||||
|
|
||||||
7. You may place library facilities that are a work based on the
|
7. You may place library facilities that are a work based on the
|
||||||
Library side-by-side in a single library together with other library
|
Library side-by-side in a single library together with other library
|
||||||
facilities not covered by this License, and distribute such a combined
|
facilities not covered by this License, and distribute such a combined
|
||||||
@ -370,7 +370,7 @@ subject to these terms and conditions. You may not impose any further
|
|||||||
restrictions on the recipients' exercise of the rights granted herein.
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
You are not responsible for enforcing compliance by third parties with
|
You are not responsible for enforcing compliance by third parties with
|
||||||
this License.
|
this License.
|
||||||
|
|
||||||
11. If, as a consequence of a court judgment or allegation of patent
|
11. If, as a consequence of a court judgment or allegation of patent
|
||||||
infringement or for any other reason (not limited to patent issues),
|
infringement or for any other reason (not limited to patent issues),
|
||||||
conditions are imposed on you (whether by court order, agreement or
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
|
|||||||
the Free Software Foundation. If the Library does not specify a
|
the Free Software Foundation. If the Library does not specify a
|
||||||
license version number, you may choose any version ever published by
|
license version number, you may choose any version ever published by
|
||||||
the Free Software Foundation.
|
the Free Software Foundation.
|
||||||
|
|
||||||
14. If you wish to incorporate parts of the Library into other free
|
14. If you wish to incorporate parts of the Library into other free
|
||||||
programs whose distribution conditions are incompatible with these,
|
programs whose distribution conditions are incompatible with these,
|
||||||
write to the author to ask for permission. For software which is
|
write to the author to ask for permission. For software which is
|
||||||
@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
|
|||||||
DAMAGES.
|
DAMAGES.
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
How to Apply These Terms to Your New Libraries
|
How to Apply These Terms to Your New Libraries
|
||||||
|
|
||||||
If you develop a new library, and you want it to be of the greatest
|
If you develop a new library, and you want it to be of the greatest
|
30
Samples6/README.txt
Normal file
30
Samples6/README.txt
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
|
http://www.shorewall.net/shorewall_quickstart_guide.htm
|
||||||
|
|
||||||
|
Shorewall Samples
|
||||||
|
Copyright (C) 2006 by the following authors:
|
||||||
|
Thomas M. Eastep
|
||||||
|
Paul D. Gear
|
||||||
|
Cristian Rodriguez
|
||||||
|
Francesca Smith
|
||||||
|
|
||||||
|
This library is free software; you can redistribute it and/or
|
||||||
|
modify it under the terms of the GNU Lesser General Public
|
||||||
|
License as published by the Free Software Foundation; either
|
||||||
|
version 2.1 of the License, or (at your option) any later version.
|
||||||
|
|
||||||
|
This library is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
Lesser General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU Lesser General Public
|
||||||
|
License along with this library; if not, write to the Free Software
|
||||||
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
||||||
|
02110-1301 USA
|
||||||
|
|
||||||
|
|
||||||
|
Sample files are licensed under the LGPL, please see the LICENSE file or
|
||||||
|
http://www.gnu.org/licenses/lgpl.html for more details.
|
||||||
|
|
@ -4,12 +4,10 @@
|
|||||||
# For information about entries in this file, type "man shorewall-interfaces"
|
# For information about entries in this file, type "man shorewall-interfaces"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-interfaces.html
|
# http://www.shorewall.net/manpages/shorewall-interfaces.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?FORMAT 2
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
###############################################################################
|
- lo - ignore
|
||||||
#ZONE INTERFACE OPTIONS
|
net all - dhcp,physical=+,routeback
|
||||||
- lo ignore
|
|
||||||
net all dhcp,physical=+,routeback
|
|
||||||
|
|
@ -4,10 +4,11 @@
|
|||||||
# For information about entries in this file, type "man shorewall-policy"
|
# For information about entries in this file, type "man shorewall-policy"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-policy.html
|
# http://www.shorewall.net/manpages/shorewall-policy.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
|
||||||
|
# LEVEL BURST MASK
|
||||||
fw net ACCEPT
|
fw net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP
|
||||||
|
|
@ -4,17 +4,14 @@
|
|||||||
# For information on the settings in this file, type "man shorewall-rules"
|
# For information on the settings in this file, type "man shorewall-rules"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-rules.html
|
# http://www.shorewall.net/manpages/shorewall-rules.html
|
||||||
#
|
#
|
||||||
######################################################################################################################################################################################################
|
####################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
#SECTION ESTABLISHED
|
||||||
?SECTION ESTABLISHED
|
#SECTION RELATED
|
||||||
?SECTION RELATED
|
SECTION NEW
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
Invalid(DROP) net $FW tcp
|
|
||||||
SSH(ACCEPT) net $FW
|
SSH(ACCEPT) net $FW
|
||||||
Ping(ACCEPT) net $FW
|
Ping(ACCEPT) net $FW
|
@ -1,11 +1,11 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
|
# Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
|
||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall6.conf"
|
# For information about the settings in this file, type "man shorewall6.conf"
|
||||||
#
|
#
|
||||||
# Manpage also online at
|
# Manpage also online at
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
# http://www.shorewall.net/manpages6/shorewall6.conf.html
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -18,225 +18,144 @@ STARTUP_ENABLED=Yes
|
|||||||
|
|
||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# P A G E R
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
PAGER=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# F I R E W A L L
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O G G I N G
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
LOG_LEVEL="info"
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=
|
LOGFILE=
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
|
||||||
|
|
||||||
LOGTAGONLY=No
|
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall6-init.log
|
STARTUP_LOG=/var/log/shorewall6-init.log
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
|
LOGLIMIT=
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IP6TABLES=
|
IP6TABLES=
|
||||||
|
|
||||||
IP=
|
IP=
|
||||||
|
|
||||||
|
TC=
|
||||||
|
|
||||||
IPSET=
|
IPSET=
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
TC_ENABLED=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
|
||||||
|
|
||||||
CLEAR_TC=No
|
|
||||||
|
|
||||||
COMPLETE=Yes
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=Yes
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=Keep
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=Yes
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Shared
|
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
FASTACCEPT=Yes
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=15
|
||||||
|
|
||||||
|
EXPORTPARAMS=Yes
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=Yes
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=Yes
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -244,32 +163,6 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -4,7 +4,7 @@
|
|||||||
# For information about this file, type "man shorewall-zones"
|
# For information about this file, type "man shorewall-zones"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# https://shorewall.org/manpages/shorewall-zones.html
|
# http://www.shorewall.net/manpages/shorewall-zones.html
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ZONE TYPE OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
@ -1,9 +1,9 @@
|
|||||||
For instructions on using this sample configuration, please see
|
For instructions on using this sample configuration, please see
|
||||||
|
|
||||||
https://shorewall.org/standalone.htm
|
http://www.shorewall.net/standalone.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006-2015 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
||||||
Thomas M. Eastep
|
Thomas M. Eastep
|
||||||
Paul D. Gear
|
Paul D. Gear
|
||||||
Cristian Rodriguez
|
Cristian Rodriguez
|
15
Samples6/one-interface/interfaces
Normal file
15
Samples6/one-interface/interfaces
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
#
|
||||||
|
# Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall6-interfaces"
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect tcpflags
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5 - Sample Policy File for one-interface configuration.
|
# Shorewall6 version 4 - Sample Policy File for one-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,9 +11,10 @@
|
|||||||
#-----------------------------------------------------------------------------
|
#-----------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-policy"
|
# For information about entries in this file, type "man shorewall6-policy"
|
||||||
#
|
#
|
||||||
##############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
$FW net ACCEPT
|
$FW net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net $FW DROP info
|
||||||
|
net all DROP info
|
||||||
# The FOLLOWING POLICY MUST BE LAST
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5 - Sample Rules File for one-interface configuration.
|
# Shorewall6 version 4 - Sample Rules File for one-interface configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------------------------------------
|
||||||
# For information on entries in this file, type "man shorewall6-rules"
|
# For information on entries in this file, type "man shorewall6-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Drop packets in the INVALID state
|
|
||||||
|
|
||||||
Invalid(DROP) net $FW tcp
|
|
||||||
|
|
||||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
|
170
Samples6/one-interface/shorewall6.conf
Normal file
170
Samples6/one-interface/shorewall6.conf
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
###############################################################################
|
||||||
|
#
|
||||||
|
# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#
|
||||||
|
# For information about the settings in this file, type "man shorewall6.conf"
|
||||||
|
#
|
||||||
|
# The manpage is also online at
|
||||||
|
# http://shorewall.net/manpages6/shorewall6.conf.html
|
||||||
|
###############################################################################
|
||||||
|
# S T A R T U P E N A B L E D
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
STARTUP_ENABLED=No
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# V E R B O S I T Y
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
VERBOSITY=1
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# L O G G I N G
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
|
STARTUP_LOG=/var/log/shorewall6-init.log
|
||||||
|
|
||||||
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
|
LOGLIMIT=
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
IP6TABLES=
|
||||||
|
|
||||||
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
|
SUBSYSLOCK=
|
||||||
|
|
||||||
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
|
ACCEPT_DEFAULT="none"
|
||||||
|
QUEUE_DEFAULT="none"
|
||||||
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# R S H / R C P C O M M A N D S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# F I R E W A L L O P T I O N S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
|
TC_ENABLED=No
|
||||||
|
|
||||||
|
TC_EXPERT=No
|
||||||
|
|
||||||
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=No
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
ZONE2ZONE=2
|
||||||
|
|
||||||
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
|
COMPLETE=No
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# P A C K E T D I S P O S I T I O N
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
|
#LAST LINE -- DO NOT REMOVE
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5 - Sample Zones File for one-interface IPv6 configuration.
|
# Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
|
||||||
# Copyright (C) 2006-2015 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
@ -1,9 +1,9 @@
|
|||||||
For instructions on using these sample configurations, please see
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
https://shorewall.org/two-interface.htm
|
http://www.shorewall.net/three-interface.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006-2014 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
||||||
Thomas M. Eastep
|
Thomas M. Eastep
|
||||||
Paul D. Gear
|
Paul D. Gear
|
||||||
Cristian Rodriguez
|
Cristian Rodriguez
|
17
Samples6/three-interfaces/interfaces
Normal file
17
Samples6/three-interfaces/interfaces
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
#
|
||||||
|
# Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall6-interfaces"
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect tcpflags,forward=1
|
||||||
|
loc eth1 detect tcpflags,forward=1
|
||||||
|
dmz eth2 detect tcpflags,forward=1
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
|
# Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,9 +11,9 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-policy"
|
# For information about entries in this file, type "man shorewall6-policy"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP info
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
||||||
|
|
20
Samples6/three-interfaces/routestopped
Normal file
20
Samples6/three-interfaces/routestopped
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
#
|
||||||
|
# Shorewall6 version 4 - Sample Routestopped File for three-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall6-routestopped"
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S)
|
||||||
|
eth1 -
|
||||||
|
eth2 -
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5.2 - Sample Rules File for three-interface configuration.
|
# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006,2007,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-rules"
|
# For information about entries in this file, type "man shorewall6-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
|
||||||
#
|
|
||||||
Invalid(DROP) net all tcp
|
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the Internet
|
# Accept DNS connections from the firewall to the Internet
|
||||||
#
|
#
|
@ -1,11 +1,19 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
|
# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# For information about the settings in this file, type "man shorewall6.conf"
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
#
|
#
|
||||||
# Manpage also online at
|
# See the file README.txt for further details.
|
||||||
# https://shorewall.org/manpages/shorewall.conf.html
|
#
|
||||||
|
# For information about the settings in this file, type "man shorewall6.conf"
|
||||||
|
#
|
||||||
|
# The manpage is also online at
|
||||||
|
# http://shorewall.net/manpages6/shorewall6.conf.html
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# S T A R T U P E N A B L E D
|
# S T A R T U P E N A B L E D
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -18,225 +26,138 @@ STARTUP_ENABLED=No
|
|||||||
|
|
||||||
VERBOSITY=1
|
VERBOSITY=1
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# P A G E R
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
PAGER=
|
|
||||||
|
|
||||||
###############################################################################
|
|
||||||
# F I R E W A L L
|
|
||||||
###############################################################################
|
|
||||||
|
|
||||||
FIREWALL=
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O G G I N G
|
# L O G G I N G
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
LOG_LEVEL="info"
|
|
||||||
|
|
||||||
BLACKLIST_LOG_LEVEL=
|
|
||||||
|
|
||||||
INVALID_LOG_LEVEL=
|
|
||||||
|
|
||||||
LOG_BACKEND=
|
|
||||||
|
|
||||||
LOG_VERBOSITY=2
|
|
||||||
|
|
||||||
LOG_ZONE=Both
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
LOGFORMAT="%s %s "
|
|
||||||
|
|
||||||
LOGLIMIT="s:1/sec:10"
|
|
||||||
|
|
||||||
LOGTAGONLY=No
|
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
RELATED_LOG_LEVEL=
|
|
||||||
|
|
||||||
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SFILTER_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
SMURF_LOG_LEVEL="$LOG_LEVEL"
|
|
||||||
|
|
||||||
STARTUP_LOG=/var/log/shorewall6-init.log
|
STARTUP_LOG=/var/log/shorewall6-init.log
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
UNTRACKED_LOG_LEVEL=
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
|
LOGLIMIT=
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
CONFIG_PATH=":${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall"
|
|
||||||
|
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
|
||||||
|
|
||||||
IP6TABLES=
|
IP6TABLES=
|
||||||
|
|
||||||
IP=
|
|
||||||
|
|
||||||
IPSET=
|
|
||||||
|
|
||||||
LOCKFILE=
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
NFACCT=
|
|
||||||
|
|
||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
RESTOREFILE=restore
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
|
|
||||||
TC=
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# D E F A U L T A C T I O N S / M A C R O S
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
ACCEPT_DEFAULT="none"
|
ACCEPT_DEFAULT="none"
|
||||||
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
|
|
||||||
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
|
|
||||||
NFQUEUE_DEFAULT="none"
|
|
||||||
QUEUE_DEFAULT="none"
|
QUEUE_DEFAULT="none"
|
||||||
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# R S H / R C P C O M M A N D S
|
# R S H / R C P C O M M A N D S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
|
||||||
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# F I R E W A L L O P T I O N S
|
# F I R E W A L L O P T I O N S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
ACCOUNTING=Yes
|
IP_FORWARDING=On
|
||||||
|
|
||||||
ACCOUNTING_TABLE=filter
|
TC_ENABLED=No
|
||||||
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
AUTOCOMMENT=Yes
|
|
||||||
|
|
||||||
AUTOHELPERS=Yes
|
|
||||||
|
|
||||||
AUTOMAKE=Yes
|
|
||||||
|
|
||||||
BALANCE_PROVIDERS=No
|
|
||||||
|
|
||||||
BASIC_FILTERS=No
|
|
||||||
|
|
||||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
|
||||||
|
|
||||||
CLAMPMSS=No
|
|
||||||
|
|
||||||
CLEAR_TC=No
|
|
||||||
|
|
||||||
COMPLETE=No
|
|
||||||
|
|
||||||
DEFER_DNS_RESOLUTION=Yes
|
|
||||||
|
|
||||||
DELETE_THEN_ADD=Yes
|
|
||||||
|
|
||||||
DONT_LOAD=
|
|
||||||
|
|
||||||
DYNAMIC_BLACKLIST=Yes
|
|
||||||
|
|
||||||
EXPAND_POLICIES=Yes
|
|
||||||
|
|
||||||
EXPORTMODULES=Yes
|
|
||||||
|
|
||||||
FASTACCEPT=No
|
|
||||||
|
|
||||||
FORWARD_CLEAR_MARK=
|
|
||||||
|
|
||||||
HELPERS=
|
|
||||||
|
|
||||||
IGNOREUNKNOWNVARIABLES=No
|
|
||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
|
||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
|
||||||
|
|
||||||
IP_FORWARDING=Keep
|
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
|
||||||
|
|
||||||
MACLIST_TABLE=filter
|
|
||||||
|
|
||||||
MACLIST_TTL=
|
|
||||||
|
|
||||||
MANGLE_ENABLED=Yes
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
MINIUPNPD=No
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
OPTIMIZE=All
|
|
||||||
|
|
||||||
OPTIMIZE_ACCOUNTING=No
|
|
||||||
|
|
||||||
PERL_HASH_SEED=0
|
|
||||||
|
|
||||||
REJECT_ACTION=
|
|
||||||
|
|
||||||
RENAME_COMBINED=Yes
|
|
||||||
|
|
||||||
REQUIRE_INTERFACE=No
|
|
||||||
|
|
||||||
RESTART=restart
|
|
||||||
|
|
||||||
RESTORE_DEFAULT_ROUTE=Yes
|
|
||||||
|
|
||||||
RESTORE_ROUTEMARKS=Yes
|
|
||||||
|
|
||||||
SAVE_IPSETS=No
|
|
||||||
|
|
||||||
TC_ENABLED=Shared
|
|
||||||
|
|
||||||
TC_EXPERT=No
|
TC_EXPERT=No
|
||||||
|
|
||||||
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=Yes
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
TRACK_PROVIDERS=Yes
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
TRACK_RULES=No
|
ZONE2ZONE=2
|
||||||
|
|
||||||
USE_DEFAULT_RT=Yes
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
USE_NFLOG_SIZE=No
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
USE_PHYSICAL_NAMES=No
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
USE_RT_NAMES=No
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
VERBOSE_MESSAGES=Yes
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
WARNOLDCAPVERSION=Yes
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
WORKAROUNDS=No
|
COMPLETE=No
|
||||||
|
|
||||||
ZERO_MARKS=No
|
|
||||||
|
|
||||||
ZONE2ZONE=-
|
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
@ -244,32 +165,6 @@ ZONE2ZONE=-
|
|||||||
|
|
||||||
BLACKLIST_DISPOSITION=DROP
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
INVALID_DISPOSITION=CONTINUE
|
|
||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
|
||||||
|
|
||||||
RELATED_DISPOSITION=ACCEPT
|
|
||||||
|
|
||||||
SFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
RPFILTER_DISPOSITION=DROP
|
|
||||||
|
|
||||||
SMURF_DISPOSITION=DROP
|
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
UNTRACKED_DISPOSITION=CONTINUE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# P A C K E T M A R K L A Y O U T
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
TC_BITS=
|
|
||||||
|
|
||||||
PROVIDER_BITS=
|
|
||||||
|
|
||||||
PROVIDER_OFFSET=
|
|
||||||
|
|
||||||
MASK_BITS=
|
|
||||||
|
|
||||||
ZONE_BITS=0
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5.2 - Sample Zones File for three-interface configuration.
|
# Shorewall6 version 4 - Sample Zones File for three-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -15,6 +15,6 @@
|
|||||||
#ZONE TYPE OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
# OPTIONS OPTIONS
|
# OPTIONS OPTIONS
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv6
|
net ipv4
|
||||||
loc ipv6
|
loc ipv4
|
||||||
dmz ipv6
|
dmz ipv4
|
@ -1,9 +1,9 @@
|
|||||||
For instructions on using these sample configurations, please see
|
For instructions on using these sample configurations, please see
|
||||||
|
|
||||||
https://shorewall.org/two-interface.htm
|
http://www.shorewall.net/two-interface.htm
|
||||||
|
|
||||||
Shorewall Samples
|
Shorewall Samples
|
||||||
Copyright (C) 2006-2015 by the following authors:
|
Copyright (C) 2006 by the following authors:
|
||||||
Thomas M. Eastep
|
Thomas M. Eastep
|
||||||
Paul D. Gear
|
Paul D. Gear
|
||||||
Cristian Rodriguez
|
Cristian Rodriguez
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 - Sample Interfaces File for one-interface configuration.
|
# Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2017 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,7 +11,6 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-interfaces"
|
# For information about entries in this file, type "man shorewall6-interfaces"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
?FORMAT 2
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
###############################################################################
|
net eth0 detect tcpflags,forward=1
|
||||||
#ZONE INTERFACE OPTIONS
|
loc eth1 detect tcpflags,forward=1
|
||||||
net NET_IF tcpflags,physical=eth0
|
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 4 - Sample Policy File for two-interface configuration.
|
# Shorewall6 version 4 - Sample Policy File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -11,9 +11,9 @@
|
|||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-policy"
|
# For information about entries in this file, type "man shorewall6-policy"
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP $LOG_LEVEL
|
net all DROP info
|
||||||
all all REJECT $LOG_LEVEL
|
all all REJECT info
|
||||||
|
|
19
Samples6/two-interfaces/routestopped
Normal file
19
Samples6/two-interfaces/routestopped
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
#
|
||||||
|
# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
|
||||||
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# For information about entries in this file, type "man shorewall6-routestopped"
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S) OPTIONS
|
||||||
|
eth1 -
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5.2 - Sample Rules File for two-interface configuration.
