shorewall6-lite-5.1.12.2/���������������������������������������������������������������������������0000775�0000000�0000000�00000000000�13243350236�013462� 5����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/lib.uninstaller������������������������������������������������������������0000664�0000000�0000000�00000004414�13243350236�016515� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
#
# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see '
7) Implement 'section' action option
8) Embed BLACKLIST macro logic into the BLACKLIST action.
Changes in 5.1.1 Beta 2
1) Update release documents.
2) Replace USE_DEFAULT_RT=Exact with BALANCE_PROVIDERS=No.
3) Handle optional interfaces correctly in process_a_provider().
Changes in 5.1.1 Beta 1
1) Update release documents.
2) Catch routefilter/provider conflicts.
3) Set 'logmartians' along with 'routefilter'.
4) Implement USE_DEFAULT_RT=Exact.
Changes in 5.1.0.1
1) Update release documents.
2) Correct Shorewall6-lite .service file
3) Propagate PAGER setting to -lite systems.
Changes in 5.1.0 Final
1) Update release documents.
2) Ignore SUBSYSLOCK when $SERVICEDIR is non-empty
3) Correct splitting of IP(6)TABLES options.
4) Allow compact IPv6 addresses in IP6TABLES() parameters.
Changes in 5.1.0 RC 2
1) Update release documents.
2) Eliminate use of 'echo' escape sequences
3) Update kernel module files
Changes in 5.1.0 RC 1
1) Update release documents.
2) Move the action files into their own directory.
3) Add the 'show ipsec' command.
4) Remove rawpost support.
5) Add Stateful IPv6 netmapping
Changes in 5.1.0 Beta 2
1) Update release documents.
2) Fatal error on empty action file and presense of a file with
the same name as the action.
3) Use 'ip xfrm' to dump SPD and SAD
4) Create CLI symlinks
5) Correct intra-zone processing in policies.
Changes in 5.1.0 Beta 1
1) Update release documents.
2) Unify the CLI
3) Extend SOURCE/DEST syntax in the rules files
4) Remove CHAIN_SCRIPT support.
5) Avoid needless duplicate action chains.
6) Implement support for NFQUEUE CPU Fanout.
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/logrotate������������������������������������������������������������������0000664�0000000�0000000�00000000127�13243347103�015404� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������/var/log/shorewall6-lite-init.log {
missingok
notifempty
create 0600 root root
}
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.apple����������������������������������������������������������0000664�0000000�0000000�00000002377�13243350236�017043� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Apple OS X Shorewall 5.0 rc file
#
BUILD=apple
HOST=apple
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Unused on OS X
INITFILE= #Unused on OS X
INITSOURCE= #Unused on OS X
ANNOTATED= #Unused on OS X
SERVICEDIR= #Unused on OS X
SERVICEFILE= #Unused on OS X
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/init.suse.sh���������������������������������������������������������������0000664�0000000�0000000�00000005536�13243347103�015747� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall6-lite start Starts the firewall
# shorewall6-lite restart Restarts the firewall
# shorewall6-lite reload Reload the firewall
# (same as restart)
# shorewall6-lite stop Stops the firewall
# shorewall6-lite status Displays firewall status
#
### BEGIN INIT INFO
# Provides: shorewall6-lite
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $network $remote_fs
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
# Short-Description: Packet filtering firewall
### END INIT INFO
################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|reload|restart|status"
exit 1
}
################################################################################
# Get startup options (override default)
################################################################################
OPTIONS=
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
export SHOREWALL_INIT_SCRIPT=1