|
# Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006-2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
@ -10,19 +10,9 @@
|
|||||||
# See the file README.txt for further details.
|
# See the file README.txt for further details.
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
# For information about entries in this file, type "man shorewall6-rules"
|
# For information about entries in this file, type "man shorewall6-rules"
|
||||||
######################################################################################################################################################################################################
|
#############################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
?SECTION ALL
|
|
||||||
?SECTION ESTABLISHED
|
|
||||||
?SECTION RELATED
|
|
||||||
?SECTION INVALID
|
|
||||||
?SECTION UNTRACKED
|
|
||||||
?SECTION NEW
|
|
||||||
|
|
||||||
# Don't allow connection pickup from the net
|
|
||||||
#
|
|
||||||
Invalid(DROP) net all tcp
|
|
||||||
#
|
#
|
||||||
# Accept DNS connections from the firewall to the network
|
# Accept DNS connections from the firewall to the network
|
||||||
#
|
#
|
170
Samples6/two-interfaces/shorewall6.conf
Normal file
170
Samples6/two-interfaces/shorewall6.conf
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
###############################################################################
|
||||||
|
#
|
||||||
|
# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
|
||||||
|
# Copyright (C) 2006 by the Shorewall Team
|
||||||
|
#
|
||||||
|
# This library is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU Lesser General Public
|
||||||
|
# License as published by the Free Software Foundation; either
|
||||||
|
# version 2.1 of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# See the file README.txt for further details.
|
||||||
|
#
|
||||||
|
# For information about the settings in this file, type "man shorewall6.conf"
|
||||||
|
#
|
||||||
|
# The manpage is also online at
|
||||||
|
# http://shorewall.net/manpages6/shorewall6.conf.html
|
||||||
|
###############################################################################
|
||||||
|
# S T A R T U P E N A B L E D
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
STARTUP_ENABLED=No
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# V E R B O S I T Y
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
VERBOSITY=1
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# L O G G I N G
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
LOGFILE=/var/log/messages
|
||||||
|
|
||||||
|
STARTUP_LOG=/var/log/shorewall6-init.log
|
||||||
|
|
||||||
|
LOG_VERBOSITY=2
|
||||||
|
|
||||||
|
LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
|
||||||
|
LOGTAGONLY=No
|
||||||
|
|
||||||
|
LOGLIMIT=
|
||||||
|
|
||||||
|
LOGALLNEW=
|
||||||
|
|
||||||
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
SMURF_LOG_LEVEL=info
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
IP6TABLES=
|
||||||
|
|
||||||
|
PERL=/usr/bin/perl
|
||||||
|
|
||||||
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
SHOREWALL_SHELL=/bin/sh
|
||||||
|
|
||||||
|
SUBSYSLOCK=
|
||||||
|
|
||||||
|
MODULESDIR=
|
||||||
|
|
||||||
|
CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
|
||||||
|
|
||||||
|
RESTOREFILE=
|
||||||
|
|
||||||
|
LOCKFILE=
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# D E F A U L T A C T I O N S / M A C R O S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
DROP_DEFAULT="Drop"
|
||||||
|
REJECT_DEFAULT="Reject"
|
||||||
|
ACCEPT_DEFAULT="none"
|
||||||
|
QUEUE_DEFAULT="none"
|
||||||
|
NFQUEUE_DEFAULT="none"
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# R S H / R C P C O M M A N D S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
RSH_COMMAND='ssh ${root}@${system} ${command}'
|
||||||
|
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# F I R E W A L L O P T I O N S
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
IP_FORWARDING=On
|
||||||
|
|
||||||
|
TC_ENABLED=No
|
||||||
|
|
||||||
|
TC_EXPERT=No
|
||||||
|
|
||||||
|
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
|
CLAMPMSS=No
|
||||||
|
|
||||||
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
|
ADMINISABSENTMINDED=Yes
|
||||||
|
|
||||||
|
BLACKLISTNEWONLY=Yes
|
||||||
|
|
||||||
|
MODULE_SUFFIX=ko
|
||||||
|
|
||||||
|
FASTACCEPT=No
|
||||||
|
|
||||||
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
HIGH_ROUTE_MARKS=No
|
||||||
|
|
||||||
|
OPTIMIZE=1
|
||||||
|
|
||||||
|
EXPORTPARAMS=No
|
||||||
|
|
||||||
|
EXPAND_POLICIES=No
|
||||||
|
|
||||||
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
DELETE_THEN_ADD=Yes
|
||||||
|
|
||||||
|
DONT_LOAD=
|
||||||
|
|
||||||
|
AUTO_COMMENT=Yes
|
||||||
|
|
||||||
|
MANGLE_ENABLED=Yes
|
||||||
|
|
||||||
|
AUTOMAKE=No
|
||||||
|
|
||||||
|
WIDE_TC_MARKS=Yes
|
||||||
|
|
||||||
|
TRACK_PROVIDERS=Yes
|
||||||
|
|
||||||
|
ZONE2ZONE=2
|
||||||
|
|
||||||
|
ACCOUNTING=Yes
|
||||||
|
|
||||||
|
DYNAMIC_BLACKLIST=Yes
|
||||||
|
|
||||||
|
OPTIMIZE_ACCOUNTING=No
|
||||||
|
|
||||||
|
LOAD_HELPERS_ONLY=Yes
|
||||||
|
|
||||||
|
REQUIRE_INTERFACE=No
|
||||||
|
|
||||||
|
FORWARD_CLEAR_MARK=
|
||||||
|
|
||||||
|
COMPLETE=No
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# P A C K E T D I S P O S I T I O N
|
||||||
|
###############################################################################
|
||||||
|
|
||||||
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
|
#LAST LINE -- DO NOT REMOVE
|
@ -1,6 +1,6 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 5.2 - Sample Zones File for two-interface configuration.
|
# Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
|
||||||
# Copyright (C) 2006-2014 by the Shorewall Team
|
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||||
#
|
#
|
||||||
# This library is free software; you can redistribute it and/or
|
# This library is free software; you can redistribute it and/or
|
||||||
# modify it under the terms of the GNU Lesser General Public
|
# modify it under the terms of the GNU Lesser General Public
|
@ -1,341 +0,0 @@
|
|||||||
GNU GENERAL PUBLIC LICENSE
|
|
||||||
Version 2, June 1991
|
|
||||||
|
|
||||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
|
||||||
51 Franklin Street, Fifth Floor,
|
|
||||||
Boston, MA 02110-1301 USA
|
|
||||||
Everyone is permitted to copy and distribute verbatim copies
|
|
||||||
of this license document, but changing it is not allowed.
|
|
||||||
|
|
||||||
Preamble
|
|
||||||
|
|
||||||
The licenses for most software are designed to take away your
|
|
||||||
freedom to share and change it. By contrast, the GNU General Public
|
|
||||||
License is intended to guarantee your freedom to share and change free
|
|
||||||
software--to make sure the software is free for all its users. This
|
|
||||||
General Public License applies to most of the Free Software
|
|
||||||
Foundation's software and to any other program whose authors commit to
|
|
||||||
using it. (Some other Free Software Foundation software is covered by
|
|
||||||
the GNU Library General Public License instead.) You can apply it to
|
|
||||||
your programs, too.
|
|
||||||
|
|
||||||
When we speak of free software, we are referring to freedom, not
|
|
||||||
price. Our General Public Licenses are designed to make sure that you
|
|
||||||
have the freedom to distribute copies of free software (and charge for
|
|
||||||
this service if you wish), that you receive source code or can get it
|
|
||||||
if you want it, that you can change the software or use pieces of it
|
|
||||||
in new free programs; and that you know you can do these things.
|
|
||||||
|
|
||||||
To protect your rights, we need to make restrictions that forbid
|
|
||||||
anyone to deny you these rights or to ask you to surrender the rights.
|
|
||||||
These restrictions translate to certain responsibilities for you if you
|
|
||||||
distribute copies of the software, or if you modify it.
|
|
||||||
|
|
||||||
For example, if you distribute copies of such a program, whether
|
|
||||||
gratis or for a fee, you must give the recipients all the rights that
|
|
||||||
you have. You must make sure that they, too, receive or can get the
|
|
||||||
source code. And you must show them these terms so they know their
|
|
||||||
rights.
|
|
||||||
|
|
||||||
We protect your rights with two steps: (1) copyright the software, and
|
|
||||||
(2) offer you this license which gives you legal permission to copy,
|
|
||||||
distribute and/or modify the software.
|
|
||||||
|
|
||||||
Also, for each author's protection and ours, we want to make certain
|
|
||||||
that everyone understands that there is no warranty for this free
|
|
||||||
software. If the software is modified by someone else and passed on, we
|
|
||||||
want its recipients to know that what they have is not the original, so
|
|
||||||
that any problems introduced by others will not reflect on the original
|
|
||||||
authors' reputations.
|
|
||||||
|
|
||||||
Finally, any free program is threatened constantly by software
|
|
||||||
patents. We wish to avoid the danger that redistributors of a free
|
|
||||||
program will individually obtain patent licenses, in effect making the
|
|
||||||
program proprietary. To prevent this, we have made it clear that any
|
|
||||||
patent must be licensed for everyone's free use or not licensed at all.
|
|
||||||
|
|
||||||
The precise terms and conditions for copying, distribution and
|
|
||||||
modification follow.
|
|
||||||
|
|
||||||
GNU GENERAL PUBLIC LICENSE
|
|
||||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
|
||||||
|
|
||||||
0. This License applies to any program or other work which contains
|
|
||||||
a notice placed by the copyright holder saying it may be distributed
|
|
||||||
under the terms of this General Public License. The "Program", below,
|
|
||||||
refers to any such program or work, and a "work based on the Program"
|
|
||||||
means either the Program or any derivative work under copyright law:
|
|
||||||
that is to say, a work containing the Program or a portion of it,
|
|
||||||
either verbatim or with modifications and/or translated into another
|
|
||||||
language. (Hereinafter, translation is included without limitation in
|
|
||||||
the term "modification".) Each licensee is addressed as "you".
|
|
||||||
|
|
||||||
Activities other than copying, distribution and modification are not
|
|
||||||
covered by this License; they are outside its scope. The act of
|
|
||||||
running the Program is not restricted, and the output from the Program
|
|
||||||
is covered only if its contents constitute a work based on the
|
|
||||||
Program (independent of having been made by running the Program).
|
|
||||||
Whether that is true depends on what the Program does.
|
|
||||||
|
|
||||||
1. You may copy and distribute verbatim copies of the Program's
|
|
||||||
source code as you receive it, in any medium, provided that you
|
|
||||||
conspicuously and appropriately publish on each copy an appropriate
|
|
||||||
copyright notice and disclaimer of warranty; keep intact all the
|
|
||||||
notices that refer to this License and to the absence of any warranty;
|
|
||||||
and give any other recipients of the Program a copy of this License
|
|
||||||
along with the Program.
|
|
||||||
|
|
||||||
You may charge a fee for the physical act of transferring a copy, and
|
|
||||||
you may at your option offer warranty protection in exchange for a fee.
|
|
||||||
|
|
||||||
2. You may modify your copy or copies of the Program or any portion
|
|
||||||
of it, thus forming a work based on the Program, and copy and
|
|
||||||
distribute such modifications or work under the terms of Section 1
|
|
||||||
above, provided that you also meet all of these conditions:
|
|
||||||
|
|
||||||
a) You must cause the modified files to carry prominent notices
|
|
||||||
stating that you changed the files and the date of any change.
|
|
||||||
|
|
||||||
b) You must cause any work that you distribute or publish, that in
|
|
||||||
whole or in part contains or is derived from the Program or any
|
|
||||||
part thereof, to be licensed as a whole at no charge to all third
|
|
||||||
parties under the terms of this License.
|
|
||||||
|
|
||||||
c) If the modified program normally reads commands interactively
|
|
||||||
when run, you must cause it, when started running for such
|
|
||||||
interactive use in the most ordinary way, to print or display an
|
|
||||||
announcement including an appropriate copyright notice and a
|
|
||||||
notice that there is no warranty (or else, saying that you provide
|
|
||||||
a warranty) and that users may redistribute the program under
|
|
||||||
these conditions, and telling the user how to view a copy of this
|
|
||||||
License. (Exception: if the Program itself is interactive but
|
|
||||||
does not normally print such an announcement, your work based on
|
|
||||||
the Program is not required to print an announcement.)
|
|
||||||
|
|
||||||
These requirements apply to the modified work as a whole. If
|
|
||||||
identifiable sections of that work are not derived from the Program,
|
|
||||||
and can be reasonably considered independent and separate works in
|
|
||||||
themselves, then this License, and its terms, do not apply to those
|
|
||||||
sections when you distribute them as separate works. But when you
|
|
||||||
distribute the same sections as part of a whole which is a work based
|
|
||||||
on the Program, the distribution of the whole must be on the terms of
|
|
||||||
this License, whose permissions for other licensees extend to the
|
|
||||||
entire whole, and thus to each and every part regardless of who wrote it.
|
|
||||||
|
|
||||||
Thus, it is not the intent of this section to claim rights or contest
|
|
||||||
your rights to work written entirely by you; rather, the intent is to
|
|
||||||
exercise the right to control the distribution of derivative or
|
|
||||||
collective works based on the Program.
|
|
||||||
|
|
||||||
In addition, mere aggregation of another work not based on the Program
|
|
||||||
with the Program (or with a work based on the Program) on a volume of
|
|
||||||
a storage or distribution medium does not bring the other work under
|
|
||||||
the scope of this License.
|
|
||||||
|
|
||||||
3. You may copy and distribute the Program (or a work based on it,
|
|
||||||
under Section 2) in object code or executable form under the terms of
|
|
||||||
Sections 1 and 2 above provided that you also do one of the following:
|
|
||||||
|
|
||||||
a) Accompany it with the complete corresponding machine-readable
|
|
||||||
source code, which must be distributed under the terms of Sections
|
|
||||||
1 and 2 above on a medium customarily used for software interchange; or,
|
|
||||||
|
|
||||||
b) Accompany it with a written offer, valid for at least three
|
|
||||||
years, to give any third party, for a charge no more than your
|
|
||||||
cost of physically performing source distribution, a complete
|
|
||||||
machine-readable copy of the corresponding source code, to be
|
|
||||||
distributed under the terms of Sections 1 and 2 above on a medium
|
|
||||||
customarily used for software interchange; or,
|
|
||||||
|
|
||||||
c) Accompany it with the information you received as to the offer
|
|
||||||
to distribute corresponding source code. (This alternative is
|
|
||||||
allowed only for noncommercial distribution and only if you
|
|
||||||
received the program in object code or executable form with such
|
|
||||||
an offer, in accord with Subsection b above.)
|
|
||||||
|
|
||||||
The source code for a work means the preferred form of the work for
|
|
||||||
making modifications to it. For an executable work, complete source
|
|
||||||
code means all the source code for all modules it contains, plus any
|
|
||||||
associated interface definition files, plus the scripts used to
|
|
||||||
control compilation and installation of the executable. However, as a
|
|
||||||
special exception, the source code distributed need not include
|
|
||||||
anything that is normally distributed (in either source or binary
|
|
||||||
form) with the major components (compiler, kernel, and so on) of the
|
|
||||||
operating system on which the executable runs, unless that component
|
|
||||||
itself accompanies the executable.
|
|
||||||
|
|
||||||
If distribution of executable or object code is made by offering
|
|
||||||
access to copy from a designated place, then offering equivalent
|
|
||||||
access to copy the source code from the same place counts as
|
|
||||||
distribution of the source code, even though third parties are not
|
|
||||||
compelled to copy the source along with the object code.
|
|
||||||
|
|
||||||
4. You may not copy, modify, sublicense, or distribute the Program
|
|
||||||
except as expressly provided under this License. Any attempt
|
|
||||||
otherwise to copy, modify, sublicense or distribute the Program is
|
|
||||||
void, and will automatically terminate your rights under this License.
|
|
||||||
However, parties who have received copies, or rights, from you under
|
|
||||||
this License will not have their licenses terminated so long as such
|
|
||||||
parties remain in full compliance.
|
|
||||||
|
|
||||||
5. You are not required to accept this License, since you have not
|
|
||||||
signed it. However, nothing else grants you permission to modify or
|
|
||||||
distribute the Program or its derivative works. These actions are
|
|
||||||
prohibited by law if you do not accept this License. Therefore, by
|
|
||||||
modifying or distributing the Program (or any work based on the
|
|
||||||
Program), you indicate your acceptance of this License to do so, and
|
|
||||||
all its terms and conditions for copying, distributing or modifying
|
|
||||||
the Program or works based on it.
|
|
||||||
|
|
||||||
6. Each time you redistribute the Program (or any work based on the
|
|
||||||
Program), the recipient automatically receives a license from the
|
|
||||||
original licensor to copy, distribute or modify the Program subject to
|
|
||||||
these terms and conditions. You may not impose any further
|
|
||||||
restrictions on the recipients' exercise of the rights granted herein.
|
|
||||||
You are not responsible for enforcing compliance by third parties to
|
|
||||||
this License.
|
|
||||||
|
|
||||||
7. If, as a consequence of a court judgment or allegation of patent
|
|
||||||
infringement or for any other reason (not limited to patent issues),
|
|
||||||
conditions are imposed on you (whether by court order, agreement or
|
|
||||||
otherwise) that contradict the conditions of this License, they do not
|
|
||||||
excuse you from the conditions of this License. If you cannot
|
|
||||||
distribute so as to satisfy simultaneously your obligations under this
|
|
||||||
License and any other pertinent obligations, then as a consequence you
|
|
||||||
may not distribute the Program at all. For example, if a patent
|
|
||||||
license would not permit royalty-free redistribution of the Program by
|
|
||||||
all those who receive copies directly or indirectly through you, then
|
|
||||||
the only way you could satisfy both it and this License would be to
|
|
||||||
refrain entirely from distribution of the Program.
|
|
||||||
|
|
||||||
If any portion of this section is held invalid or unenforceable under
|
|
||||||
any particular circumstance, the balance of the section is intended to
|
|
||||||
apply and the section as a whole is intended to apply in other
|
|
||||||
circumstances.
|
|
||||||
|
|
||||||
It is not the purpose of this section to induce you to infringe any
|
|
||||||
patents or other property right claims or to contest validity of any
|
|
||||||
such claims; this section has the sole purpose of protecting the
|
|
||||||
integrity of the free software distribution system, which is
|
|
||||||
implemented by public license practices. Many people have made
|
|
||||||
generous contributions to the wide range of software distributed
|
|
||||||
through that system in reliance on consistent application of that
|
|
||||||
system; it is up to the author/donor to decide if he or she is willing
|
|
||||||
to distribute software through any other system and a licensee cannot
|
|
||||||
impose that choice.
|
|
||||||
|
|
||||||
This section is intended to make thoroughly clear what is believed to
|
|
||||||
be a consequence of the rest of this License.
|
|
||||||
|
|
||||||
8. If the distribution and/or use of the Program is restricted in
|
|
||||||
certain countries either by patents or by copyrighted interfaces, the
|
|
||||||
original copyright holder who places the Program under this License
|
|
||||||
may add an explicit geographical distribution limitation excluding
|
|
||||||
those countries, so that distribution is permitted only in or among
|
|
||||||
countries not thus excluded. In such case, this License incorporates
|
|
||||||
the limitation as if written in the body of this License.
|
|
||||||
|
|
||||||
9. The Free Software Foundation may publish revised and/or new versions
|
|
||||||
of the General Public License from time to time. Such new versions will
|
|
||||||
be similar in spirit to the present version, but may differ in detail to
|
|
||||||
address new problems or concerns.
|
|
||||||
|
|
||||||
Each version is given a distinguishing version number. If the Program
|
|
||||||
specifies a version number of this License which applies to it and "any
|
|
||||||
later version", you have the option of following the terms and conditions
|
|
||||||
either of that version or of any later version published by the Free
|
|
||||||
Software Foundation. If the Program does not specify a version number of
|
|
||||||
this License, you may choose any version ever published by the Free Software
|
|
||||||
Foundation.
|
|
||||||
|
|
||||||
10. If you wish to incorporate parts of the Program into other free
|
|
||||||
programs whose distribution conditions are different, write to the author
|
|
||||||
to ask for permission. For software which is copyrighted by the Free
|
|
||||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
|
||||||
make exceptions for this. Our decision will be guided by the two goals
|
|
||||||
of preserving the free status of all derivatives of our free software and
|
|
||||||
of promoting the sharing and reuse of software generally.
|
|
||||||
|
|
||||||
NO WARRANTY
|
|
||||||
|
|
||||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
|
||||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
|
||||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
|
||||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
|
||||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
||||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
|
||||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
|
||||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
|
||||||
REPAIR OR CORRECTION.
|
|
||||||
|
|
||||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
|
||||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
|
||||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
|
||||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
|
||||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
|
||||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
|
||||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
|
||||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
|
||||||
POSSIBILITY OF SUCH DAMAGES.
|
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
|
||||||
|
|
||||||
How to Apply These Terms to Your New Programs
|
|
||||||
|
|
||||||
If you develop a new program, and you want it to be of the greatest
|
|
||||||
possible use to the public, the best way to achieve this is to make it
|
|
||||||
free software which everyone can redistribute and change under these terms.
|
|
||||||
|
|
||||||
To do so, attach the following notices to the program. It is safest
|
|
||||||
to attach them to the start of each source file to most effectively
|
|
||||||
convey the exclusion of warranty; and each file should have at least
|
|
||||||
the "copyright" line and a pointer to where the full notice is found.
|
|
||||||
|
|
||||||
<one line to give the program's name and a brief idea of what it does.>
|
|
||||||
Copyright (C) 19yy <name of author>
|
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
|
||||||
it under the terms of the GNU General Public License as published by
|
|
||||||
the Free Software Foundation; either version 2 of the License, or
|
|
||||||
(at your option) any later version.
|
|
||||||
|
|
||||||
This program is distributed in the hope that it will be useful,
|
|
||||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
GNU General Public License for more details.
|
|
||||||
|
|
||||||
You should have received a copy of the GNU General Public License
|
|
||||||
along with this program; if not, write to the Free Software
|
|
||||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
||||||
|
|
||||||
|
|
||||||
Also add information on how to contact you by electronic and paper mail.
|
|
||||||
|
|
||||||
If the program is interactive, make it output a short notice like this
|
|
||||||
when it starts in an interactive mode:
|
|
||||||
|
|
||||||
Gnomovision version 69, Copyright (C) 19yy name of author
|
|
||||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
|
||||||
This is free software, and you are welcome to redistribute it
|
|
||||||
under certain conditions; type `show c' for details.
|
|
||||||
|
|
||||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
|
||||||
parts of the General Public License. Of course, the commands you use may
|
|
||||||
be called something other than `show w' and `show c'; they could even be
|
|
||||||
mouse-clicks or menu items--whatever suits your program.
|
|
||||||
|
|
||||||
You should also get your employer (if you work as a programmer) or your
|
|
||||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
|
||||||
necessary. Here is a sample; alter the names:
|
|
||||||
|
|
||||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
|
||||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
|
||||||
|
|
||||||
<signature of Ty Coon>, 1 April 1989
|
|
||||||
Ty Coon, President of Vice
|
|
||||||
|
|
||||||
This General Public License does not permit incorporating your program into
|
|
||||||
proprietary programs. If your program is a subroutine library, you may
|
|
||||||
consider it more useful to permit linking proprietary applications with the
|
|
||||||
library. If this is what you want to do, use the GNU Library General
|
|
||||||
Public License instead of this License.
|
|
@ -1,24 +0,0 @@
|
|||||||
Shoreline Firewall (Shorewall) Version 5
|
|
||||||
----- ----
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------------
|
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
|
||||||
it under the terms of Version 2 of the GNU General Public License
|
|
||||||
as published by the Free Software Foundation.
|
|
||||||
|
|
||||||
This program is distributed in the hope that it will be useful,
|
|
||||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
GNU General Public License for more details.
|
|
||||||
|
|
||||||
You should have received a copy of the GNU General Public License
|
|
||||||
along with this program; if not, write to the Free Software
|
|
||||||
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
|
|
||||||
---------------------------------------------------------------------------
|
|
||||||
|
|
||||||
Please see https://shorewall.org/Install.htm for installation
|
|
||||||
instructions.
|
|
||||||
|
|
||||||
|
|
@ -1 +0,0 @@
|
|||||||
5.2.8-RC1
|
|
248
Shorewall-core/configure
vendored
248
Shorewall-core/configure
vendored
@ -1,248 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# Shorewall Packet Filtering Firewall configuration program - V5.2
|
|
||||||
#
|
|
||||||
# (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# Usage: ./configure [ <option>=<setting> ] ...
|
|
||||||
#
|
|
||||||
#
|
|
||||||
################################################################################################
|
|
||||||
#
|
|
||||||
# Build updates this
|
|
||||||
#
|
|
||||||
VERSION=4.6.12
|
|
||||||
|
|
||||||
case "$BASH_VERSION" in
|
|
||||||
[4-9].*)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "ERROR: This program requires Bash 4.0 or later" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
declare -A params
|
|
||||||
declare -A options
|
|
||||||
|
|
||||||
getfileparams() {
|
|
||||||
while read option; do
|
|
||||||
case $option in
|
|
||||||
\#*)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
on=${option%=*}
|
|
||||||
ov=${option#*=}
|
|
||||||
ov=${ov%#*}
|
|
||||||
[ -n "$on" ] && options[${on}]="${ov}"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
done
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
for p in $@; do
|
|
||||||
|
|
||||||
if [ -n "${p}" ]; then
|
|
||||||
declare -u pn
|
|
||||||
|
|
||||||
pn=${p%=*}
|
|
||||||
pn=${pn#--}
|
|
||||||
pv=${p#*=}
|
|
||||||
|
|
||||||
if [ -n "${pn}" ]; then
|
|
||||||
|
|
||||||
case ${pn} in
|
|
||||||
VENDOR)
|
|
||||||
pn=HOST
|
|
||||||
;;
|
|
||||||
SHAREDSTATEDIR)
|
|
||||||
pn=VARLIB
|
|
||||||
;;
|
|
||||||
DATADIR)
|
|
||||||
pn=SHAREDIR
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
params[${pn}]="${pv}"
|
|
||||||
else
|
|
||||||
echo "ERROR: Invalid option ($p)" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
cd $(dirname $0)
|
|
||||||
|
|
||||||
vendor=${params[HOST]}
|
|
||||||
|
|
||||||
if [ -z "$vendor" ]; then
|
|
||||||
if [ -f /etc/os-release ]; then
|
|
||||||
eval $(cat /etc/os-release | grep ^ID=)
|
|
||||||
|
|
||||||
case $ID in
|
|
||||||
fedora|rhel)
|
|
||||||
vendor=redhat
|
|
||||||
;;
|
|
||||||
debian|ubuntu)
|
|
||||||
vendor=debian
|
|
||||||
;;
|
|
||||||
opensuse)
|
|
||||||
vendor=suse
|
|
||||||
;;
|
|
||||||
alt|basealt|altlinux)
|
|
||||||
vendor=alt
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
vendor="$ID"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
params[HOST]="$vendor"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$vendor" ]; then
|
|
||||||
case `uname` in
|
|
||||||
Darwin)
|
|
||||||
params[HOST]=apple
|
|
||||||
rcfile=shorewallrc.apple
|
|
||||||
;;
|
|
||||||
cygwin*|CYGWIN*)
|
|
||||||
params[HOST]=cygwin
|
|
||||||
rcfile=shorewallrc.cygwin
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -f /etc/debian_version ]; then
|
|
||||||
params[HOST]=debian
|
|
||||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
|
||||||
elif [ -f /etc/altlinux-release ] ; then
|
|
||||||
params[HOST]=alt
|
|
||||||
elif [ -f /etc/redhat-release ]; then
|
|
||||||
params[HOST]=redhat
|
|
||||||
rcfile=shorewallrc.redhat
|
|
||||||
elif [ -f /etc/slackware-version ] ; then
|
|
||||||
params[HOST]=slackware
|
|
||||||
rcfile=shorewallrc.slackware
|
|
||||||
elif [ -f /etc/SuSE-release ]; then
|
|
||||||
params[HOST]=suse
|
|
||||||
rcfile=shorewallrc.suse
|
|
||||||
elif [ -f /etc/arch-release ] ; then
|
|
||||||
params[HOST]=archlinux
|
|
||||||
rcfile=shorewallrc.archlinux
|
|
||||||
elif [ -f /etc/openwrt_release ]; then
|
|
||||||
params[HOST]=openwrt
|
|
||||||
rcfile=shorewallrc.openwrt
|
|
||||||
else
|
|
||||||
params[HOST]=linux
|
|
||||||
rcfile=shorewallrc.default
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
vendor=${params[HOST]}
|
|
||||||
else
|
|
||||||
if [ $vendor = linux ]; then
|
|
||||||
rcfile=shorewallrc.default;
|
|
||||||
elif [ $vendor = debian -a -f /etc/debian_version ]; then
|
|
||||||
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
|
||||||
else
|
|
||||||
rcfile=shorewallrc.$vendor
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -f $rcfile ]; then
|
|
||||||
echo "ERROR: $vendor is not a recognized host type" >&2
|
|
||||||
exit 1
|
|
||||||
elif [ $vendor = default ]; then
|
|
||||||
params[HOST]=linux
|
|
||||||
vendor=linux
|
|
||||||
elif [[ $vendor == debian.* ]]; then
|
|
||||||
params[HOST]=debian
|
|
||||||
vendor=debian
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $vendor = linux ]; then
|
|
||||||
echo "INFO: Creating a generic Linux installation - " `date`;
|
|
||||||
else
|
|
||||||
echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo
|
|
||||||
|
|
||||||
getfileparams < $rcfile || exit 1
|
|
||||||
|
|
||||||
for p in ${!params[@]}; do
|
|
||||||
options[${p}]="${params[${p}]}"
|
|
||||||
done
|
|
||||||
|
|
||||||
echo '#' > shorewallrc
|
|
||||||
echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
|
|
||||||
echo "# rc file: $rcfile" >> shorewallrc
|
|
||||||
echo '#' >> shorewallrc
|
|
||||||
|
|
||||||
if [ $# -gt 0 ]; then
|
|
||||||
echo "# Input: $@" >> shorewallrc
|
|
||||||
echo '#' >> shorewallrc
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "${options[VARLIB]}" ]; then
|
|
||||||
if [ -z "${options[VARDIR]}" ]; then
|
|
||||||
options[VARDIR]='${VARLIB}/${PRODUCT}'
|
|
||||||
fi
|
|
||||||
elif [ -n "${options[VARDIR]}" ]; then
|
|
||||||
if [ -z "{$options[VARLIB]}" ]; then
|
|
||||||
options[VARLIB]=${options[VARDIR]}
|
|
||||||
options[VARDIR]='${VARLIB}/${PRODUCT}'
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "${options[SERVICEDIR]}" ]; then
|
|
||||||
options[SERVICEDIR]="${options[SYSTEMD]}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
for on in \
|
|
||||||
HOST \
|
|
||||||
PREFIX \
|
|
||||||
SHAREDIR \
|
|
||||||
LIBEXECDIR \
|
|
||||||
PERLLIBDIR \
|
|
||||||
CONFDIR \
|
|
||||||
SBINDIR \
|
|
||||||
MANDIR \
|
|
||||||
INITDIR \
|
|
||||||
INITSOURCE \
|
|
||||||
INITFILE \
|
|
||||||
AUXINITSOURCE \
|
|
||||||
AUXINITFILE \
|
|
||||||
SERVICEDIR \
|
|
||||||
SERVICEFILE \
|
|
||||||
SYSCONFFILE \
|
|
||||||
SYSCONFDIR \
|
|
||||||
SPARSE \
|
|
||||||
ANNOTATED \
|
|
||||||
VARLIB \
|
|
||||||
VARDIR \
|
|
||||||
DEFAULT_PAGER
|
|
||||||
do
|
|
||||||
echo "$on=${options[${on}]}"
|
|
||||||
echo "$on=${options[${on}]}" >> shorewallrc
|
|
||||||
done
|
|
@ -1,233 +0,0 @@
|
|||||||
#! /usr/bin/perl -w
|
|
||||||
#
|
|
||||||
# Shorewall Packet Filtering Firewall configuration program - V5.2
|
|
||||||
#
|
|
||||||
# (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# Usage: ./configure.pl <option>=<setting> ...
|
|
||||||
#
|
|
||||||
#
|
|
||||||
################################################################################################
|
|
||||||
use strict;
|
|
||||||
|
|
||||||
#
|
|
||||||
# Build updates this
|
|
||||||
#
|
|
||||||
use constant {
|
|
||||||
VERSION => '4.6.12'
|
|
||||||
};
|
|
||||||
|
|
||||||
my %params;
|
|
||||||
my %options;
|
|
||||||
|
|
||||||
my %aliases = ( VENDOR => 'HOST',
|
|
||||||
SHAREDSTATEDIR => 'VARLIB',
|
|
||||||
DATADIR => 'SHAREDIR' );
|
|
||||||
|
|
||||||
for ( @ARGV ) {
|
|
||||||
die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
|
|
||||||
|
|
||||||
my $pn = uc $1;
|
|
||||||
my $pv = $2 || '';
|
|
||||||
|
|
||||||
$pn = $aliases{$pn} if exists $aliases{$pn};
|
|
||||||
|
|
||||||
$params{$pn} = $pv;
|
|
||||||
}
|
|
||||||
|
|
||||||
use File::Basename;
|
|
||||||
chdir dirname($0);
|
|
||||||
|
|
||||||
my $vendor = $params{HOST};
|
|
||||||
my $rcfile;
|
|
||||||
my $rcfilename;
|
|
||||||
|
|
||||||
unless ( defined $vendor ) {
|
|
||||||
if ( -f '/etc/os-release' ) {
|
|
||||||
my $id = `cat /etc/os-release | grep ^ID=`;
|
|
||||||
|
|
||||||
chomp $id;
|
|
||||||
|
|
||||||
$id =~ s/ID=//;
|
|
||||||
|
|
||||||
if ( $id eq 'fedora' || $id eq 'rhel' ) {
|
|
||||||
$vendor = 'redhat';
|
|
||||||
} elsif ( $id eq 'opensuse' ) {
|
|
||||||
$vendor = 'suse';
|
|
||||||
} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
|
|
||||||
my $init = `ls -l /sbin/init`;
|
|
||||||
$vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
|
|
||||||
} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
|
|
||||||
$vendor = 'alt';
|
|
||||||
} else {
|
|
||||||
$vendor = $id;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$params{HOST} = $vendor;
|
|
||||||
$params{HOST} =~ s/\..*//;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( defined $vendor ) {
|
|
||||||
if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
|
|
||||||
if ( -l '/sbin/init' ) {
|
|
||||||
if ( readlink('/sbin/init') =~ /systemd/ ) {
|
|
||||||
$rcfilename = 'shorewallrc.debian.systemd';
|
|
||||||
} else {
|
|
||||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
|
||||||
}
|
|
||||||
|
|
||||||
unless ( -f $rcfilename ) {
|
|
||||||
die qq("ERROR: $vendor" is not a recognized host type);
|
|
||||||
} elsif ( $vendor eq 'default' ) {
|
|
||||||
$params{HOST} = $vendor = 'linux';
|
|
||||||
} elsif ( $vendor =~ /^debian\./ ) {
|
|
||||||
$params{HOST} = $vendor = 'debian';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if ( -f '/etc/debian_version' ) {
|
|
||||||
$vendor = 'debian';
|
|
||||||
if ( -l '/sbin/init' ) {
|
|
||||||
if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
|
|
||||||
$rcfilename = 'shorewallrc.debian.systemd';
|
|
||||||
} else {
|
|
||||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
|
||||||
}
|
|
||||||
} elsif ( -f '/etc/altlinux-release' ){
|
|
||||||
$vendor = 'alt';
|
|
||||||
$rcfilename = 'shorewallrc.alt';
|
|
||||||
} elsif ( -f '/etc/redhat-release' ){
|
|
||||||
$vendor = 'redhat';
|
|
||||||
$rcfilename = 'shorewallrc.redhat';
|
|
||||||
} elsif ( -f '/etc/slackware-version' ) {
|
|
||||||
$vendor = 'slackware';
|
|
||||||
$rcfilename = 'shorewallrc.slackware';
|
|
||||||
} elsif ( -f '/etc/SuSE-release' ) {
|
|
||||||
$vendor = 'suse';
|
|
||||||
$rcfilename = 'shorewallrc.suse';
|
|
||||||
} elsif ( -f '/etc/arch-release' ) {
|
|
||||||
$vendor = 'archlinux';
|
|
||||||
$rcfilename = 'shorewallrc.archlinux';
|
|
||||||
} elsif ( `uname` =~ '^Darwin' ) {
|
|
||||||
$vendor = 'apple';
|
|
||||||
$rcfilename = 'shorewallrc.apple';
|
|
||||||
} elsif ( `uname` =~ /^Cygwin/i ) {
|
|
||||||
$vendor = 'cygwin';
|
|
||||||
$rcfilename = 'shorewallrc.cygwin';
|
|
||||||
} else {
|
|
||||||
$vendor = 'linux';
|
|
||||||
$rcfilename = 'shorewallrc.default';
|
|
||||||
}
|
|
||||||
|
|
||||||
$params{HOST} = $vendor;
|
|
||||||
}
|
|
||||||
|
|
||||||
my @localtime = localtime;
|
|
||||||
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
|
|
||||||
|
|
||||||
if ( $vendor eq 'linux' ) {
|
|
||||||
printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
|
|
||||||
} else {
|
|
||||||
printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
|
|
||||||
}
|
|
||||||
|
|
||||||
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
|
|
||||||
|
|
||||||
while ( <$rcfile> ) {
|
|
||||||
s/\s*#.*//;
|
|
||||||
unless ( /^\s*$/ ) {
|
|
||||||
chomp;
|
|
||||||
die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
|
|
||||||
$options{$1} = $2;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
close $rcfile;
|
|
||||||
|
|
||||||
while ( my ( $p, $v ) = each %params ) {
|
|
||||||
$options{$p} = ${v};
|
|
||||||
}
|
|
||||||
|
|
||||||
my $outfile;
|
|
||||||
|
|
||||||
open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
|
|
||||||
|
|
||||||
if ( $ENV{SOURCE_DATE_EPOCH} ) {
|
|
||||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
|
|
||||||
} else {
|
|
||||||
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
|
|
||||||
}
|
|
||||||
|
|
||||||
print $outfile "# rc file: $rcfilename\n#\n";
|
|
||||||
|
|
||||||
print $outfile "# Input: @ARGV\n#\n" if @ARGV;
|
|
||||||
|
|
||||||
if ( $options{VARLIB} ) {
|
|
||||||
unless ( $options{VARDIR} ) {
|
|
||||||
$options{VARDIR} = '${VARLIB}/${PRODUCT}';
|
|
||||||
}
|
|
||||||
} elsif ( $options{VARDIR} ) {
|
|
||||||
$options{VARLIB} = $options{VARDIR};
|
|
||||||
$options{VARDIR} = '${VARLIB}/${PRODUCT}';
|
|
||||||
}
|
|
||||||
|
|
||||||
$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
|
|
||||||
|
|
||||||
for ( qw/ HOST
|
|
||||||
PREFIX
|
|
||||||
SHAREDIR
|
|
||||||
LIBEXECDIR
|
|
||||||
PERLLIBDIR
|
|
||||||
CONFDIR
|
|
||||||
SBINDIR
|
|
||||||
MANDIR
|
|
||||||
INITDIR
|
|
||||||
INITSOURCE
|
|
||||||
INITFILE
|
|
||||||
AUXINITSOURCE
|
|
||||||
AUXINITFILE
|
|
||||||
SERVICEDIR
|
|
||||||
SERVICEFILE
|
|
||||||
SYSCONFFILE
|
|
||||||
SYSCONFDIR
|
|
||||||
SPARSE
|
|
||||||
ANNOTATED
|
|
||||||
VARLIB
|
|
||||||
VARDIR
|
|
||||||
DEFAULT_PAGER / ) {
|
|
||||||
|
|
||||||
my $val = $options{$_} || '';
|
|
||||||
|
|
||||||
print "$_=$val\n";
|
|
||||||
print $outfile "$_=$val\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
close $outfile;
|
|
||||||
|
|
||||||
1;
|
|
@ -1,424 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Script to install Shoreline Firewall Core Modules
|
|
||||||
#
|
|
||||||
# (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
|
|
||||||
VERSION=xxx # The Build script inserts the actual version
|
|
||||||
PRODUCT=shorewall-core
|
|
||||||
Product="Shorewall Core"
|
|
||||||
|
|
||||||
usage() # $1 = exit status
|
|
||||||
{
|
|
||||||
ME=$(basename $0)
|
|
||||||
echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
|
|
||||||
echo "where <option> is one of"
|
|
||||||
echo " -h"
|
|
||||||
echo " -v"
|
|
||||||
exit $1
|
|
||||||
}
|
|
||||||
|
|
||||||
install_file() # $1 = source $2 = target $3 = mode
|
|
||||||
{
|
|
||||||
if cp -f $1 $2; then
|
|
||||||
if chmod $3 $2; then
|
|
||||||
if [ -n "$OWNER" ]; then
|
|
||||||
if chown $OWNER:$GROUP $2; then
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "ERROR: Failed to install $2" >&2
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Change to the directory containing this script
|
|
||||||
#
|
|
||||||
cd "$(dirname $0)"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Source common functions
|
|
||||||
#
|
|
||||||
. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
|
|
||||||
|
|
||||||
#
|
|
||||||
# Parse the run line
|
|
||||||
#
|
|
||||||
finished=0
|
|
||||||
|
|
||||||
while [ $finished -eq 0 ]; do
|
|
||||||
option=$1
|
|
||||||
|
|
||||||
case "$option" in
|
|
||||||
-*)
|
|
||||||
option=${option#-}
|
|
||||||
|
|
||||||
while [ -n "$option" ]; do
|
|
||||||
case $option in
|
|
||||||
h)
|
|
||||||
usage 0
|
|
||||||
;;
|
|
||||||
v)
|
|
||||||
echo "$Product Firewall Installer Version $VERSION"
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
usage 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
finished=1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
#
|
|
||||||
# Read the RC file
|
|
||||||
#
|
|
||||||
if [ $# -eq 0 ]; then
|
|
||||||
if [ -f ./shorewallrc ]; then
|
|
||||||
file=./shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
elif [ -f ~/.shorewallrc ]; then
|
|
||||||
file=~/.shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
elif [ -f /usr/share/shorewall/shorewallrc ]; then
|
|
||||||
file=/usr/share/shorewall/shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
else
|
|
||||||
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
|
|
||||||
fi
|
|
||||||
elif [ $# -eq 1 ]; then
|
|
||||||
file=$1
|
|
||||||
case $file in
|
|
||||||
/*|.*)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
file=./$file || exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
else
|
|
||||||
usage 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
update=0
|
|
||||||
|
|
||||||
if [ -z "${VARLIB}" ]; then
|
|
||||||
VARLIB=${VARDIR}
|
|
||||||
VARDIR="${VARLIB}/${PRODUCT}"
|
|
||||||
update=1
|
|
||||||
elif [ -z "${VARDIR}" ]; then
|
|
||||||
VARDIR="${VARLIB}/${PRODUCT}"
|
|
||||||
update=2
|
|
||||||
fi
|
|
||||||
|
|
||||||
for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
|
|
||||||
require $var
|
|
||||||
done
|
|
||||||
|
|
||||||
[ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
|
|
||||||
|
|
||||||
if [ -z "$BUILD" ]; then
|
|
||||||
case $(uname) in
|
|
||||||
cygwin*|CYGWIN*)
|
|
||||||
BUILD=cygwin
|
|
||||||
;;
|
|
||||||
Darwin)
|
|
||||||
BUILD=apple
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -f /etc/os-release ]; then
|
|
||||||
eval $(cat /etc/os-release | grep ^ID)
|
|
||||||
|
|
||||||
case $ID in
|
|
||||||
fedora|rhel|centos|foobar)
|
|
||||||
BUILD=redhat
|
|
||||||
;;
|
|
||||||
debian)
|
|
||||||
BUILD=debian
|
|
||||||
;;
|
|
||||||
gentoo)
|
|
||||||
BUILD=gentoo
|
|
||||||
;;
|
|
||||||
opensuse)
|
|
||||||
BUILD=suse
|
|
||||||
;;
|
|
||||||
alt|basealt|altlinux)
|
|
||||||
BUILD=alt
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
BUILD="$ID"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
elif [ -f /etc/debian_version ]; then
|
|
||||||
BUILD=debian
|
|
||||||
elif [ -f /etc/gentoo-release ]; then
|
|
||||||
BUILD=gentoo
|
|
||||||
elif [ -f /etc/altlinux-release ]; then
|
|
||||||
BUILD=alt
|
|
||||||
elif [ -f /etc/redhat-release ]; then
|
|
||||||
BUILD=redhat
|
|
||||||
elif [ -f /etc/slackware-version ] ; then
|
|
||||||
BUILD=slackware
|
|
||||||
elif [ -f /etc/SuSE-release ]; then
|
|
||||||
BUILD=suse
|
|
||||||
elif [ -f /etc/arch-release ] ; then
|
|
||||||
BUILD=archlinux
|
|
||||||
elif [ -f ${CONFDIR}/openwrt_release ] ; then
|
|
||||||
BUILD=openwrt
|
|
||||||
else
|
|
||||||
BUILD=linux
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
case $BUILD in
|
|
||||||
cygwin*)
|
|
||||||
if [ -z "$DESTDIR" ]; then
|
|
||||||
DEST=
|
|
||||||
INIT=
|
|
||||||
fi
|
|
||||||
|
|
||||||
OWNER=$(id -un)
|
|
||||||
GROUP=$(id -gn)
|
|
||||||
;;
|
|
||||||
apple)
|
|
||||||
if [ -z "$DESTDIR" ]; then
|
|
||||||
DEST=
|
|
||||||
INIT=
|
|
||||||
SPARSE=Yes
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -z "$OWNER" ] && OWNER=root
|
|
||||||
[ -z "$GROUP" ] && GROUP=wheel
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ $(id -u) -eq 0 ]; then
|
|
||||||
[ -z "$OWNER" ] && OWNER=root
|
|
||||||
[ -z "$GROUP" ] && GROUP=root
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
#
|
|
||||||
# Determine where to install the firewall script
|
|
||||||
#
|
|
||||||
|
|
||||||
[ -n "$HOST" ] || HOST=$BUILD
|
|
||||||
|
|
||||||
case "$HOST" in
|
|
||||||
cygwin)
|
|
||||||
echo "Installing Cygwin-specific configuration..."