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"
case "$command" in
start)
exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS
;;
restart|reload)
exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS
;;
status|stop)
exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@
;;
*)
usage
;;
esac
������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/install.sh�����������������������������������������������������������������0000775�0000000�0000000�00000034572�13243350236�015502� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
#
# Script to install Shoreline Firewall Lite
#
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see ] [ ]"
echo "where is one of"
echo " -h"
echo " -v"
echo " -n"
exit $1
}
install_file() # $1 = source $2 = target $3 = mode
{
if cp -f $1 $2; then
if chmod $3 $2; then
if [ -n "$OWNER" ]; then
if chown $OWNER:$GROUP $2; then
return
fi
else
return 0
fi
fi
fi
echo "ERROR: Failed to install $2" >&2
exit 1
}
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
if [ -f shorewall-lite.service ]; then
PRODUCT=shorewall-lite
Product="Shorewall Lite"
else
PRODUCT=shorewall6-lite
Product="Shorewall6 Lite"
fi
#
# Source common functions
#
. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
#
# Parse the run line
#
finished=0
configure=1
while [ $finished -eq 0 ] ; do
option=$1
case "$option" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
usage 0
;;
v)
echo "$Product Firewall Installer Version $VERSION"
exit 0
;;
n*)
configure=0
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
#
# Read the RC file
#
if [ $# -eq 0 ]; then
if [ -f ./shorewallrc ]; then
file=./shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
elif [ -f ~/.shorewallrc ]; then
file=~/.shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
elif [ -f /usr/share/shorewall/shorewallrc ]; then
file=/usr/share/shorewall/shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
else
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
fi
elif [ $# -eq 1 ]; then
file=$1
case $file in
/*|.*)
;;
*)
file=./$file || exit 1
;;
esac
. $file || fatal_error "Can not load the RC file: $file"
else
usage 1
fi
if [ -z "${VARLIB}" ]; then
VARLIB=${VARDIR}
VARDIR=${VARLIB}/${PRODUCT}
elif [ -z "${VARDIR}" ]; then
VARDIR=${VARLIB}/${PRODUCT}
fi
for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
require $var
done
[ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
[ -n "$SANDBOX" ] && configure=0
#
# Determine where to install the firewall script
#
cygwin=
if [ -z "$BUILD" ]; then
case $(uname) in
cygwin*|CYGWIN*)
BUILD=cygwin
;;
Darwin)
BUILD=apple
;;
*)
if [ -f /etc/os-release ]; then
eval $(cat /etc/os-release | grep ^ID)
case $ID in
fedora|rhel|centos|foobar)
BUILD=redhat
;;
debian)
BUILD=debian
;;
gentoo)
BUILD=gentoo
;;
opensuse)
BUILD=suse
;;
*)
BUILD="$ID"
;;
esac
elif [ -f ${CONFDIR}/debian_version ]; then
BUILD=debian
elif [ -f /etc/gentoo-release ]; then
BUILD=gentoo
elif [ -f ${CONFDIR}/redhat-release ]; then
BUILD=redhat
elif [ -f ${CONFDIR}/SuSE-release ]; then
BUILD=suse
elif [ -f ${CONFDIR}/slackware-version ] ; then
BUILD=slackware
elif [ -f ${CONFDIR}/arch-release ] ; then
BUILD=archlinux
elif [ -f ${CONFDIR}/openwrt_release ]; then
BUILD=openwrt
else
BUILD=linux
fi
;;
esac
fi
case $BUILD in
cygwin*|CYGWIN*)
OWNER=$(id -un)
GROUP=$(id -gn)
;;
apple)
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=wheel
;;
*)
if [ $(id -u) -eq 0 ]; then
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root
fi
;;
esac
[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
[ -n "$HOST" ] || HOST=$BUILD
case "$HOST" in
cygwin)
echo "$PRODUCT is not supported on Cygwin" >&2
exit 1
;;
apple)
echo "$PRODUCT is not supported on OS X" >&2
exit 1
;;
debian)
echo "Installing Debian-specific configuration..."
;;
gentoo)
echo "Installing Gentoo-specific configuration..."
;;
redhat)
echo "Installing Redhat/Fedora-specific configuration..."
;;
slackware)
echo "Installing Slackware-specific configuration..."
;;
archlinux)
echo "Installing ArchLinux-specific configuration..."
;;
suse)
echo "Installing Suse-specific configuration..."
;;
openwrt)
echo "Installing OpenWRT-specific configuration..."
;;
linux)
;;
*)
fatal_error "ERROR: Unknown HOST \"$HOST\""
;;
esac
[ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"
if [ -n "$DESTDIR" ]; then
if [ `id -u` != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
make_parent_directory ${DESTDIR}${INITDIR} 0755
else
if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
exit 1
fi
fi
echo "Installing $Product Version $VERSION"
#
# Check for ${CONFDIR}/$PRODUCT
#
if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
exit 1
fi
[ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
else
rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
rm -rf ${DESTDIR}${VARDIR}
[ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
fi
#
# Check for ${SHAREDIR}/$PRODUCT/version
#
if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
first_install=""
else
first_install="Yes"
fi
delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
[ -n "${INITFILE}" ] && make_parent_directory ${DESTDIR}${INITDIR} 0755
#
# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
#
make_parent_directory ${DESTDIR}${CONFDIR}/$PRODUCT 0755
make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
make_parent_directory ${DESTDIR}${SBINDIR} 0755
make_parent_directory ${DESTDIR}${VARDIR} 0755
if [ -n "$DESTDIR" ]; then
make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
make_parent_directory ${DESTDIR}${INITDIR} 0755
fi
if [ -n "$INITFILE" ]; then
if [ -f "${INITSOURCE}" ]; then
initfile="${DESTDIR}${INITDIR}/${INITFILE}"
install_file ${INITSOURCE} "$initfile" 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
echo "SysV init script $INITSOURCE installed in $initfile"
fi
fi
#
# Install the .service file
#
if [ -z "${SERVICEDIR}" ]; then
SERVICEDIR="$SYSTEMD"
fi
if [ -n "$SERVICEDIR" ]; then
make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
[ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
[ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
fi
#
# Install the config file
#
if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
fi
if [ $HOST = archlinux ] ; then
sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
elif [ $HOST = gentoo ]; then
# Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
fi
#
# Install the default config path file
#
install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"
#
# Install the libraries
#
for f in lib.* ; do
if [ -f $f ]; then
case $f in
*installer)
;;
*)
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
;;
esac
fi
done
ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
#
# Install Shorecap
#
install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap
echo
echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
#
# Install the Modules files
#
if [ -f modules ]; then
install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
fi
if [ -f helpers ]; then
install_file helpers ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers 0600
echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
fi
for f in modules.*; do
install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
done
#
# Install the Man Pages
#
if [ -d manpages -a -n "$MANDIR" ]; then
cd manpages
make_parent_directory ${DESTDIR}${MANDIR}/man5 0755
for f in *.5; do
gzip -c $f > $f.gz
install_file $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz 0644
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
done
make_parent_directory ${DESTDIR}${MANDIR}/man8 0755
for f in *.8; do
gzip -c $f > $f.gz
install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 0644
echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
done
cd ..