|
|
||||||
;;
|
|
||||||
apple)
|
|
||||||
echo "Installing Mac-specific configuration...";
|
|
||||||
;;
|
|
||||||
debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
fatal_error "Unknown HOST \"$HOST\""
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ -z "$file" ]; then
|
|
||||||
if [ $HOST = linux ]; then
|
|
||||||
file=shorewallrc.default
|
|
||||||
else
|
|
||||||
file=shorewallrc.${HOST}
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
|
|
||||||
echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
|
|
||||||
echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
|
|
||||||
echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
|
|
||||||
echo "" >&2
|
|
||||||
echo "Example:" >&2
|
|
||||||
echo "" >&2
|
|
||||||
echo " ./install.sh $file" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$DESTDIR" ]; then
|
|
||||||
if [ $BUILD != cygwin ]; then
|
|
||||||
if [ `id -u` != 0 ] ; then
|
|
||||||
echo "Not setting file owner/group permissions, not running as root."
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Installing $Product Version $VERSION"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Create directories
|
|
||||||
#
|
|
||||||
make_parent_directory ${DESTDIR}${LIBEXECDIR}/shorewall 0755
|
|
||||||
|
|
||||||
make_parent_directory ${DESTDIR}${SHAREDIR}/shorewall 0755
|
|
||||||
|
|
||||||
make_parent_directory ${DESTDIR}${CONFDIR} 0755
|
|
||||||
|
|
||||||
[ -n "${SYSCONFDIR}" ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
|
|
||||||
|
|
||||||
if [ -z "${SERVICEDIR}" ]; then
|
|
||||||
SERVICEDIR="$SYSTEMD"
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "${SERVICEDIR}" ] && make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
|
|
||||||
|
|
||||||
make_parent_directory ${DESTDIR}${SBINDIR} 0755
|
|
||||||
|
|
||||||
[ -n "${MANDIR}" ] && make_parent_directory ${DESTDIR}${MANDIR} 0755
|
|
||||||
|
|
||||||
if [ -n "${INITFILE}" ]; then
|
|
||||||
make_parent_directory ${DESTDIR}${INITDIR} 0755
|
|
||||||
|
|
||||||
if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
|
|
||||||
install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
|
|
||||||
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
|
|
||||||
echo "SysV init script $AUXINITSOURCE installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
#
|
|
||||||
# Note: ${VARDIR} is created at run-time since it has always been
|
|
||||||
# a relocatable directory on a per-product basis
|
|
||||||
#
|
|
||||||
# Install the CLI
|
|
||||||
#
|
|
||||||
install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
|
|
||||||
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
|
|
||||||
echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
|
|
||||||
#
|
|
||||||
# Install wait4ifup
|
|
||||||
#
|
|
||||||
install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
|
|
||||||
|
|
||||||
echo
|
|
||||||
echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
|
|
||||||
#
|
|
||||||
# Install stop_service
|
|
||||||
#
|
|
||||||
if [ -n "${STOPSERVICEFILE}" ]; then
|
|
||||||
install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
|
|
||||||
|
|
||||||
echo
|
|
||||||
echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
|
||||||
# Install the libraries
|
|
||||||
#
|
|
||||||
for f in lib.* ; do
|
|
||||||
case $f in
|
|
||||||
*installer)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
|
|
||||||
echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ $SHAREDIR != /usr/share ]; then
|
|
||||||
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
|
|
||||||
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
|
||||||
# Install the Man Pages
|
|
||||||
#
|
|
||||||
if [ -n "$MANDIR" ]; then
|
|
||||||
cd manpages
|
|
||||||
|
|
||||||
[ -n "$INSTALLD" ] || make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
|
|
||||||
|
|
||||||
for f in *.8; do
|
|
||||||
gzip -9c $f > $f.gz
|
|
||||||
install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
|
|
||||||
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
|
|
||||||
done
|
|
||||||
|
|
||||||
cd ..
|
|
||||||
|
|
||||||
echo "Man Pages Installed"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
|
||||||
# Symbolically link 'functions' to lib.base
|
|
||||||
#
|
|
||||||
ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
|
|
||||||
#
|
|
||||||
# Create the version file
|
|
||||||
#
|
|
||||||
echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
|
|
||||||
chmod 0644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
|
|
||||||
|
|
||||||
if [ -z "${DESTDIR}" ]; then
|
|
||||||
if [ $update -ne 0 ]; then
|
|
||||||
echo "Updating $file - original saved in $file.bak"
|
|
||||||
|
|
||||||
cp $file $file.bak
|
|
||||||
|
|
||||||
echo '#' >> $file
|
|
||||||
echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
|
|
||||||
echo '#' >> $file
|
|
||||||
|
|
||||||
[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
|
|
||||||
|
|
||||||
echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
|
|
||||||
|
|
||||||
|
|
||||||
[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
|
|
||||||
|
|
||||||
if [ ${SHAREDIR} != /usr/share ]; then
|
|
||||||
for f in lib.*; do
|
|
||||||
case $f in
|
|
||||||
*installer)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ $BUILD != apple ]; then
|
|
||||||
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
|
|
||||||
else
|
|
||||||
eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/$f
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
#
|
|
||||||
# Report Success
|
|
||||||
#
|
|
||||||
echo "$Product Version $VERSION Installed"
|
|
@ -1,41 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 5.2 -- /usr/share/shorewall/lib.base
|
|
||||||
#
|
|
||||||
# (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# This library is a compatibility wrapper around lib.core.
|
|
||||||
#
|
|
||||||
|
|
||||||
if [ -z "$PRODUCT" ]; then
|
|
||||||
#
|
|
||||||
# This is modified by the installer when ${SHAREDIR} != /usr/share
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
g_basedir=${SHAREDIR}/shorewall
|
|
||||||
|
|
||||||
if [ -z "$SHOREWALL_LIBVERSION" ]; then
|
|
||||||
. ${g_basedir}/lib.core
|
|
||||||
fi
|
|
||||||
|
|
||||||
set_default_product
|
|
||||||
|
|
||||||
setup_product_environment
|
|
||||||
fi
|
|
File diff suppressed because it is too large
Load Diff
@ -1,826 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 5.2 -- /usr/share/shorewall/lib.common
|
|
||||||
#
|
|
||||||
# (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# The purpose of this library is to hold those functions used by both the CLI and by the
|
|
||||||
# generated firewall scripts. To avoid versioning issues, it is copied into generated
|
|
||||||
# scripts rather than loaded at run-time.
|
|
||||||
#
|
|
||||||
#########################################################################################
|
|
||||||
#
|
|
||||||
# Wrapper around logger that sets the tag according to $SW_LOGGERTAG
|
|
||||||
#
|
|
||||||
mylogger() {
|
|
||||||
local level
|
|
||||||
|
|
||||||
level=$1
|
|
||||||
shift
|
|
||||||
|
|
||||||
if [ -n "$SW_LOGGERTAG" ]; then
|
|
||||||
logger -p $level -t "$SW_LOGGERTAG" $*
|
|
||||||
else
|
|
||||||
logger -p $level $*
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Issue a message and stop
|
|
||||||
#
|
|
||||||
startup_error() # $* = Error Message
|
|
||||||
{
|
|
||||||
echo " ERROR: $@: Firewall state not changed" >&2
|
|
||||||
|
|
||||||
if [ $LOG_VERBOSITY -ge 0 ]; then
|
|
||||||
timestamp="$(date +'%b %e %T') "
|
|
||||||
echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
|
|
||||||
fi
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ $LOG_VERBOSITY -ge 0 ]; then
|
|
||||||
timestamp="$(date +'%b %e %T') "
|
|
||||||
|
|
||||||
case $COMMAND in
|
|
||||||
start)
|
|
||||||
echo "${timestamp} ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
restart)
|
|
||||||
echo "${timestamp} ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
restore)
|
|
||||||
echo "${timestamp} ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
mutex_off
|
|
||||||
kill $$
|
|
||||||
exit 2
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Create the required option string and run the passed script using
|
|
||||||
# $SHOREWALL_SHELL
|
|
||||||
#
|
|
||||||
run_it() {
|
|
||||||
local script
|
|
||||||
local options='-'
|
|
||||||
|
|
||||||
export VARDIR
|
|
||||||
|
|
||||||
script=$1
|
|
||||||
shift
|
|
||||||
|
|
||||||
|
|
||||||
if [ "$g_debugging" = debug ]; then
|
|
||||||
options='-D'
|
|
||||||
elif [ "$g_debugging" = trace ]; then
|
|
||||||
options='-T'
|
|
||||||
else
|
|
||||||
options='-';
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$g_noroutes" ] && options=${options}n
|
|
||||||
[ -n "$g_timestamp" ] && options=${options}t
|
|
||||||
[ -n "$g_purge" ] && options=${options}p
|
|
||||||
[ -n "$g_recovering" ] && options=${options}r
|
|
||||||
[ -n "$g_counters" ] && options=${options}c
|
|
||||||
|
|
||||||
options="${options}V $VERBOSITY"
|
|
||||||
|
|
||||||
[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
|
|
||||||
|
|
||||||
$SHOREWALL_SHELL $script $options $@
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Message to stderr
|
|
||||||
#
|
|
||||||
error_message() # $* = Error Message
|
|
||||||
{
|
|
||||||
echo " $@" >&2
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Undo the effect of 'split()'
|
|
||||||
#
|
|
||||||
join()
|
|
||||||
{
|
|
||||||
local f
|
|
||||||
local o
|
|
||||||
o=
|
|
||||||
|
|
||||||
for f in $* ; do
|
|
||||||
o="${o:+$o:}$f"
|
|
||||||
done
|
|
||||||
|
|
||||||
echo $o
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Return the number of elements in a list
|
|
||||||
#
|
|
||||||
list_count() # $* = list
|
|
||||||
{
|
|
||||||
return $#
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Split a colon-separated list into a space-separated list
|
|
||||||
#
|
|
||||||
split() {
|
|
||||||
local ifs
|
|
||||||
ifs=$IFS
|
|
||||||
IFS=:
|
|
||||||
echo $*
|
|
||||||
IFS=$ifs
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Split a comma-separated list into a space-separated list
|
|
||||||
#
|
|
||||||
split_list() {
|
|
||||||
local ifs
|
|
||||||
ifs=$IFS
|
|
||||||
IFS=,
|
|
||||||
echo $*
|
|
||||||
IFS=$ifs
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Search a list looking for a match -- returns zero if a match found
|
|
||||||
# 1 otherwise
|
|
||||||
#
|
|
||||||
list_search() # $1 = element to search for , $2-$n = list
|
|
||||||
{
|
|
||||||
local e
|
|
||||||
e=$1
|
|
||||||
|
|
||||||
while [ $# -gt 1 ]; do
|
|
||||||
shift
|
|
||||||
[ "x$e" = "x$1" ] && return 0
|
|
||||||
done
|
|
||||||
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Suppress all output for a command
|
|
||||||
#
|
|
||||||
qt()
|
|
||||||
{
|
|
||||||
"$@" >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Suppress all output and input - mainly for preventing leaked file descriptors
|
|
||||||
# to avoid SELinux denials
|
|
||||||
#
|
|
||||||
qtnoin()
|
|
||||||
{
|
|
||||||
"$@" </dev/null >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
qt1()
|
|
||||||
{
|
|
||||||
local status
|
|
||||||
|
|
||||||
while [ 1 ]; do
|
|
||||||
"$@" </dev/null >/dev/null 2>&1
|
|
||||||
status=$?
|
|
||||||
[ $status -ne 4 ] && return $status
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Determine if Shorewall[6] is "running"
|
|
||||||
#
|
|
||||||
product_is_started() {
|
|
||||||
qt1 $g_tool -L shorewall -n
|
|
||||||
}
|
|
||||||
|
|
||||||
shorewall_is_started() {
|
|
||||||
qt1 $IPTABLES -L shorewall -n
|
|
||||||
}
|
|
||||||
|
|
||||||
shorewall6_is_started() {
|
|
||||||
qt1 $IP6TABLES -L shorewall -n
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Echos the fully-qualified name of the calling shell program
|
|
||||||
#
|
|
||||||
my_pathname() {
|
|
||||||
local pwd
|
|
||||||
pwd=$PWD
|
|
||||||
cd $(dirname $0)
|
|
||||||
echo $PWD/$(basename $0)
|
|
||||||
cd $pwd
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Source a user exit file if it exists
|
|
||||||
#
|
|
||||||
run_user_exit() # $1 = file name
|
|
||||||
{
|
|
||||||
local user_exit
|
|
||||||
user_exit=$(find_file $1)
|
|
||||||
|
|
||||||
if [ -f $user_exit ]; then
|
|
||||||
progress_message "Processing $user_exit ..."
|
|
||||||
. $user_exit
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
|
|
||||||
# a space-separated list of directories to search for
|
|
||||||
# the module and that 'moduleloader' contains the
|
|
||||||
# module loader command.
|
|
||||||
#
|
|
||||||
loadmodule() # $1 = module name, $2 - * arguments
|
|
||||||
{
|
|
||||||
local modulename
|
|
||||||
modulename=$1
|
|
||||||
shift
|
|
||||||
local moduleoptions
|
|
||||||
moduleoptions=$*
|
|
||||||
local modulefile
|
|
||||||
local suffix
|
|
||||||
|
|
||||||
if [ -d /sys/module/ ]; then
|
|
||||||
if ! list_search $modulename $DONT_LOAD; then
|
|
||||||
if [ ! -d /sys/module/$modulename ]; then
|
|
||||||
case $moduleloader in
|
|
||||||
insmod)
|
|
||||||
for directory in $moduledirectories; do
|
|
||||||
for modulefile in $directory/${modulename}.*; do
|
|
||||||
if [ -f $modulefile ]; then
|
|
||||||
insmod $modulefile $moduleoptions
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
modprobe -q $modulename $moduleoptions
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
elif ! list_search $modulename $DONT_LOAD $MODULES; then
|
|
||||||
case $moduleloader in
|
|
||||||
insmod)
|
|
||||||
for directory in $moduledirectories; do
|
|
||||||
for modulefile in $directory/${modulename}.*; do
|
|
||||||
if [ -f $modulefile ]; then
|
|
||||||
insmod $modulefile $moduleoptions
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
modprobe -q $modulename $moduleoptions
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Reload the Modules
|
|
||||||
#
|
|
||||||
reload_kernel_modules() {
|
|
||||||
|
|
||||||
local save_modules_dir
|
|
||||||
save_modules_dir=$MODULESDIR
|
|
||||||
local directory
|
|
||||||
local moduledirectories
|
|
||||||
moduledirectories=
|
|
||||||
local moduleloader
|
|
||||||
moduleloader=modprobe
|
|
||||||
local uname
|
|
||||||
local extras
|
|
||||||
|
|
||||||
if ! qt mywhich modprobe; then
|
|
||||||
moduleloader=insmod
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$MODULESDIR" ]; then
|
|
||||||
case "$MODULESDIR" in
|
|
||||||
+*)
|
|
||||||
extras="$MODULESDIR"
|
|
||||||
extras=${extras#+}
|
|
||||||
MODULESDIR=
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$MODULESDIR" ]; then
|
|
||||||
uname=$(uname -r)
|
|
||||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
|
||||||
if [ -n "$extras" ]; then
|
|
||||||
for directory in $(split "$extras"); do
|
|
||||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
|
||||||
|
|
||||||
for directory in $(split $MODULESDIR); do
|
|
||||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
|
||||||
done
|
|
||||||
|
|
||||||
[ -n "$moduledirectories" ] && while read command; do
|
|
||||||
eval $command
|
|
||||||
done
|
|
||||||
|
|
||||||
MODULESDIR=$save_modules_dir
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Load kernel modules required for Shorewall
|
|
||||||
#
|
|
||||||
load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
|
||||||
{
|
|
||||||
local save_modules_dir
|
|
||||||
save_modules_dir=$MODULESDIR
|
|
||||||
local directory
|
|
||||||
local moduledirectories
|
|
||||||
moduledirectories=
|
|
||||||
local moduleloader
|
|
||||||
moduleloader=modprobe
|
|
||||||
local savemoduleinfo
|
|
||||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
|
||||||
local uname
|
|
||||||
local extras
|
|
||||||
|
|
||||||
if ! qt mywhich modprobe; then
|
|
||||||
moduleloader=insmod
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$MODULESDIR" ]; then
|
|
||||||
case "$MODULESDIR" in
|
|
||||||
+*)
|
|
||||||
extras="$MODULESDIR"
|
|
||||||
extras=${extras#+}
|
|
||||||
MODULESDIR=
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$MODULESDIR" ]; then
|
|
||||||
uname=$(uname -r)
|
|
||||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
|
||||||
if [ -n "$extras" ]; then
|
|
||||||
for directory in $(split "$extras"); do
|
|
||||||
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
for directory in $(split $MODULESDIR); do
|
|
||||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
|
||||||
done
|
|
||||||
|
|
||||||
modules=$(find_file helpers)
|
|
||||||
|
|
||||||
if [ -f $modules -a -n "$moduledirectories" ]; then
|
|
||||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
|
||||||
progress_message "Loading Modules..."