echo "Man Pages Installed"
fi
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
fi
#
# Create the version file
#
echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
#
# Remove and create the symbolic link to the init script
#
if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
rm -f ${SHAREDIR}/$PRODUCT/init
ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
fi
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
#
# Creatae the symbolic link for the CLI
#
ln -sf shorewall ${DESTDIR}${SBINDIR}/${PRODUCT}
#
# Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
#
if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
[ ${DESTDIR} ] && make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
fi
if [ ${SHAREDIR} != /usr/share ]; then
eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
fi
if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
if [ -n "$SERVICEDIR" ]; then
if systemctl enable ${PRODUCT}.service; then
echo "$Product will start automatically at boot"
fi
elif mywhich insserv; then
if insserv ${INITDIR}/${INITFILE} ; then
echo "$PRODUCT will start automatically at boot"
if [ $HOST = debian ]; then
echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
touch /var/log/$PRODUCT-init.log
perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
else
echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
fi
else
cant_autostart
fi
elif mywhich chkconfig; then
if chkconfig --add $PRODUCT ; then
echo "$PRODUCT will start automatically in run levels as follows:"
echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
chkconfig --list $PRODUCT
else
cant_autostart
fi
elif mywhich update-rc.d ; then
echo "$PRODUCT will start automatically at boot"
echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
touch /var/log/$PRODUCT-init.log
perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
update-rc.d $PRODUCT enable
elif mywhich rc-update ; then
if rc-update add $PRODUCT default; then
echo "$PRODUCT will start automatically at boot"
if [ $HOST = debian ]; then
echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
touch /var/log/$PRODUCT-init.log
perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
else
echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
fi
else
cant_autostart
fi
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
/etc/init.d/$PRODUCT enable
if /etc/init.d/$PRODUCT enabled; then
echo "$PRODUCT will start automatically at boot"
else
cant_autostart
fi
elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
cant_autostart
fi
fi
#
# Report Success
#
echo "$Product Version $VERSION Installed"
��������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/sysconfig������������������������������������������������������������������0000664�0000000�0000000�00000000331�13243347103�015405� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Global start/restart/reload/stop options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Reload options
#
RELOADOPTIONS=""
#
# Stop options
#
STOPOPTIONS=""
# EOF
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorecap�������������������������������������������������������������������0000775�0000000�0000000�00000004615�13243347103�015221� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
#
# Shorewall Lite Packet Filtering Firewall Capabilities Detector
#
# (c) 2006,2007,2008,2009,2010, 2014 - Tom Eastep (teastep@shorewall.net)
#
# This file should be placed in /sbin/shorewall.
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see ] [ MODULESDIR= ] shorecap > capabilities
#
# Now move the capabilities file to the compilation system. The file must
# be placed in a directory on the CONFIG_PATH to be used when compiling firewalls
# for the target system.
#
# Default values for the two variables are:
#
# IPTABLES - iptables
# MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
# used during firewall compilation, then the generated firewall program will likewise not
# require Shorewall to be installed.
PRODUCT=shorewall6-lite
#
# This is modified by the installer when ${SHAREDIR} != /usr/share
#
. /usr/share/shorewall/shorewallrc
g_basedir=${SHAREDIR}/shorewall
. ${SHAREDIR}/shorewall/lib.cli
setup_product_environment
. ${SHAREDIR}/shorewall-lite/configpath
[ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
g_tool=$IP6TABLES
VERBOSITY=0
load_kernel_modules No
determine_capabilities
report_capabilities1
�������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/configpath�����������������������������������������������������������������0000664�0000000�0000000�00000000270�13243347103�015525� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Shorewall6 Lite version 5 - Default Config Path
#
# /usr/share/shorewall-lite/configpath
#
CONFIG_PATH=${CONFDIR}/shorewall-lite:${SHAREDIR}/shorewall6-lite:${SHAREDIR}/shorewall
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewall6-lite.service.debian���������������������������������������������0000664�0000000�0000000�00000001144�13243347103�021305� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
#
[Unit]
Description=Shorewall IPv6 firewall (lite)
Wants=network-online.target
After=network-online.target
After=shorewall-lite.service
Conflicts=ip6tables.service firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/shorewall6-lite
StandardOutput=syslog
ExecStart=/sbin/shorewall6-lite $OPTIONS start
ExecStop=/sbin/shorewall6-lite $OPTIONS clear
ExecReload=/sbin/shorewall6-lite $OPTIONS reload
[Install]
WantedBy=basic.target
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.debian.sysvinit������������������������������������������������0000664�0000000�0000000�00000003532�13243350236�021045� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Debian Shorewall 5.0 rc file
#
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFFILE=default.debian.sysvinit #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
����������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/COPYING��������������������������������������������������������������������0000664�0000000�0000000�00000043135�13243347103�014522� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
Copyright (C) 19yy
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewall6-lite.service����������������������������������������������������0000664�0000000�0000000�00000001264�13243347103�020067� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
# Copyright 2017 Tom Eastep
#
[Unit]
Description=Shorewall IPv6 firewall (lite)
Wants=network-online.target
After=network-online.target
After=shorewall-lite.service
Conflicts=ip6tables.service firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall6-lite
StandardOutput=syslog
ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
ExecStop=/sbin/shorewall -6l $OPTIONS stop
ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS
[Install]
WantedBy=basic.target
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/modules.extensions���������������������������������������������������������0000664�0000000�0000000�00000000771�13243350236�017260� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Shorewall6 -- /usr/share/shorewall6/modules.extension
#
# Extensions Modules File
#
# This file loads the modules that may be needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# If you need to modify this file, copy it to /etc/shorewall and modify the
# copy.
#
###############################################################################
loadmodule ip6_queue
�������shorewall6-lite-5.1.12.2/helpers��������������������������������������������������������������������0000664�0000000�0000000�00000002547�13243350236�015057� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Shorewall6 version 5 - Helpers File
#
# /usr/share/shorewall6/helpers
#
# This file loads the modules that may be needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# If you need to modify this file, copy it to /etc/shorewall and modify the
# copy.
#
###############################################################################
#
# Helpers
#
loadmodule nf_conntrack_amanda
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_h323
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_conntrack_pptp
loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_proto_udplite
loadmodule nf_conntrack_sane
loadmodule nf_conntrack_sip sip_direct_media=0
loadmodule nf_conntrack_pptp
loadmodule nf_conntrack_proto_gre
loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_sip
loadmodule nf_conntrack_tftp
loadmodule nf_conntrack_sane
#
# While not actually helpers, these are included here so that
# LOG_BACKEND can work correctly. Not all of them will be
# loaded, since at least one of them will be an alias on any
# given system.
#
loadmodule ip6t_LOG
loadmodule nf_log_ipv6
loadmodule xt_LOG
loadmodule xt_NFLOG
loadmodule nfnetlink_log
���������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/init.sh��������������������������������������������������������������������0000775�0000000�0000000�00000005466�13243347103�014776� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see ] [ ]"
echo "where is one of"
echo " -h"
echo " -v"
echo " -n"
exit $1
}
#
# Change to the directory containing this script
#
cd "$(dirname $0)"
if [ -f shorewall-lite.service ]; then
PRODUCT=shorewall-lite
Product="Shorewall Lite"
else
PRODUCT=shorewall6-lite
Product="Shorewall6 Lite"
fi
#
# Source common functions
#
. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
#
# Parse the run line
#
finished=0
configure=1
while [ $finished -eq 0 ]; do
option=$1
case "$option" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
usage 0
;;
v)
echo "$Product Firewall Uninstaller Version $VERSION"
exit 0
;;
n*)
configure=0
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
#
# Read the RC file
#
if [ $# -eq 0 ]; then
if [ -f ./shorewallrc ]; then
. ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
else
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
fi
elif [ $# -eq 1 ]; then
file=$1
case $file in
/*|.*)
;;
*)
file=./$file || exit 1
;;
esac
. $file || fatal_error "Can not load the RC file: $file"
else
usage 1
fi
if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: $Product Version $VERSION is not installed"
VERSION=""
fi
echo "Uninstalling $Product $VERSION"
[ -n "$SANDBOX" ] && configure=0
if [ $configure -eq 1 ]; then
if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
${SBINDIR}/$PRODUCT clear
elif qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall6 ]; then
${SBINDIR}/$PRODUCT clear
fi
fi
remove_file ${SBINDIR}/$PRODUCT
if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
if [ $HOST = openwrt ]; then
if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
/etc/init.d/$PRODUCT disable
fi
FIREWALL=$(readlink ${SHAREDIR}/$PRODUCT/init)
else
FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)
fi
elif [ -n "$INITFILE" ]; then
FIREWALL=${INITDIR}/${INITFILE}
fi
if [ -f "$FIREWALL" ]; then
if [ $configure -eq 1 ]; then
if mywhich insserv ; then
insserv -r $FIREWALL
elif mywhich update-rc.d ; then
update-rc.d ${PRODUCT} remove