|
|
||||||
. $modules
|
|
||||||
if [ $savemoduleinfo = Yes ]; then
|
|
||||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
||||||
echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
|
|
||||||
cp -f $modules ${VARDIR}/.modules
|
|
||||||
fi
|
|
||||||
elif [ $savemoduleinfo = Yes ]; then
|
|
||||||
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
|
|
||||||
> ${VARDIR}/.modulesdir
|
|
||||||
> ${VARDIR}/.modules
|
|
||||||
fi
|
|
||||||
|
|
||||||
MODULESDIR=$save_modules_dir
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Note: The following set of IP address manipulation functions have anomalous
|
|
||||||
# behavior when the shell only supports 32-bit signed arithmetic and
|
|
||||||
# the IP address is 128.0.0.0 or 128.0.0.1.
|
|
||||||
#
|
|
||||||
|
|
||||||
LEFTSHIFT='<<'
|
|
||||||
|
|
||||||
#
|
|
||||||
# Convert an IP address in dot quad format to an integer
|
|
||||||
#
|
|
||||||
decodeaddr() {
|
|
||||||
local x
|
|
||||||
local temp
|
|
||||||
temp=0
|
|
||||||
local ifs
|
|
||||||
ifs=$IFS
|
|
||||||
|
|
||||||
IFS=.
|
|
||||||
|
|
||||||
for x in $1; do
|
|
||||||
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
|
|
||||||
done
|
|
||||||
|
|
||||||
echo $temp
|
|
||||||
|
|
||||||
IFS=$ifs
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# convert an integer to dot quad format
|
|
||||||
#
|
|
||||||
encodeaddr() {
|
|
||||||
addr=$1
|
|
||||||
local x
|
|
||||||
local y
|
|
||||||
y=$(($addr & 255))
|
|
||||||
|
|
||||||
for x in 1 2 3 ; do
|
|
||||||
addr=$(($addr >> 8))
|
|
||||||
y=$(($addr & 255)).$y
|
|
||||||
done
|
|
||||||
|
|
||||||
echo $y
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Netmask from CIDR
|
|
||||||
#
|
|
||||||
ip_netmask() {
|
|
||||||
local vlsm
|
|
||||||
vlsm=${1#*/}
|
|
||||||
|
|
||||||
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Network address from CIDR
|
|
||||||
#
|
|
||||||
ip_network() {
|
|
||||||
local decodedaddr
|
|
||||||
decodedaddr=$(decodeaddr ${1%/*})
|
|
||||||
local netmask
|
|
||||||
netmask=$(ip_netmask $1)
|
|
||||||
|
|
||||||
echo $(encodeaddr $(($decodedaddr & $netmask)))
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following hack is supplied to compensate for the fact that many of
|
|
||||||
# the popular light-weight Bourne shell derivatives do not support XOR ("^").
|
|
||||||
#
|
|
||||||
ip_broadcast() {
|
|
||||||
local x
|
|
||||||
x=$(( 32 - ${1#*/} ))
|
|
||||||
|
|
||||||
[ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Calculate broadcast address from CIDR
|
|
||||||
#
|
|
||||||
broadcastaddress() {
|
|
||||||
local decodedaddr
|
|
||||||
decodedaddr=$(decodeaddr ${1%/*})
|
|
||||||
local netmask
|
|
||||||
netmask=$(ip_netmask $1)
|
|
||||||
local broadcast
|
|
||||||
broadcast=$(ip_broadcast $1)
|
|
||||||
|
|
||||||
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Test for network membership
|
|
||||||
#
|
|
||||||
in_network() # $1 = IP address, $2 = CIDR network
|
|
||||||
{
|
|
||||||
local netmask
|
|
||||||
netmask=$(ip_netmask $2)
|
|
||||||
#
|
|
||||||
# Use string comparison to work around a broken BusyBox ash in OpenWRT
|
|
||||||
#
|
|
||||||
test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Query NetFilter about the existence of a filter chain
|
|
||||||
#
|
|
||||||
chain_exists() # $1 = chain name, $2 = table name (optional)
|
|
||||||
{
|
|
||||||
qt1 $g_tool -t ${2:-filter} -L $1 -n
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Find the interface with the passed MAC address
|
|
||||||
#
|
|
||||||
|
|
||||||
find_interface_by_mac() {
|
|
||||||
local mac
|
|
||||||
mac=$1
|
|
||||||
local first
|
|
||||||
local second
|
|
||||||
local rest
|
|
||||||
local dev
|
|
||||||
|
|
||||||
$IP link list | while read first second rest; do
|
|
||||||
case $first in
|
|
||||||
*:)
|
|
||||||
dev=$second
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ "$second" = $mac ]; then
|
|
||||||
echo ${dev%:}
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Find interface address--returns the first IP address assigned to the passed
|
|
||||||
# device
|
|
||||||
#
|
|
||||||
find_first_interface_address() # $1 = interface
|
|
||||||
{
|
|
||||||
if [ $g_family -eq 4 ]; then
|
|
||||||
#
|
|
||||||
# get the line of output containing the first IP address
|
|
||||||
#
|
|
||||||
addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
|
||||||
#
|
|
||||||
# If there wasn't one, bail out now
|
|
||||||
#
|
|
||||||
[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
|
|
||||||
#
|
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
||||||
# along with everything else on the line
|
|
||||||
#
|
|
||||||
echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
|
|
||||||
else
|
|
||||||
#
|
|
||||||
# get the line of output containing the first IP address
|
|
||||||
#
|
|
||||||
addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
|
|
||||||
#
|
|
||||||
# If there wasn't one, bail out now
|
|
||||||
#
|
|
||||||
[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
|
|
||||||
#
|
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
||||||
# along with everything else on the line
|
|
||||||
#
|
|
||||||
echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
find_first_interface_address_if_any() # $1 = interface
|
|
||||||
{
|
|
||||||
if [ $g_family -eq 4 ]; then
|
|
||||||
#
|
|
||||||
# get the line of output containing the first IP address
|
|
||||||
#
|
|
||||||
addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
|
||||||
#
|
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
||||||
# along with everything else on the line
|
|
||||||
#
|
|
||||||
[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
|
|
||||||
else
|
|
||||||
#
|
|
||||||
# get the line of output containing the first IP address
|
|
||||||
#
|
|
||||||
addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
|
|
||||||
#
|
|
||||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
|
||||||
# along with everything else on the line
|
|
||||||
#
|
|
||||||
[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
#Determines if the passed interface is a loopback interface
|
|
||||||
#
|
|
||||||
loopback_interface() { #$1 = Interface name
|
|
||||||
[ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Find Loopback Interfaces
|
|
||||||
#
|
|
||||||
find_loopback_interfaces() {
|
|
||||||
local interfaces
|
|
||||||
|
|
||||||
[ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
|
|
||||||
|
|
||||||
[ -n "$interfaces" ] && echo $interfaces || echo lo
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Internal version of 'which'
|
|
||||||
#
|
|
||||||
mywhich() {
|
|
||||||
local dir
|
|
||||||
|
|
||||||
for dir in $(split $PATH); do
|
|
||||||
if [ -x $dir/$1 ]; then
|
|
||||||
echo $dir/$1
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
return 2
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
|
|
||||||
#
|
|
||||||
find_file()
|
|
||||||
{
|
|
||||||
local saveifs
|
|
||||||
saveifs=
|
|
||||||
local directory
|
|
||||||
|
|
||||||
case $1 in
|
|
||||||
/*)
|
|
||||||
echo $1
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
for directory in $(split $CONFIG_PATH); do
|
|
||||||
if [ -f $directory/$1 ]; then
|
|
||||||
echo $directory/$1
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$g_shorewalldir" ]; then
|
|
||||||
echo ${g_shorewalldir}/$1
|
|
||||||
else
|
|
||||||
echo ${g_confdir}/$1
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Set the Shorewall state
|
|
||||||
#
|
|
||||||
set_state () # $1 = state
|
|
||||||
{
|
|
||||||
if [ $# -gt 1 ]; then
|
|
||||||
echo "$1 $(date) from $2" > ${VARDIR}/state
|
|
||||||
else
|
|
||||||
echo "$1 $(date)" > ${VARDIR}/state
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Perform variable substitution on the passed argument and echo the result
|
|
||||||
#
|
|
||||||
expand() # $@ = contents of variable which may be the name of another variable
|
|
||||||
{
|
|
||||||
eval echo \"$@\"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Function for including one file into another
|
|
||||||
#
|
|
||||||
INCLUDE() {
|
|
||||||
. $(find_file $(expand $@))
|
|
||||||
}
|
|
||||||
|
|
||||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
|
||||||
# rather than ${v:first:last} because light-weight shells like ash and
|
|
||||||
# dash do not support that form of expansion.
|
|
||||||
#
|
|
||||||
|
|
||||||
truncate() # $1 = length
|
|
||||||
{
|
|
||||||
cut -b -${1}
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Call this function to assert mutual exclusion with Shorewall. If you invoke the
|
|
||||||
# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
|
|
||||||
# the first argument. Example "shorewall -N refresh"
|
|
||||||
#
|
|
||||||
# This function uses the lockfile utility from procmail if it exists.
|
|
||||||
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
|
|
||||||
# behavior of lockfile.
|
|
||||||
#
|
|
||||||
mutex_on()
|
|
||||||
{
|
|
||||||
local try
|
|
||||||
try=0
|
|
||||||
local lockf
|
|
||||||
lockf=${LOCKFILE:=${VARDIR}/lock}
|
|
||||||
local lockpid
|
|
||||||
local lockd
|
|
||||||
local lockbin
|
|
||||||
local openwrt
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
|
|
||||||
|
|
||||||
if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
|
|
||||||
|
|
||||||
lockd=$(dirname $LOCKFILE)
|
|
||||||
|
|
||||||
[ -d "$lockd" ] || mkdir -p "$lockd"
|
|
||||||
|
|
||||||
lockbin=$(mywhich lock)
|
|
||||||
[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
|
|
||||||
|
|
||||||
if [ -f $lockf ]; then
|
|
||||||
lockpid=`cat ${lockf} 2> /dev/null`
|
|
||||||
if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
|
|
||||||
rm -f ${lockf}
|
|
||||||
error_message "WARNING: Stale lockfile ${lockf} removed"
|
|
||||||
elif [ -z "$openwrt" ]; then
|
|
||||||
if [ $lockpid -eq $$ ]; then
|
|
||||||
fatal_error "Mutex_on confusion"
|
|
||||||
elif ! qt ps --pid ${lockpid}; then
|
|
||||||
rm -f ${lockf}
|
|
||||||
error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$openwrt" ]; then
|
|
||||||
lock ${lockf} || fatal_error "Can't lock ${lockf}"
|
|
||||||
g_havemutex="lock -u ${lockf}"
|
|
||||||
elif qt mywhich lockfile; then
|
|
||||||
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
|
|
||||||
g_havemutex="rm -f ${lockf}"
|
|
||||||
chmod u+w ${lockf}
|
|
||||||
echo $$ > ${lockf}
|
|
||||||
chmod u-w ${lockf}
|
|
||||||
else
|
|
||||||
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
|
|
||||||
sleep 1
|
|
||||||
try=$((${try} + 1))
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
|
|
||||||
# Create the lockfile
|
|
||||||
echo $$ > ${lockf}
|
|
||||||
g_havemutex="rm -f ${lockf}"
|
|
||||||
else
|
|
||||||
echo "Giving up on lock file ${lockf}" >&2
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$g_havemutex" ]; then
|
|
||||||
trap mutex_off EXIT
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Call this function to release mutual exclusion
|
|
||||||
#
|
|
||||||
mutex_off()
|
|
||||||
{
|
|
||||||
if [ -n "$g_havemutex" ]; then
|
|
||||||
eval $g_havemutex
|
|
||||||
g_havemutex=
|
|
||||||
trap '' exit
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
@ -1,88 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
|
|
||||||
#
|
|
||||||
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# The purpose of this library is to hold those functions used by the products installer.
|
|
||||||
#
|
|
||||||
#########################################################################################
|
|
||||||
|
|
||||||
fatal_error()
|
|
||||||
{
|
|
||||||
echo " ERROR: $@" >&2
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
split() {
|
|
||||||
local ifs
|
|
||||||
ifs=$IFS
|
|
||||||
IFS=:
|
|
||||||
set -- $1
|
|
||||||
echo $*
|
|
||||||
IFS=$ifs
|
|
||||||
}
|
|
||||||
|
|
||||||
qt()
|
|
||||||
{
|
|
||||||
"$@" >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
mywhich() {
|
|
||||||
local dir
|
|
||||||
|
|
||||||
for dir in $(split $PATH); do
|
|
||||||
if [ -x $dir/$1 ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
return 2
|
|
||||||
}
|
|
||||||
|
|
||||||
delete_file() # $1 = file to delete
|
|
||||||
{
|
|
||||||
rm -f $1
|
|
||||||
}
|
|
||||||
|
|
||||||
require()
|
|
||||||
{
|
|
||||||
eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
|
|
||||||
}
|
|
||||||
|
|
||||||
make_directory() # $1 = directory , $2 = mode
|
|
||||||
{
|
|
||||||
mkdir $1
|
|
||||||
chmod $2 $1
|
|
||||||
[ -n "$OWNERSHIP" ] && chown $OWNERSHIP $1
|
|
||||||
}
|
|
||||||
|
|
||||||
make_parent_directory() # $1 = directory , $2 = mode
|
|
||||||
{
|
|
||||||
mkdir -p $1
|
|
||||||
chmod $2 $1
|
|
||||||
[ -n "$OWNERSHIP" ] && chown $OWNER:$GROUP $1
|
|
||||||
}
|
|
||||||
|
|
||||||
cant_autostart()
|
|
||||||
{
|
|
||||||
echo
|
|
||||||
echo "WARNING: Unable to configure $Product to start automatically at boot" >&2
|
|
||||||
}
|
|
@ -1,105 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
|
|
||||||
#
|
|
||||||
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# The purpose of this library is to hold those functions used by the products uninstaller.
|
|
||||||
#
|
|
||||||
#########################################################################################
|
|
||||||
|
|
||||||
fatal_error()
|
|
||||||
{
|
|
||||||
echo " ERROR: $@" >&2
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
split() {
|
|
||||||
local ifs
|
|
||||||
ifs=$IFS
|
|
||||||
IFS=:
|
|
||||||
set -- $1
|
|
||||||
echo $*
|
|
||||||
IFS=$ifs
|
|
||||||
}
|
|
||||||
|
|
||||||
qt()
|
|
||||||
{
|
|
||||||
"$@" >/dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
mywhich() {
|
|
||||||
local dir
|
|
||||||
|
|
||||||
for dir in $(split $PATH); do
|
|
||||||
if [ -x $dir/$1 ]; then
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
return 2
|
|
||||||
}
|
|
||||||
|
|
||||||
remove_file() # $1 = file to remove
|
|
||||||
{
|
|
||||||
if [ -n "$1" ] ; then
|
|
||||||
if [ -f $1 -o -h $1 ] ; then
|
|
||||||
rm -f $1
|
|
||||||
echo "$1 Removed"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
remove_directory() # $1 = directory to remove
|
|
||||||
{
|
|
||||||
if [ -n "$1" ] ; then
|
|
||||||
if [ -d $1 ] ; then
|
|
||||||
rm -rf $1
|
|
||||||
echo "$1 Removed"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
remove_file_with_wildcard() # $1 = file with wildcard to remove
|
|
||||||
{
|
|
||||||
if [ -n "$1" ] ; then
|
|
||||||
for f in $1; do
|
|
||||||
if [ -d $f ] ; then
|
|
||||||
rm -rf $f
|
|
||||||
echo "$f Removed"
|
|
||||||
elif [ -f $f -o -h $f ] ; then
|
|
||||||
rm -f $f
|
|
||||||
echo "$f Removed"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
restore_file() # $1 = file to restore
|
|
||||||
{
|
|
||||||
if [ -f ${1}-shorewall.bkout ]; then
|
|
||||||
if (mv -f ${1}-shorewall.bkout $1); then
|
|
||||||
echo
|
|
||||||
echo "$1 restored"
|
|
||||||
else
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
File diff suppressed because it is too large
Load Diff
@ -1,43 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Shorewall Packet Filtering Firewall Control Program - V5.2
|
|
||||||
#
|
|
||||||
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
|
|
||||||
# Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
|
|
||||||
#
|
|
||||||
################################################################################################
|
|
||||||
#
|
|
||||||
# Default product is Shorewall. PRODUCT will be set based on $0 and on passed -[46] and -l
|
|
||||||
# options
|
|
||||||
#
|
|
||||||
PRODUCT=shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# This is modified by the installer when ${SHAREDIR} != /usr/share
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
g_basedir=${SHAREDIR}/shorewall
|
|
||||||
|
|
||||||
. ${g_basedir}/lib.cli
|
|
||||||
|
|
||||||
shorewall_cli $@
|
|
@ -1,25 +0,0 @@
|
|||||||
#
|
|
||||||
# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=alt
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${SHAREDIR}/perl5 #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
|
|
||||||
INITDIR=${CONFDIR}/rc.d/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE=$PRODUCT #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.alt.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
|
||||||
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,22 +0,0 @@
|
|||||||
#
|
|
||||||
# Apple OS X Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD=apple
|
|
||||||
HOST=apple
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
|
|
||||||
INITDIR= #Unused on OS X
|
|
||||||
INITFILE= #Unused on OS X
|
|
||||||
INITSOURCE= #Unused on OS X
|
|
||||||
ANNOTATED= #Unused on OS X
|
|
||||||
SERVICEDIR= #Unused on OS X
|
|
||||||
SERVICEFILE= #Unused on OS X
|
|
||||||
SYSCONFDIR= #Unused on OS X
|
|
||||||
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
|
|
||||||
VARLIB=/var/lib #Unused on OS X
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,23 +0,0 @@
|
|||||||
#
|
|
||||||
# Arch Linux Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=archlinux
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/usr/bin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
|
|
||||||
INITDIR= #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE= #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE= #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SYSCONFDIR= #Directory where SysV init parameter files are installed
|
|
||||||
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,22 +0,0 @@
|
|||||||
#
|
|
||||||
# Cygwin Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD=cygwin
|
|
||||||
HOST=cygwin
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/bin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/init.d #Unused on Cygwin
|
|
||||||
INITFILE= #Unused on Cygwin
|
|
||||||
INITSOURCE= #Unused on Cygwin
|
|
||||||
ANNOTATED= #Unused on Cygwin
|
|
||||||
SERVICEDIR= #Unused on Cygwin
|
|
||||||
SERVICEFILE= #Unused on Cygwin
|
|
||||||
SYSCONFDIR= #Unused on Cygwin
|
|
||||||
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
|
|
||||||
VARLIB=/var/lib #Unused on Cygwin
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,25 +0,0 @@
|
|||||||
#
|
|
||||||
# Debian Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=debian
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
|
|
||||||
INITDIR= #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE= #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-empty, annotated configuration files are installed
|
|
||||||
SYSCONFFILE=default.debian.systemd #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
|
|
||||||
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
|
||||||
STOPSERVICEFILE=stop_service.debian #Name of script to stop systemd service that honours `SAFESTOP`.
|
|
@ -1,24 +0,0 @@
|
|||||||
#
|
|
||||||
# Debian Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=debian
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE=$PRODUCT #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SYSCONFFILE=default.debian.sysvinit #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
|
|
||||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,24 +0,0 @@
|
|||||||
#
|
|
||||||
# Default Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=linux #Generic Linux
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${PREFIX}/man #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE=$PRODUCT #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SYSCONFDIR= #Directory where SysV init parameter files are installed
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,24 +0,0 @@
|
|||||||
#
|
|
||||||
# OpenWRT/LEDE Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=openwrt
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR= #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE=$PRODUCT #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed
|
|
||||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,24 +0,0 @@
|
|||||||
#
|
|
||||||
# RedHat/FedoraShorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=redhat
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/rc.d/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE=$PRODUCT #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,28 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 5.2 rc file for installing into a Sandbox
|
|
||||||
#
|
|
||||||
BUILD= # Default is to detect the build system
|
|
||||||
HOST=linux
|
|
||||||
INSTALLDIR= # Set this to the directory where you want Shorewall installed
|
|
||||||
PREFIX=${INSTALLDIR}/usr # Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share # Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share # Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall # Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=${INSTALLDIR}/etc # Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=${INSTALLDIR}/sbin # Directory where system administration programs are installed
|
|
||||||
MANDIR= # Leave empty
|
|
||||||
INITDIR= # Leave empty
|
|
||||||
INITSOURCE= # Leave empty
|
|
||||||
INITFILE= # Leave empty
|
|
||||||
AUXINITSOURCE= # Leave empty
|
|
||||||
AUXINITFILE= # Leave empty
|
|
||||||
SERVICEDIR= # Leave empty
|
|
||||||
SERVICEFILE= # Leave empty
|
|
||||||
SYSCONFFILE= # Leave empty
|
|
||||||
SYSCONFDIR= # Leave empty
|
|
||||||
SPARSE= # Leave empty
|
|
||||||
ANNOTATED= # If non-empty, annotated configuration files are installed
|
|
||||||
VARLIB=${INSTALLDIR}/var/lib # Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT # Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER=/usr/bin/less # Pager to use if none specified in shorewall[6].conf
|
|
||||||
SANDBOX=Yes # Indicates SANDBOX installation
|
|
@ -1,25 +0,0 @@
|
|||||||
#
|
|
||||||
# Slackware Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD=slackware
|
|
||||||
HOST=slackware
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SBINDIR=/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${PREFIX}/man #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/rc.d #Directory where SysV init scripts are installed.
|
|
||||||
AUXINITSOURCE=init.slackware.firewall.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
AUXINITFILE=rc.firewall #Name of the product's installed SysV init script
|
|
||||||
INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script
|
|
||||||
INITFILE=rc.$PRODUCT #Name of the product's installed second init script
|
|
||||||
SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only)
|
|
||||||
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SYSCONFDIR= #Name of the directory where SysV init parameter files are installed.
|
|
||||||
ANNOTATED= #If non-empty, install annotated configuration files
|
|
||||||
VARLIB=/var/lib #Directory where product variable data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,24 +0,0 @@
|
|||||||
#
|
|
||||||
# SuSE Shorewall 5.2 rc file
|
|
||||||
#
|
|
||||||
BUILD= #Default is to detect the build system
|
|
||||||
HOST=suse
|
|
||||||
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
|
|
||||||
CONFDIR=/etc #Directory where subsystem configurations are installed
|
|
||||||
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
|
|
||||||
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
|
|
||||||
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
|
|
||||||
SBINDIR=/usr/sbin #Directory where system administration programs are installed
|
|
||||||
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
|
|
||||||
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
|
|
||||||
INITFILE= #Name of the product's SysV init script
|
|
||||||
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
|
|
||||||
ANNOTATED= #If non-zero, annotated configuration files are installed
|
|
||||||
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
|
|
||||||
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
|
|
||||||
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
|
|
||||||
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
|
|
||||||
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
|
|
||||||
VARLIB=/var/lib #Directory where persistent product data is stored.
|
|
||||||
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
|
|
||||||
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
|
|
@ -1,19 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
PRODUCT=$1
|
|
||||||
|
|
||||||
. /etc/default/${PRODUCT}
|
|
||||||
|
|
||||||
if [ "$SAFESTOP" = 1 ]; then
|
|
||||||
COMMAND=stop
|
|
||||||
else
|
|
||||||
COMMAND=clear
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${PRODUCT}" = shorewall6 ]; then
|
|
||||||
EXEC="/sbin/shorewall -6"
|
|
||||||
else
|
|
||||||
EXEC="/sbin/${PRODUCT}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec ${EXEC} ${OPTIONS} ${COMMAND}
|
|
@ -1,142 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Script to back uninstall Shoreline Firewall Core Modules
|
|
||||||
#
|
|
||||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# Usage:
|
|
||||||
#
|
|
||||||
# You may only use this script to uninstall the version
|
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
|
||||||
|
|
||||||
VERSION=xxx # The Build script inserts the actual version
|
|
||||||
PRODUCT=shorewall-core
|
|
||||||
Product="Shorewall Core"
|
|
||||||
|
|
||||||
usage() # $1 = exit status
|
|
||||||
{
|
|
||||||
ME=$(basename $0)
|
|
||||||
echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
|
|
||||||
echo "where <option> is one of"
|
|
||||||
echo " -h"
|
|
||||||
echo " -v"
|
|
||||||
exit $1
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Change to the directory containing this script
|
|
||||||
#
|
|
||||||
cd "$(dirname $0)"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Source common functions
|
|
||||||
#
|
|
||||||
. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
|
|
||||||
|
|
||||||
#
|
|
||||||
# Parse the run line
|
|
||||||
#
|
|
||||||
finished=0
|
|
||||||
|
|
||||||
while [ $finished -eq 0 ]; do
|
|
||||||
option=$1
|
|
||||||
|
|
||||||
case "$option" in
|
|
||||||
-*)
|
|
||||||
option=${option#-}
|
|
||||||
|
|
||||||
while [ -n "$option" ]; do
|
|
||||||
case $option in
|
|
||||||
h)
|
|
||||||
usage 0
|
|
||||||
;;
|
|
||||||
v)
|
|
||||||
echo "$Product Firewall Uninstaller Version $VERSION"
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
usage 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
finished=1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
#
|
|
||||||
# Read the RC file
|
|
||||||
#
|
|
||||||
if [ $# -eq 0 ]; then
|
|
||||||
if [ -f ./shorewallrc ]; then
|
|
||||||
. ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
|
|
||||||
elif [ -f ~/.shorewallrc ]; then
|
|
||||||
. ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
|
|
||||||
elif [ -f /usr/share/shorewall/shorewallrc ]; then
|
|
||||||
. /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
|
|
||||||
else
|
|
||||||
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
|
|
||||||
fi
|
|
||||||
elif [ $# -eq 1 ]; then
|
|
||||||
file=$1
|
|
||||||
case $file in
|
|
||||||
/*|.*)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
file=./$file || exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
else
|
|
||||||
usage 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
|
|
||||||
INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
|
|
||||||
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
|
|
||||||
echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
|
|
||||||
echo " and this is the $VERSION uninstaller."
|
|
||||||
VERSION="$INSTALLED_VERSION"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "WARNING: $Product Version $VERSION is not installed"
|
|
||||||
VERSION=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Uninstalling $Product $VERSION"
|
|
||||||
|
|
||||||
if [ -n "${MANDIR}" ]; then
|
|
||||||
remove_file_with_wildcard ${MANDIR}/man5/shorewall\*
|
|
||||||
remove_file_with_wildcard ${MANDIR}/man8/shorewall\*
|
|
||||||
fi
|
|
||||||
|
|
||||||
remove_directory ${SHAREDIR}/shorewall
|
|
||||||
remove_file ~/.shorewallrc
|
|
||||||
remove_file ${SBINDIR}/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# Report Success
|
|
||||||
#
|
|
||||||
echo "$Product $VERSION Uninstalled"
|
|
@ -2,8 +2,7 @@
|
|||||||
Version 2, June 1991
|
Version 2, June 1991
|
||||||
|
|
||||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||||
51 Franklin Street, Fifth Floor,
|
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
Boston, MA 02110-1301 USA
|
|
||||||
Everyone is permitted to copy and distribute verbatim copies
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
of this license document, but changing it is not allowed.
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
1
Shorewall-init/README.txt
Normal file
1
Shorewall-init/README.txt
Normal file
@ -0,0 +1 @@
|
|||||||
|
This is the Shorewall-init stable 4.4 branch of Git.
|
@ -1,21 +0,0 @@
|
|||||||
# List the Shorewall products that Shorewall-init is to
|
|
||||||
# initialize (space-separated list).
|
|
||||||
#
|
|
||||||
# Sample: PRODUCTS="shorewall shorewall6"
|
|
||||||
#
|
|
||||||
PRODUCTS=""
|
|
||||||
|
|
||||||
#
|
|
||||||
# Set this to 1 if you want Shorewall-init to react to
|
|
||||||
# ifup/ifdown and NetworkManager events
|
|
||||||
#
|
|
||||||
IFUPDOWN=0
|
|
||||||
#
|
|
||||||
# Where Up/Down events get logged
|
|
||||||
#
|
|
||||||
LOGFILE=/var/log/shorewall-ifupdown.log
|
|
||||||
|
|
||||||
# Startup options - set verbosity to 0 (minimal reporting)
|
|
||||||
OPTIONS="-V0"
|
|
||||||
|
|
||||||
# IOF
|
|
@ -1,27 +0,0 @@
|
|||||||
# List the Shorewall products that Shorewall-init is to
|
|
||||||
# initialize (space-separated list).
|
|
||||||
#
|
|
||||||
# Sample: PRODUCTS="shorewall shorewall6"
|
|
||||||
#
|
|
||||||
PRODUCTS=""
|
|
||||||
|
|
||||||
#
|
|
||||||
# Set this to 1 if you want Shorewall-init to react to
|
|
||||||
# ifup/ifdown and NetworkManager events
|
|
||||||
#
|
|
||||||
IFUPDOWN=0
|
|
||||||
#
|
|
||||||
# Set this to the name of the file that is to hold
|
|
||||||
# ipset contents. Shorewall-init will load those ipsets
|
|
||||||
# during 'start' and will save them there during 'stop'.
|
|
||||||
#
|
|
||||||
SAVE_IPSETS=""
|
|
||||||
#
|
|
||||||
# Where Up/Down events get logged
|
|
||||||
#
|
|
||||||
LOGFILE=/var/log/shorewall-ifupdown.log
|
|
||||||
|
|
||||||
# Startup options - set verbosity to 0 (minimal reporting)
|
|
||||||
OPTIONS="-V0"
|
|
||||||
|
|
||||||
# IOF
|
|
@ -1,148 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Debian ifupdown script for Shorewall-based products
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ ! -x $STATEDIR/firewall ]; then
|
|
||||||
if [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
Debian_ppp() {
|
|
||||||
NEWPRODUCTS=
|
|
||||||
INTERFACE="$1"
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
/etc/ppp/ip-*)
|
|
||||||
#
|
|
||||||
# IPv4
|
|
||||||
#
|
|
||||||
for product in $PRODUCTS; do
|
|
||||||
case $product in
|
|
||||||
shorewall|shorewall-lite)
|
|
||||||
NEWPRODUCTS="$NEWPRODUCTS $product";
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
/etc/ppp/ipv6-*)
|
|
||||||
#
|
|
||||||
# IPv6
|
|
||||||
#
|
|
||||||
for product in $PRODUCTS; do
|
|
||||||
case $product in
|
|
||||||
shorewall6|shorewall6-lite)
|
|
||||||
NEWPRODUCTS="$NEWPRODUCTS $product";
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
PRODUCTS="$NEWPRODUCTS"
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
*up/*)
|
|
||||||
COMMAND=up
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
COMMAND=down
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
IFUPDOWN=0
|
|
||||||
PRODUCTS=
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
if [ -f /etc/default/shorewall-init ]; then
|
|
||||||
. /etc/default/shorewall-init
|
|
||||||
elif [ -f /etc/sysconfig/shorewall-init ]; then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
/etc/ppp*)
|
|
||||||
#
|
|
||||||
# Debian ppp
|
|
||||||
#
|
|
||||||
Debian_ppp
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
#
|
|
||||||
# Debian ifupdown system - MODE and INTERFACE inherited from the environment
|
|
||||||
#
|
|
||||||
INTERFACE="$IFACE"
|
|
||||||
|
|
||||||
if [ "$MODE" = start ]; then
|
|
||||||
COMMAND=up
|
|
||||||
elif [ "$MODE" = stop ]; then
|
|
||||||
COMMAND=down
|
|
||||||
else
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
[ -n "$LOGFILE" ] || LOGFILE=/dev/null
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
|
|
||||||
case $PRODUCT in
|
|
||||||
*6*)
|
|
||||||
[ ${ADDRFAM} = inet6 ] || continue
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
[ ${ADDRFAM} = inet ] || continue
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
setstatedir
|
|
||||||
|
|
||||||
if [ -x $VARLIB/$PRODUCT/firewall ]; then
|
|
||||||
( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
exit 0
|
|
@ -1,120 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
|
|
||||||
# Get startup options (override default)
|
|
||||||
OPTIONS=
|
|
||||||
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ ! -x $STATEDIR/firewall ]; then
|
|
||||||
if [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
IFUPDOWN=0
|
|
||||||
PRODUCTS=
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
if [ -f /etc/default/shorewall-init ]; then
|
|
||||||
. /etc/default/shorewall-init
|
|
||||||
elif [ -f /etc/sysconfig/shorewall-init ]; then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
|
|
||||||
|
|
||||||
PHASE=''
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
/etc/ppp*)
|
|
||||||
INTERFACE="$1"
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
*ip-up.local)
|
|
||||||
COMMAND=up
|
|
||||||
;;
|
|
||||||
*ip-down.local)
|
|
||||||
COMMAND=down
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
#
|
|
||||||
# RedHat ifup/down system
|
|
||||||
#
|
|
||||||
INTERFACE="$1"
|
|
||||||
|
|
||||||
case $0 in
|
|
||||||
*ifup*)
|
|
||||||
COMMAND=up
|
|
||||||
;;
|
|
||||||
*ifdown*)
|
|
||||||
COMMAND=down
|
|
||||||
;;
|
|
||||||
*dispatcher.d*)
|
|
||||||
case "$2" in
|
|
||||||
up|down)
|
|
||||||
COMMAND="$2"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
[ -n "$LOGFILE" ] || LOGFILE=/dev/null
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
setstatedir
|
|
||||||
|
|
||||||
if [ -x "$STATEDIR/firewall" ]; then
|
|
||||||
echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
|
|
||||||
( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
exit 0
|
|
@ -1,12 +1,12 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# SuSE ifupdown script for Shorewall-based products
|
# ifupdown script for Shorewall-based products
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||||
#
|
#
|
||||||
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2010 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
# Shorewall documentation is available at http://shorewall.net
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
@ -22,24 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
setstatedir() {
|
Debian_SuSE_ppp() {
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ ! -x $STATEDIR/firewall ]; then
|
|
||||||
if [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
SuSE_ppp() {
|
|
||||||
NEWPRODUCTS=
|
NEWPRODUCTS=
|
||||||
INTERFACE="$1"
|
INTERFACE="$1"
|
||||||
|
|
||||||
@ -88,11 +71,6 @@ SuSE_ppp() {
|
|||||||
IFUPDOWN=0
|
IFUPDOWN=0
|
||||||
PRODUCTS=
|
PRODUCTS=
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
if [ -f /etc/default/shorewall-init ]; then
|
if [ -f /etc/default/shorewall-init ]; then
|
||||||
. /etc/default/shorewall-init
|
. /etc/default/shorewall-init
|
||||||
elif [ -f /etc/sysconfig/shorewall-init ]; then
|
elif [ -f /etc/sysconfig/shorewall-init ]; then
|
||||||
@ -101,54 +79,117 @@ fi
|
|||||||
|
|
||||||
[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
|
[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
|
||||||
|
|
||||||
PHASE=''
|
if [ -f /etc/debian_version ]; then
|
||||||
|
case $0 in
|
||||||
case $0 in
|
/etc/ppp*)
|
||||||
/etc/ppp*)
|
#
|
||||||
#
|
# Debian ppp
|
||||||
# SUSE ppp
|
#
|
||||||
#
|
Debian_SuSE_ppp
|
||||||
SuSE_ppp
|
;;
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
*)
|
||||||
#
|
#
|
||||||
# SuSE ifupdown system
|
# Debian ifupdown system
|
||||||
#
|
#
|
||||||
INTERFACE="$2"
|
INTERFACE="$IFACE"
|
||||||
|
|
||||||
case $0 in
|
if [ "$MODE" = start ]; then
|
||||||
*dispatcher.d*)
|
|
||||||
INTERFACE="$1"
|
|
||||||
case "$2" in
|
|
||||||
up|down)
|
|
||||||
COMMAND="$2"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
;;
|
|
||||||
*if-up.d*)
|
|
||||||
COMMAND=up
|
COMMAND=up
|
||||||
;;
|
elif [ "$MODE" = stop ]; then
|
||||||
*if-down.d*)
|
|
||||||
COMMAND=down
|
COMMAND=down
|
||||||
;;
|
else
|
||||||
*)
|
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
fi
|
||||||
esac
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
[ -n "$LOGFILE" ] || LOGFILE=/dev/null
|
case "$PHASE" in
|
||||||
|
pre-*)
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
elif [ -f /etc/SuSE-release ]; then
|
||||||
|
case $0 in
|
||||||
|
/etc/ppp*)
|
||||||
|
#
|
||||||
|
# SUSE ppp
|
||||||
|
#
|
||||||
|
Debian_SuSE_ppp
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
#
|
||||||
|
# SuSE ifupdown system
|
||||||
|
#
|
||||||
|
INTERFACE="$2"
|
||||||
|
|
||||||
|
case $0 in
|
||||||
|
*if-up.d*)
|
||||||
|
COMMAND=up
|
||||||
|
;;
|
||||||
|
*if-down.d*)
|
||||||
|
COMMAND=down
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
else
|
||||||
|
#
|
||||||
|
# Assume RedHat/Fedora/CentOS/Foobar/...
|
||||||
|
#
|
||||||
|
case $0 in
|
||||||
|
/etc/ppp*)
|
||||||
|
INTERFACE="$1"
|
||||||
|
|
||||||
|
case $0 in
|
||||||
|
*ip-up.local)
|
||||||
|
COMMAND=up
|
||||||
|
;;
|
||||||
|
*ip-down.local)
|
||||||
|
COMMAND=down
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
#
|
||||||
|
# RedHat ifup/down system
|
||||||
|
#
|
||||||
|
INTERFACE="$1"
|
||||||
|
|
||||||
|
case $0 in
|
||||||
|
*ifup*)
|
||||||
|
COMMAND=up
|
||||||
|
;;
|
||||||
|
*ifdown*)
|
||||||
|
COMMAND=down
|
||||||
|
;;
|
||||||
|
*dispatcher.d*)
|
||||||
|
COMMAND="$2"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
for PRODUCT in $PRODUCTS; do
|
||||||
setstatedir
|
VARDIR=/var/lib/$PRODUCT
|
||||||
|
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
|
||||||
if [ -x $VARLIB/$PRODUCT/firewall ]; then
|
if [ -x $VARDIR/firewall ]; then
|
||||||
( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
|
( . /usr/share/$PRODUCT/lib.base
|
||||||
|
mutex_on
|
||||||
|
${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
|
||||||
|
mutex_off
|
||||||
|
)
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
@ -1,150 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Shorewall init script
|
|
||||||
#
|
|
||||||
# chkconfig: - 09 91
|
|
||||||
# description: Initialize the shorewall firewall at boot time
|
|
||||||
#
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: shorewall-init
|
|
||||||
# Required-Start: $local_fs
|
|
||||||
# Required-Stop: $local_fs
|
|
||||||
# Default-Start: 3 4 5
|
|
||||||
# Default-Stop: 0 1 2 6
|
|
||||||
# Short-Description: Initialize the shorewall firewall at boot time
|
|
||||||
# Description: Place the firewall in a safe state at boot time
|
|
||||||
# prior to bringing up the network.
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
# Do not load RH compatibility interface.
|
|
||||||
WITHOUT_RC_COMPAT=1
|
|
||||||
|
|
||||||
# Source function library.
|
|
||||||
. /etc/init.d/functions
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
NAME="Shorewall-init firewall"
|
|
||||||
PROG="shorewall-init"
|
|
||||||
SHOREWALL="$SBINDIR/$PROG"
|
|
||||||
LOGGER="logger -i -t $PROG"
|
|
||||||
|
|
||||||
# Get startup options (override default)
|
|
||||||
OPTIONS=
|
|
||||||
|
|
||||||
LOCKFILE=/var/lock/subsys/shorewall-init
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
|
||||||
if [ -f "/etc/sysconfig/shorewall-init" ]; then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
if [ -z "$PRODUCTS" ]; then
|
|
||||||
echo "No PRODUCTS configured"
|
|
||||||
exit 6
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "/etc/sysconfig/shorewall-init not found"
|
|
||||||
exit 6
|
|
||||||
fi
|
|
||||||
|
|
||||||
RETVAL=0
|
|
||||||
|
|
||||||
# set the STATEDIR variable
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
start() {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
|
|
||||||
RETVAL=$?
|
|
||||||
else
|
|
||||||
RETVAL=6
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
|
|
||||||
return $RETVAL
|
|
||||||
}
|
|
||||||
|
|
||||||
stop() {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
|
|
||||||
RETVAL=$?
|
|
||||||
else
|
|
||||||
RETVAL=6
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
|
|
||||||
return $RETVAL
|
|
||||||
}
|
|
||||||
|
|
||||||
# See how we were called.
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
start
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
stop
|
|
||||||
;;
|
|
||||||
restart|reload|condrestart|condreload)
|
|
||||||
# "Not implemented"
|
|
||||||
;;
|
|
||||||
condstop)
|
|
||||||
if [ -e "$LOCKFILE" ]; then
|
|
||||||
stop
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
status)
|
|
||||||
status "$PROG"
|
|
||||||
RETVAL=$?
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo $"Usage: ${0##*/} {start|stop|restart|reload|condrestart|condstop|status}"
|
|
||||||
RETVAL=1
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit $RETVAL
|
|
@ -1,14 +1,14 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
|
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||||
#
|
#
|
||||||
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
|
# (c) 2010 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||||
#
|
#
|
||||||
# Complete documentation is available at https://shorewall.org
|
# Complete documentation is available at http://shorewall.net
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
@ -30,14 +30,12 @@
|
|||||||
# Required-Stop: $local_fs
|
# Required-Stop: $local_fs
|
||||||
# X-Stop-After: $network
|
# X-Stop-After: $network
|
||||||
# Default-Start: S
|
# Default-Start: S
|
||||||
# Default-Stop: 0 1 6
|
# Default-Stop: 0 6
|
||||||
# Short-Description: Initialize the firewall at boot time
|
# Short-Description: Initialize the firewall at boot time
|
||||||
# Description: Place the firewall in a safe state at boot time prior to
|
# Description: Place the firewall in a safe state at boot time prior to
|
||||||
# bringing up the network
|
# bringing up the network
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
|
|
||||||
. /lib/lsb/init-functions
|
|
||||||
|
|
||||||
export VERBOSITY=0
|
export VERBOSITY=0
|
||||||
|
|
||||||
if [ "$(id -u)" != "0" ]
|
if [ "$(id -u)" != "0" ]
|
||||||
@ -52,122 +50,82 @@ echo_notdone () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
not_configured () {
|
not_configured () {
|
||||||
echo "#### WARNING ####"
|
echo "#### WARNING ####"
|
||||||
echo "the firewall won't be initialized unless it is configured"
|
echo "the firewall won't be initialized unless it is configured"
|
||||||
if [ "$1" != "stop" ]
|
if [ "$1" != "stop" ]
|
||||||
then
|
then
|
||||||
echo ""
|
echo ""
|
||||||
echo "Please read about Debian specific customization in"
|
echo "Please read about Debian specific customization in"
|
||||||
echo "/usr/share/doc/shorewall-init/README.Debian.gz."
|
echo "/usr/share/doc/shorewall-init/README.Debian.gz."
|
||||||
fi
|
fi
|
||||||
echo "#################"
|
echo "#################"
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# set the STATEDIR variable
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
else
|
|
||||||
if [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
# check if shorewall-init is configured or not
|
||||||
if [ -f "$SYSCONFDIR/shorewall-init" ]
|
if [ -f "/etc/default/shorewall-init" ]
|
||||||
then
|
then
|
||||||
. $SYSCONFDIR/shorewall-init
|
. /etc/default/shorewall-init
|
||||||
if [ -z "$PRODUCTS" ]
|
if [ -z "$PRODUCTS" ]
|
||||||
then
|
then
|
||||||
not_configured
|
not_configured
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
not_configured
|
not_configured
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Initialize the firewall
|
# Initialize the firewall
|
||||||
shorewall_start () {
|
shorewall_start () {
|
||||||
local PRODUCT
|
local product
|
||||||
local STATEDIR
|
local VARDIR
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
echo -n "Initializing \"Shorewall-based firewalls\": "
|
||||||
|
for product in $PRODUCTS; do
|
||||||
for PRODUCT in $PRODUCTS; do
|
VARDIR=/var/lib/$product
|
||||||
if setstatedir; then
|
[ -f /etc/$product/vardir ] && . /etc/$product/vardir
|
||||||
#
|
if [ -x ${VARDIR}/firewall ]; then
|
||||||
|
#
|
||||||
# Run in a sub-shell to avoid name collisions
|
# Run in a sub-shell to avoid name collisions
|
||||||
#
|
#
|
||||||
(
|
(
|
||||||
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
|
. /usr/share/$product/lib.base
|
||||||
${STATEDIR}/firewall ${OPTIONS} stop
|
#
|
||||||
|
# Get mutex so the firewall state is stable
|
||||||
|
#
|
||||||
|
mutex_on
|
||||||
|
if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
|
||||||
|
${VARDIR}/firewall stop || echo_notdone
|
||||||
fi
|
fi
|
||||||
|
mutex_off
|
||||||
)
|
)
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
echo "done."
|
echo "done."
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
|
|
||||||
printf "Restoring ipsets: "
|
|
||||||
|
|
||||||
if ! ipset -R < "$SAVE_IPSETS"; then
|
|
||||||
echo_notdone
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "done."
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# Clear the firewall
|
# Clear the firewall
|
||||||
shorewall_stop () {
|
shorewall_stop () {
|
||||||
local PRODUCT
|
local product
|
||||||
local STATEDIR
|
local VARDIR
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
echo -n "Clearing \"Shorewall-based firewalls\": "
|
||||||
for PRODUCT in $PRODUCTS; do
|
for product in $PRODUCTS; do
|
||||||
if setstatedir; then
|
VARDIR=/var/lib/$product
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear
|
[ -f /etc/$product/vardir ] && . /etc/$product/vardir
|
||||||
|
if [ -x ${VARDIR}/firewall ]; then
|
||||||
|
( . /usr/share/$product/lib.base
|
||||||
|
mutex_on
|
||||||
|
${VARDIR}/firewall clear || echo_notdone
|
||||||
|
mutex_off
|
||||||
|
)
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
echo "done."
|
echo "done."
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
|
|
||||||
echo "Saving ipsets: "
|
|
||||||
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
echo_notdone
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "done."
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -181,7 +139,7 @@ case "$1" in
|
|||||||
reload|force-reload)
|
reload|force-reload)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo "Usage: $0 {start|stop|reload|force-reload}"
|
echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
|
||||||
exit 1
|
exit 1
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
@ -1,164 +0,0 @@
|
|||||||
#! /bin/bash
|
|
||||||
#
|
|
||||||
# chkconfig: - 09 91
|
|
||||||
# description: Initialize the shorewall firewall at boot time
|
|
||||||
#
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: shorewall-init
|
|
||||||
# Required-Start: $local_fs
|
|
||||||
# Required-Stop: $local_fs
|
|
||||||
# Default-Start:
|
|
||||||
# Default-Stop: 0 1 2 3 4 5 6
|
|
||||||
# Short-Description: Initialize the shorewall firewall at boot time
|
|
||||||
# Description: Place the firewall in a safe state at boot time
|
|
||||||
# prior to bringing up the network.
|
|
||||||
### END INIT INFO
|
|
||||||
#determine where the files were installed
|
|
||||||
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
prog="shorewall-init"
|
|
||||||
logger="logger -i -t $prog"
|
|
||||||
lockfile="/var/lock/subsys/shorewall-init"
|
|
||||||
|
|
||||||
# Source function library.
|
|
||||||
. /etc/rc.d/init.d/functions
|
|
||||||
|
|
||||||
# Get startup options (override default)
|
|
||||||
OPTIONS=
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
|
||||||
if [ -f "/etc/sysconfig/shorewall-init" ]; then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
else
|
|
||||||
echo "/etc/sysconfig/shorewall-init not found"
|
|
||||||
exit 6
|
|
||||||
fi
|
|
||||||
|
|
||||||
# set the STATEDIR variable
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize the firewall
|
|
||||||
start () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
if [ -z "$PRODUCTS" ]; then
|
|
||||||
echo "No firewalls configured for shorewall-init"
|
|
||||||
failure
|
|
||||||
return 6 #Not configured
|
|
||||||
fi
|
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
setstatedir
|
|
||||||
retval=$?
|
|
||||||
|
|
||||||
if [ $retval -eq 0 ]; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
|
|
||||||
retval=${PIPESTATUS[0]}
|
|
||||||
[ $retval -ne 0 ] && break
|
|
||||||
else
|
|
||||||
retval=6 #Product not configured
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ $retval -eq 0 ]; then
|
|
||||||
touch $lockfile
|
|
||||||
success
|
|
||||||
else
|
|
||||||
failure
|
|
||||||
fi
|
|
||||||
echo
|
|
||||||
return $retval
|
|
||||||
}
|
|
||||||
|
|
||||||
# Clear the firewall
|
|
||||||
stop () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
setstatedir
|
|
||||||
retval=$?
|
|
||||||
|
|
||||||
if [ $retval -eq 0 ]; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
|
|
||||||
retval=${PIPESTATUS[0]}
|
|
||||||
[ $retval -ne 0 ] && break
|
|
||||||
else
|
|
||||||
retval=6 #Product not configured
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ $retval -eq 0 ]; then
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f $lockfile
|
|
||||||
success
|
|
||||||
else
|
|
||||||
failure
|
|
||||||
fi
|
|
||||||
echo
|
|
||||||
return $retval
|
|
||||||
}
|
|
||||||
|
|
||||||
status_q() {
|
|
||||||
status > /dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
status_q && exit 0
|
|
||||||
$1
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
status_q || exit 0
|
|
||||||
$1
|
|
||||||
;;
|
|
||||||
restart|reload|force-reload|condrestart|try-restart)
|
|
||||||
echo "Not implemented"
|
|
||||||
exit 3
|
|
||||||
;;
|
|
||||||
status)
|
|
||||||
status $prog
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: $0 {start|stop|status}"
|
|
||||||
exit 1
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit 0
|
|
@ -1,137 +0,0 @@
|
|||||||
#!/bin/sh /etc/rc.common
|
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
|
|
||||||
#
|
|
||||||
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
# (c) 2016 - Matt Darfeuille (matdarf@gmail.com)
|
|
||||||
#
|
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall-init.
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by the
|
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
|
||||||
# option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
|
|
||||||
# arg1 of init script is arg2 when rc.common is sourced
|
|
||||||
|
|
||||||
case "$action" in
|
|
||||||
start|stop|boot)
|
|
||||||
if [ "$(id -u)" != "0" ]
|
|
||||||
then
|
|
||||||
echo "You must be root to start, stop or restart \"Shorewall \"."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
|
||||||
if [ -f "/etc/sysconfig/shorewall-init" ]
|
|
||||||
then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
if [ -z "$PRODUCTS" ]
|
|
||||||
then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
;;
|
|
||||||
enable|disable|enabled)
|
|
||||||
# Openwrt related
|
|
||||||
# start and stop runlevel variable
|
|
||||||
START=19
|
|
||||||
STOP=91
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: /etc/init.d/shorewall-init {start|stop}"
|
|
||||||
exit 1
|
|
||||||
esac
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
# Locate the current PRODUCT's statedir
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . ${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize the firewall
|
|
||||||
start () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} stop
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
boot () {
|
|
||||||
start
|
|
||||||
}
|
|
||||||
|
|
||||||
# Clear the firewall
|
|
||||||
stop () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
@ -1,24 +1,22 @@
|
|||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
|
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
|
||||||
#
|
#
|
||||||
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||||
|
#
|
||||||
|
# (c) 2010 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
# On most distributions, this file should be called /etc/init.d/shorewall.
|
||||||
#
|
#
|
||||||
# This program is part of Shorewall.
|
# Complete documentation is available at http://shorewall.net
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by the
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
# as published by the Free Software Foundation.
|
||||||
# option, any later version.
|
|
||||||
#
|
#
|
||||||
# This program is distributed in the hope that it will be useful,
|
# This program is distributed in the hope that it will be useful,
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
# GNU General Public License for more details.
|
# GNU General Public License for more details.
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
#
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
@ -31,7 +29,7 @@
|
|||||||
# Required-start: $local_fs
|
# Required-start: $local_fs
|
||||||
# Required-stop: $local_fs
|
# Required-stop: $local_fs
|
||||||
# Default-Start: 2 3 5
|
# Default-Start: 2 3 5
|
||||||
# Default-Stop: 6
|
# Default-Stop:
|
||||||
# Short-Description: Initialize the firewall at boot time
|
# Short-Description: Initialize the firewall at boot time
|
||||||
# Description: Place the firewall in a safe state at boot time
|
# Description: Place the firewall in a safe state at boot time
|
||||||
# prior to bringing up the network.
|
# prior to bringing up the network.
|
||||||
@ -55,71 +53,39 @@ else
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
# Locate the current PRODUCT's statedir
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
|
|
||||||
else
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize the firewall
|
# Initialize the firewall
|
||||||
shorewall_start () {
|
shorewall_start () {
|
||||||
local PRODUCT
|
local PRODUCT
|
||||||
local STATEDIR
|
local VARDIR
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
echo -n "Initializing \"Shorewall-based firewalls\": "
|
||||||
for PRODUCT in $PRODUCTS; do
|
for PRODUCT in $PRODUCTS; do
|
||||||
if setstatedir; then
|
VARDIR=/var/lib/$PRODUCT
|
||||||
if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
|
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
|
||||||
${STATEDIR}/firewall ${OPTIONS} stop
|
if [ -x ${VARDIR}/firewall ]; then
|
||||||
|
if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
|
||||||
|
${VARDIR}/firewall stop || echo_notdone
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# Clear the firewall
|
# Clear the firewall
|
||||||
shorewall_stop () {
|
shorewall_stop () {
|
||||||
local PRODUCT
|
local PRODUCT
|
||||||
local STATEDIR
|
local VARDIR
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
echo -n "Clearing \"Shorewall-based firewalls\": "
|
||||||
for PRODUCT in $PRODUCTS; do
|
for PRODUCT in $PRODUCTS; do
|
||||||
if setstatedir; then
|
VARDIR=/var/lib/$PRODUCT
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear
|
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
|
||||||
|
if [ -x ${VARDIR}/firewall ]; then
|
||||||
|
${VARDIR}/firewall clear || exit 1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,149 +0,0 @@
|
|||||||
#! /bin/bash
|
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
||||||
#
|
|
||||||
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: shorewall-init
|
|
||||||
# Required-Start: $local_fs
|
|
||||||
# Required-Stop: $local_fs
|
|
||||||
# Default-Start: 2 3 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Short-Description: Initialize the firewall at boot time
|
|
||||||
# Description: Place the firewall in a safe state at boot time
|
|
||||||
# prior to bringing up the network.
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
#Return values acc. to LSB for all commands but status:
|
|
||||||
# 0 - success
|
|
||||||
# 1 - generic or unspecified error
|
|
||||||
# 2 - invalid or excess argument(s)
|
|
||||||
# 3 - unimplemented feature
|
|
||||||
# 4 - insufficient privilege
|
|
||||||
# 5 - program is not installed
|
|
||||||
# 6 - program is not configured
|
|
||||||
# 7 - program is not running
|
|
||||||
|
|
||||||
if [ "$(id -u)" != "0" ]
|
|
||||||
then
|
|
||||||
echo "You must be root to start, stop or restart \"Shorewall \"."
|
|
||||||
exit 4
|
|
||||||
fi
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
|
||||||
if [ -f "/etc/sysconfig/shorewall-init" ]
|
|
||||||
then
|
|
||||||
. /etc/sysconfig/shorewall-init
|
|
||||||
|
|
||||||
if [ -z "$PRODUCTS" ]
|
|
||||||
then
|
|
||||||
echo "No PRODUCTS configured"
|
|
||||||
exit 6
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "/etc/sysconfig/shorewall-init not found"
|
|
||||||
exit 6
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
|
||||||
# The installer may alter this
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
# set the STATEDIR variable
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
else
|
|
||||||
return 6
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize the firewall
|
|
||||||
shorewall_start () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
|
|
||||||
$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Clear the firewall
|
|
||||||
shorewall_stop () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
shorewall_start
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
shorewall_stop
|
|
||||||
;;
|
|
||||||
reload|forced-reload)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: /etc/init.d/shorewall-init {start|stop}"
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit 0
|
|
@ -2,586 +2,359 @@
|
|||||||
#
|
#
|
||||||
# Script to install Shoreline Firewall Init
|
# Script to install Shoreline Firewall Init
|
||||||
#
|
#
|
||||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||||
|
#
|
||||||
|
# (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
|
||||||
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
|
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
|
||||||
#
|
#
|
||||||
# Shorewall documentation is available at https://shorewall.org
|
# Shorewall documentation is available at http://shorewall.net
|
||||||
#
|
#
|
||||||
# This program is part of Shorewall.
|
# This program is free software; you can redistribute it and/or modify
|
||||||
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
|
# as published by the Free Software Foundation.
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is distributed in the hope that it will be useful,
|
||||||
# it under the terms of the GNU General Public License as published by the
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
# Free Software Foundation, either version 2 of the license or, at your
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
# option, any later version.
|
# GNU General Public License for more details.
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
#
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=xxx # The Build script inserts the actual version
|
VERSION=4.4.16.1
|
||||||
PRODUCT=shorewall-init
|
|
||||||
Product="Shorewall Init"
|
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
ME=$(basename $0)
|
ME=$(basename $0)
|
||||||
echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
|
echo "usage: $ME"
|
||||||
echo "where <option> is one of"
|
echo " $ME -v"
|
||||||
echo " -h"
|
echo " $ME -h"
|
||||||
echo " -v"
|
|
||||||
echo " -n"
|
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
split() {
|
||||||
|
local ifs
|
||||||
|
ifs=$IFS
|
||||||
|
IFS=:
|
||||||
|
set -- $1
|
||||||
|
echo $*
|
||||||
|
IFS=$ifs
|
||||||
|
}
|
||||||
|
|
||||||
|
qt()
|
||||||
|
{
|
||||||
|
"$@" >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
mywhich() {
|
||||||
|
local dir
|
||||||
|
|
||||||
|
for dir in $(split $PATH); do
|
||||||
|
if [ -x $dir/$1 ]; then
|
||||||
|
echo $dir/$1
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
return 2
|
||||||
|
}
|
||||||
|
|
||||||
|
run_install()
|
||||||
|
{
|
||||||
|
if ! install $*; then
|
||||||
|
echo
|
||||||
|
echo "ERROR: Failed to install $*" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
cant_autostart()
|
||||||
|
{
|
||||||
|
echo
|
||||||
|
echo "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
|
||||||
|
}
|
||||||
|
|
||||||
|
delete_file() # $1 = file to delete
|
||||||
|
{
|
||||||
|
rm -f $1
|
||||||
|
}
|
||||||
|
|
||||||
install_file() # $1 = source $2 = target $3 = mode
|
install_file() # $1 = source $2 = target $3 = mode
|
||||||
{
|
{
|
||||||
if cp -f $1 $2; then
|
run_install $T $OWNERSHIP -m $3 $1 ${2}
|
||||||
if chmod $3 $2; then
|
|
||||||
if [ -n "$OWNER" ]; then
|
|
||||||
if chown $OWNER:$GROUP $2; then
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "ERROR: Failed to install $2" >&2
|
|
||||||
exit 1
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Parse the run line
|
||||||
|
#
|
||||||
|
# DEST is the SysVInit script directory
|
||||||
|
# INIT is the name of the script in the $DEST directory
|
||||||
|
# ARGS is "yes" if we've already parsed an argument
|
||||||
|
#
|
||||||
|
ARGS=""
|
||||||
|
|
||||||
|
if [ -z "$DEST" ] ; then
|
||||||
|
DEST="/etc/init.d"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$INIT" ] ; then
|
||||||
|
INIT="shorewall-init"
|
||||||
|
fi
|
||||||
|
|
||||||
|
while [ $# -gt 0 ] ; do
|
||||||
|
case "$1" in
|
||||||
|
-h|help|?)
|
||||||
|
usage 0
|
||||||
|
;;
|
||||||
|
-v)
|
||||||
|
echo "Shorewall Init Installer Version $VERSION"
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
ARGS="yes"
|
||||||
|
done
|
||||||
|
|
||||||
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
#
|
||||||
|
# Determine where to install the firewall script
|
||||||
|
#
|
||||||
|
|
||||||
|
case $(uname) in
|
||||||
|
Darwin)
|
||||||
|
[ -z "$OWNER" ] && OWNER=root
|
||||||
|
[ -z "$GROUP" ] && GROUP=wheel
|
||||||
|
T=
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
[ -z "$OWNER" ] && OWNER=root
|
||||||
|
[ -z "$GROUP" ] && GROUP=root
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
OWNERSHIP="-o $OWNER -g $GROUP"
|
||||||
|
|
||||||
|
if [ -n "$DESTDIR" ]; then
|
||||||
|
if [ `id -u` != 0 ] ; then
|
||||||
|
echo "Not setting file owner/group permissions, not running as root."
|
||||||
|
OWNERSHIP=""
|
||||||
|
fi
|
||||||
|
|
||||||
|
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
|
||||||
|
elif [ -f /etc/debian_version ]; then
|
||||||
|
DEBIAN=yes
|
||||||
|
elif [ -f /etc/SuSE-release ]; then
|
||||||
|
SUSE=Yes
|
||||||
|
elif [ -f /etc/slackware-version ] ; then
|
||||||
|
echo "Shorewall-init is currently not supported on Slackware" >&2
|
||||||
|
exit 1
|
||||||
|
# DEST="/etc/rc.d"
|
||||||
|
# INIT="rc.firewall"
|
||||||
|
elif [ -f /etc/arch-release ] ; then
|
||||||
|
echo "Shorewall-init is currently not supported on Arch Linux" >&2
|
||||||
|
exit 1
|
||||||
|
# DEST="/etc/rc.d"
|
||||||
|
# INIT="shorewall-init"
|
||||||
|
# ARCHLINUX=yes
|
||||||
|
elif [ -d /etc/sysconfig/network-scripts/ ]; then
|
||||||
|
#
|
||||||
|
# Assume RedHat-based
|
||||||
|
#
|
||||||
|
REDHAT=Yes
|
||||||
|
else
|
||||||
|
echo "Unknown distribution: Shorewall-init support is not available" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Change to the directory containing this script
|
# Change to the directory containing this script
|
||||||
#
|
#
|
||||||
cd "$(dirname $0)"
|
cd "$(dirname $0)"
|
||||||
|
|
||||||
#
|
echo "Installing Shorewall Init Version $VERSION"
|
||||||
# Source common functions
|
|
||||||
#
|
|
||||||
. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
|
|
||||||
|
|
||||||
#
|
|
||||||
# Parse the run line
|
|
||||||
#
|
|
||||||
|
|
||||||
finished=0
|
|
||||||
configure=1
|
|
||||||
|
|
||||||
while [ $finished -eq 0 ] ; do
|
|
||||||
option="$1"
|
|
||||||
|
|
||||||
case "$option" in
|
|
||||||
-*)
|
|
||||||
option=${option#-}
|
|
||||||
|
|
||||||
while [ -n "$option" ]; do
|
|
||||||
case $option in
|
|
||||||
h)
|
|
||||||
usage 0
|
|
||||||
;;
|
|
||||||
v)
|
|
||||||
echo "$Product Firewall Installer Version $VERSION"
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
n*)
|
|
||||||
configure=0
|
|
||||||
option=${option#n}
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
usage 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
finished=1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
#
|
|
||||||
# Read the RC file
|
|
||||||
#
|
|
||||||
if [ $# -eq 0 ]; then
|
|
||||||
if [ -f ./shorewallrc ]; then
|
|
||||||
file=./shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
elif [ -f ~/.shorewallrc ]; then
|
|
||||||
file=~/.shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
elif [ -f /usr/share/shorewall/shorewallrc ]; then
|
|
||||||
file=/usr/share/shorewall/shorewallrc
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
else
|
|
||||||
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
|
|
||||||
fi
|
|
||||||
elif [ $# -eq 1 ]; then
|
|
||||||
file=$1
|
|
||||||
case $file in
|
|
||||||
/*|.*)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
file=./$file || exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
. $file || fatal_error "Can not load the RC file: $file"
|
|
||||||
else
|
|
||||||
usage 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "${VARLIB}" ]; then
|
|
||||||
VARLIB=${VARDIR}
|
|
||||||
VARDIR=${VARLIB}/${PRODUCT}
|
|
||||||
elif [ -z "${VARDIR}" ]; then
|
|
||||||
VARDIR=${VARLIB}/${PRODUCT}
|
|
||||||
fi
|
|
||||||
|
|
||||||
for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
|
|
||||||
require $var
|
|
||||||
done
|
|
||||||
|
|
||||||
[ -n "$SANDBOX" ] && configure=0
|
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
||||||
|
|
||||||
[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
|
|
||||||
|
|
||||||
if [ -z "$BUILD" ]; then
|
|
||||||
case $(uname) in
|
|
||||||
cygwin*)
|
|
||||||
BUILD=cygwin
|
|
||||||
;;
|
|
||||||
Darwin)
|
|
||||||
BUILD=apple
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ -f /etc/os-release ]; then
|
|
||||||
ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
|
|
||||||
|
|
||||||
case $ID in
|
|
||||||
fedora|rhel|centos|foobar)
|
|
||||||
BUILD=redhat
|
|
||||||
;;
|
|
||||||
debian|ubuntu)
|
|
||||||
BUILD=debian
|
|
||||||
;;
|
|
||||||
opensuse)
|
|
||||||
BUILD=suse
|
|
||||||
;;
|
|
||||||
alt|basealt|altlinux)
|
|
||||||
BUILD=alt
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
BUILD="$ID"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
elif [ -f /etc/debian_version ]; then
|
|
||||||
BUILD=debian
|
|
||||||
elif [ -f /etc/ubuntu_version ]; then
|
|
||||||
BUILD=debian
|
|
||||||
elif [ -f /etc/gentoo-release ]; then
|
|
||||||
BUILD=gentoo
|
|
||||||
elif [ -f /etc/altlinux-release ]; then
|
|
||||||
BUILD=alt
|
|
||||||
elif [ -f /etc/redhat-release ]; then
|
|
||||||
BUILD=redhat
|
|
||||||
elif [ -f /etc/SuSE-release ]; then
|
|
||||||
BUILD=suse
|
|
||||||
elif [ -f /etc/slackware-version ] ; then
|
|
||||||
BUILD=slackware
|
|
||||||
elif [ -f /etc/arch-release ] ; then
|
|
||||||
BUILD=archlinux
|
|
||||||
elif [ -f ${CONFDIR}/openwrt_release ]; then
|
|
||||||
BUILD=openwrt
|
|
||||||
else
|
|
||||||
BUILD=linux
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
|
|
||||||
case $BUILD in
|
|
||||||
apple)
|
|
||||||
[ -z "$OWNER" ] && OWNER=root
|
|
||||||
[ -z "$GROUP" ] && GROUP=wheel
|
|
||||||
;;
|
|
||||||
cygwin*|CYGWIN*)
|
|
||||||
OWNER=$(id -un)
|
|
||||||
GROUP=$(id -gn)
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ $(id -u) -eq 0 ]; then
|
|
||||||
[ -z "$OWNER" ] && OWNER=root
|
|
||||||
[ -z "$GROUP" ] && GROUP=root
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
|
|
||||||
|
|
||||||
[ -n "$HOST" ] || HOST=$BUILD
|
|
||||||
|
|
||||||
case "$HOST" in
|
|
||||||
debian)
|
|
||||||
echo "Installing Debian-specific configuration..."
|
|
||||||
;;
|
|
||||||
gentoo)
|
|
||||||
echo "Installing Gentoo-specific configuration..."
|
|
||||||
;;
|
|
||||||
redhat)
|
|
||||||
echo "Installing Redhat/Fedora-specific configuration..."
|
|
||||||
;;
|
|
||||||
slackware)
|
|
||||||
echo "Shorewall-init is currently not supported on Slackware" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
archlinux)
|
|
||||||
echo "Shorewall-init is currently not supported on Arch Linux" >&2
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
suse)
|
|
||||||
echo "Installing SuSE-specific configuration..."
|
|
||||||
;;
|
|
||||||
openwrt)
|
|
||||||
echo "Installing Openwrt-specific configuration..."
|
|
||||||
;;
|
|
||||||
alt)
|
|
||||||
echo "Installing ALT-specific configuration...";
|
|
||||||
;;
|
|
||||||
linux)
|
|
||||||
fatal_error "Shorewall-init is not supported on this system"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
fatal_error "Unsupported HOST distribution: \"$HOST\""
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
[ -z "$TARGET" ] && TARGET=$HOST
|
|
||||||
|
|
||||||
if [ -n "$DESTDIR" ]; then
|
|
||||||
if [ $(id -u) != 0 ] ; then
|
|
||||||
echo "Not setting file owner/group permissions, not running as root."
|
|
||||||
OWNERSHIP=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
make_parent_directory ${DESTDIR}${INITDIR} 0755
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Installing $Product Version $VERSION"
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Check for /usr/share/shorewall-init/version
|
# Check for /usr/share/shorewall-init/version
|
||||||
#
|
#
|
||||||
if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
|
if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
|
||||||
first_install=""
|
first_install=""
|
||||||
else
|
else
|
||||||
first_install="Yes"
|
first_install="Yes"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install the Firewall Script
|
# Install the Init Script
|
||||||
#
|
#
|
||||||
if [ -n "$INITFILE" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
make_parent_directory ${DESTDIR}${INITDIR} 0755
|
install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
|
||||||
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
|
#elif [ -n "$ARCHLINUX" ]; then
|
||||||
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
|
# install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||||
|
else
|
||||||
if [ -n "${AUXINITSOURCE}" ]; then
|
install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
|
||||||
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
echo "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
|
||||||
# Install the .service file
|
|
||||||
#
|
|
||||||
if [ -z "${SERVICEDIR}" ]; then
|
|
||||||
SERVICEDIR="$SYSTEMD"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$SERVICEDIR" ]; then
|
|
||||||
make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
|
|
||||||
[ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
|
|
||||||
install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
|
|
||||||
[ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
|
|
||||||
echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
|
|
||||||
[ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
|
|
||||||
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
|
|
||||||
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
|
|
||||||
echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create /usr/share/shorewall-init if needed
|
# Create /usr/share/shorewall-init if needed
|
||||||
#
|
#
|
||||||
make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
|
mkdir -p ${DESTDIR}/usr/share/shorewall-init
|
||||||
|
chmod 755 ${DESTDIR}/usr/share/shorewall-init
|
||||||
#
|
|
||||||
# Install logrotate file
|
|
||||||
#
|
|
||||||
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
|
|
||||||
install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
|
|
||||||
echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
|
|
||||||
fi
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create the version file
|
# Create the version file
|
||||||
#
|
#
|
||||||
echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
|
echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
|
||||||
chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
|
chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
|
||||||
|
|
||||||
#
|
#
|
||||||
# Remove and create the symbolic link to the init script
|
# Remove and create the symbolic link to the init script
|
||||||
#
|
#
|
||||||
if [ -z "$DESTDIR" ]; then
|
if [ -z "$DESTDIR" ]; then
|
||||||
rm -f ${SHAREDIR}/$PRODUCT/init
|
rm -f /usr/share/shorewall-init/init
|
||||||
ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
|
ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $HOST = debian ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
if [ -n "${DESTDIR}" ]; then
|
if [ -n "${DESTDIR}" ]; then
|
||||||
make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
|
mkdir -p ${DESTDIR}/etc/network/if-up.d/
|
||||||
make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
|
mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
|
||||||
elif [ $configure -eq 0 ]; then
|
|
||||||
make_parent_directory ${CONFDIR}/network/if-up.d 0755
|
|
||||||
make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
|
|
||||||
rm -f ${CONFDIR}/network/if-down.d/shorewall
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
|
if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
|
||||||
[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
|
if [ -n "${DESTDIR}" ]; then
|
||||||
|
mkdir ${DESTDIR}/etc/default
|
||||||
|
fi
|
||||||
|
|
||||||
[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
|
install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
|
||||||
install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
|
|
||||||
echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
IFUPDOWN=ifupdown.debian.sh
|
|
||||||
else
|
else
|
||||||
if [ -n "$DESTDIR" ]; then
|
if [ -n "$DESTDIR" ]; then
|
||||||
make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
|
mkdir -p ${DESTDIR}/etc/sysconfig
|
||||||
|
|
||||||
if [ -z "$RPM" ]; then
|
if [ -z "$RPM" ]; then
|
||||||
if [ $HOST = suse ]; then
|
if [ -n "$SUSE" ]; then
|
||||||
make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
|
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
|
||||||
make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
|
mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
|
||||||
elif [ $HOST = gentoo ]; then
|
else
|
||||||
# Gentoo does not support if-{up,down}.d
|
mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
|
||||||
/bin/true
|
|
||||||
elif [ $HOST = openwrt ]; then
|
|
||||||
# Not implemented on OpenWRT
|
|
||||||
/bin/true
|
|
||||||
elif [ "$HOST" != debian ]; then
|
|
||||||
make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
|
if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
|
||||||
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
|
install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
|
||||||
echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
[ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install the ifupdown script
|
# Install the ifupdown script
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ $HOST != openwrt ]; then
|
mkdir -p ${DESTDIR}/usr/share/shorewall-init
|
||||||
cp $IFUPDOWN ifupdown
|
|
||||||
|
|
||||||
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
|
install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
|
||||||
|
|
||||||
make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
|
|
||||||
|
|
||||||
install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
||||||
if [ "$HOST" = debian ]; then
|
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
|
||||||
rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
|
fi
|
||||||
|
|
||||||
|
if [ -n "$DEBIAN" ]; then
|
||||||
|
install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
|
||||||
|
install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
|
||||||
|
elif [ -n "$SUSE" ]; then
|
||||||
|
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
|
||||||
|
install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
|
||||||
|
elif [ -n "$REDHAT" ]; then
|
||||||
|
if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
|
||||||
|
echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
|
||||||
else
|
else
|
||||||
[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
|
install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
|
||||||
install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
|
install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case $HOST in
|
|
||||||
debian)
|
|
||||||
if [ $configure -eq 1 ]; then
|
|
||||||
install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
|
|
||||||
install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
|
|
||||||
rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
|
|
||||||
else
|
|
||||||
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
|
|
||||||
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
suse)
|
|
||||||
if [ -z "$RPM" ]; then
|
|
||||||
if [ $configure -eq 0 ]; then
|
|
||||||
make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
|
|
||||||
make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
|
|
||||||
fi
|
|
||||||
|
|
||||||
install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
|
|
||||||
install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
redhat)
|
|
||||||
if [ -z "$DESTDIR" ]; then
|
|
||||||
install_local=
|
|
||||||
|
|
||||||
if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
|
|
||||||
if ! grep -qF Shorewall-based ${SBINDIR}/ifup-local || ! grep -qF Shorewall-based ${SBINDIR}/ifdown-local; then
|
|
||||||
echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
|
|
||||||
else
|
|
||||||
install_local=Yes
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
install_local=Yes
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$install_local" ]; then
|
|
||||||
install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
|
|
||||||
install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
if [ -z "$DESTDIR" ]; then
|
if [ -z "$DESTDIR" ]; then
|
||||||
if [ $configure -eq 1 -a -n "first_install" ]; then
|
if [ -n "$first_install" ]; then
|
||||||
if [ $HOST = debian ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
if [ -n "$SERVICEDIR" ]; then
|
|
||||||
if systemctl enable ${PRODUCT}.service; then
|
update-rc.d shorewall-init defaults
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
fi
|
echo "Shorewall Init will start automatically at boot"
|
||||||
elif mywhich insserv; then
|
|
||||||
if insserv ${INITDIR}/$PRODUCT; then
|
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
else
|
|
||||||
cant_autostart
|
|
||||||
fi
|
|
||||||
elif mywhich update-rc.d ; then
|
|
||||||
if update-rc.d $PRODUCT enable; then
|
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
|
|
||||||
else
|
|
||||||
cant_autostart
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
cant_autostart
|
|
||||||
fi
|
|
||||||
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
|
|
||||||
/etc/init.d/$PRODUCT enable
|
|
||||||
if /etc/init.d/$PRODUCT enabled; then
|
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
else
|
|
||||||
cant_autostart
|
|
||||||
fi
|
|
||||||
elif [ $HOST = gentoo ]; then
|
|
||||||
# On Gentoo, a service must be enabled manually by the user,
|
|
||||||
# not by the installer
|
|
||||||
/bin/true
|
|
||||||
else
|
else
|
||||||
if [ -n "$SERVICEDIR" ]; then
|
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
|
||||||
if systemctl enable ${PRODUCT}.service; then
|
if insserv /etc/init.d/shorewall-init ; then
|
||||||
echo "$Product will start automatically at boot"
|
echo "Shorewall Init will start automatically at boot"
|
||||||
fi
|
|
||||||
elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
|
|
||||||
if insserv ${INITDIR}/$PRODUCT ; then
|
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
|
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
|
||||||
if chkconfig --add $PRODUCT ; then
|
if chkconfig --add shorewall-init ; then
|
||||||
echo "$Product will start automatically at boot"
|
echo "Shorewall Init will start automatically in run levels as follows:"
|
||||||
chkconfig --list $PRODUCT
|
chkconfig --list shorewall-init
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
elif [ -x ${SBINDIR}/rc-update ]; then
|
elif [ -x /sbin/rc-update ]; then
|
||||||
if rc-update add $PRODUCT default; then
|
if rc-update add shorewall-init default; then
|
||||||
echo "$Product will start automatically at boot"
|
echo "Shorewall Init will start automatically at boot"
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
|
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||||
/etc/init.d/$PRODUCT enable
|
|
||||||
if /etc/init.d/$PRODUCT enabled; then
|
|
||||||
echo "$Product will start automatically at boot"
|
|
||||||
else
|
|
||||||
cant_autostart
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ $configure -eq 1 -a -n "$first_install" ]; then
|
if [ -n "$first_install" ]; then
|
||||||
if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
|
if [ -n "$DEBIAN" ]; then
|
||||||
if [ -n "${DESTDIR}" ]; then
|
if [ -n "${DESTDIR}" ]; then
|
||||||
make_parent_directory ${DESTDIR}/etc/rcS.d 0755
|
mkdir -p ${DESTDIR}/etc/rcS.d
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
|
ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
|
||||||
echo "$Product will start automatically at boot"
|
echo "Shorewall Init will start automatically at boot"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
|
if [ -f ${DESTDIR}/etc/ppp ]; then
|
||||||
|
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
|
||||||
if [ -d ${DESTDIR}/etc/ppp ]; then
|
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||||
case $HOST in
|
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
||||||
debian|suse)
|
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
done
|
||||||
make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
|
elif [ -n "$REDHAT" ]; then
|
||||||
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
|
#
|
||||||
done
|
# Must use the dreaded ip_xxx.local file
|
||||||
;;
|
#
|
||||||
redhat)
|
for file in ip-up.local ip-down.local; do
|
||||||
#
|
FILE=${DESTDIR}/etc/ppp/$file
|
||||||
# Must use the dreaded ip_xxx.local file
|
if [ -f $FILE ]; then
|
||||||
#
|
if fgrep -q Shorewall-based $FILE ; then
|
||||||
for file in ip-up.local ip-down.local; do
|
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
||||||
FILE=${DESTDIR}/etc/ppp/$file
|
|
||||||
if [ -f $FILE ]; then
|
|
||||||
if grep -qF Shorewall-based $FILE ; then
|
|
||||||
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
|
|
||||||
else
|
|
||||||
echo "$FILE already exists -- ppp devices will not be handled"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
|
echo "$FILE already exists -- ppp devices will not be handled"
|
||||||
|
break
|
||||||
fi
|
fi
|
||||||
done
|
else
|
||||||
;;
|
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
||||||
esac
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
# Report Success
|
# Report Success
|
||||||
#
|
#
|
||||||
echo "shorewall Init Version $VERSION Installed"
|
echo "shorewall Init Version $VERSION Installed"
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
/var/log/shorewall-ifupdown.log {
|
|
||||||
missingok
|
|
||||||
notifempty
|
|
||||||
create 0600 root root
|
|
||||||
}
|
|
@ -1,136 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
|
|
||||||
#
|
|
||||||
# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# On most distributions, this file should be called
|
|
||||||
# /etc/init.d/shorewall.
|
|
||||||
#
|
|
||||||
# Complete documentation is available at https://shorewall.org
|
|
||||||
#
|
|
||||||
# This program is part of Shorewall.
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 2 of the license or,
|
|
||||||
# at your option, any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
# set the STATEDIR variable
|
|
||||||
|
|
||||||
setstatedir() {
|
|
||||||
local statedir
|
|
||||||
if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
|
|
||||||
statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
|
|
||||||
|
|
||||||
if [ -x ${STATEDIR}/firewall ]; then
|
|
||||||
return 0
|
|
||||||
elif [ $PRODUCT = shorewall ]; then
|
|
||||||
${SBINDIR}/shorewall compile
|
|
||||||
elif [ $PRODUCT = shorewall6 ]; then
|
|
||||||
${SBINDIR}/shorewall -6 compile
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize the firewalls
|
|
||||||
|
|
||||||
shorewall_init_start () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Initializing \"Shorewall-based firewalls\": "
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
|
|
||||||
ipset -R < "$SAVE_IPSETS"
|
|
||||||
fi
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
#
|
|
||||||
# Run in a sub-shell to avoid name collisions
|
|
||||||
#
|
|
||||||
(
|
|
||||||
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} stop
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
# Clear the firewalls
|
|
||||||
|
|
||||||
shorewall_init_stop () {
|
|
||||||
local PRODUCT
|
|
||||||
local STATEDIR
|
|
||||||
|
|
||||||
printf "Clearing \"Shorewall-based firewalls\": "
|
|
||||||
|
|
||||||
for PRODUCT in $PRODUCTS; do
|
|
||||||
if setstatedir; then
|
|
||||||
#
|
|
||||||
# Run in sub-shell to avoid name collisions
|
|
||||||
#
|
|
||||||
(
|
|
||||||
if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
|
|
||||||
${STATEDIR}/firewall ${OPTIONS} clear
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ -n "$SAVE_IPSETS" ]; then
|
|
||||||
mkdir -p $(dirname "$SAVE_IPSETS")
|
|
||||||
if ipset -S > "${SAVE_IPSETS}.tmp"; then
|
|
||||||
grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
else
|
|
||||||
rm -f "${SAVE_IPSETS}.tmp"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# This is modified by the installer when ${SHAREDIR} <> /usr/share
|
|
||||||
#
|
|
||||||
. /usr/share/shorewall/shorewallrc
|
|
||||||
|
|
||||||
# check if shorewall-init is configured or not
|
|
||||||
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
|
|
||||||
. $SYSCONFDIR/shorewall-init
|
|
||||||
if [ -z "$PRODUCTS" ]; then
|
|
||||||
echo "ERROR: No products configured" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
shorewall_init_start
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
shorewall_init_stop
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: $0 {start|stop}"
|
|
||||||
exit 1
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit 0
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user