elif mywhich chkconfig ; then
chkconfig --del $(basename $FIREWALL)
fi
fi
remove_file $FIREWALL
fi
[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
if [ -n "$SERVICEDIR" ]; then
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
remove_file $SERVICEDIR/${PRODUCT}.service
fi
remove_directory ${CONFDIR}/$PRODUCT
remove_directory ${VARDIR}
remove_directory ${SHAREDIR}/$PRODUCT
remove_directory ${LIBEXECDIR}/$PRODUCT
remove_file ${CONFDIR}/logrotate.d/$PRODUCT
if [ -n "$SYSCONFDIR" ]; then
[ -n "$SYSCONFFILE" ] && remove_file ${SYSCONFDIR}/${PRODUCT}
fi
if [ -n "${MANDIR}" ]; then
remove_file_with_wildcard ${MANDIR}/man5/${PRODUCT}\*
remove_file_with_wildcard ${MANDIR}/man8/${PRODUCT}\*
fi
#
# Report Success
#
echo "$Product $VERSION Uninstalled"
�������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/manpages/������������������������������������������������������������������0000775�0000000�0000000�00000000000�13243350415�015254� 5����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/manpages/shorewall6-lite.conf.xml������������������������������������������0000664�0000000�0000000�00000016522�13243350413�021747� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
shorewall6-lite.conf
5
Configuration Files
shorewall6-lite.conf
Shorewall6 Lite global configuration file
/etc/shorewall6-lite/shorewall6-lite.conf
Description
This file sets options that apply to Shorewall6 Lite as a
whole.
The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements
(variable =value ). Each
variable's setting is preceded by comments that describe the variable and
it's effect.
Any option not specified in this file gets its value from the
shorewall6.conf file used during compilation of
/var/lib/shorewall6-lite/firewall. Those settings may be found in the file
/var/lib/shorewall6-lite/firewall.conf.
OPTIONS
The following options may be set in shorewall6.conf.
IP6TABLES= [pathname ]
This parameter names the ip6tables executable to be used by
Shorewall6. If not specified or if specified as a null value, then
the ip6tables executable located using the PATH option is
used.
LOGFILE= [pathname ]
This parameter tells the /sbin/shorewall6 program where to
look for Shorewall6 messages when processing the dump , logwatch , show
log , and hits commands.
If not assigned or if assigned an empty value, /var/log/messages is
assumed.
LOGFORMAT= [" formattemplate " ]
The value of this variable generate the --log-prefix setting
for Shorewall6 logging rules. It contains a “printf” formatting
template which accepts three arguments (the chain name, logging rule
number (optional) and the disposition). To use LOGFORMAT with
fireparse, set it as:
LOGFORMAT="fp=%s:%d a=%s "
If the LOGFORMAT value contains the substring “%d” then the
logging rule number is calculated and formatted in that position; if
that substring is not included then the rule number is not included.
If not supplied or supplied as empty (LOGFORMAT="") then
“Shorewall6:%s:%s:” is assumed.
PATH = pathname [: pathname ]...
Determines the order in which Shorewall6 searches directories
for executable files.
RESTOREFILE= [filename ]
Specifies the simple name of a file in /var/lib/shorewall6 to
be used as the default restore script in the shorewall6 save , shorewall6 restore , shorewall6 forget and shorewall6 -f start commands.
SHOREWALL_SHELL= [pathname ]
This option is used to specify the shell program to be used to
interpret the compiled script. If not specified or specified as a
null value, /bin/sh is assumed. Using a light-weight shell such as
ash or dash can significantly improve performance.
SUBSYSLOCK= [pathname ]
This parameter should be set to the name of a file that the
firewall should create if it starts successfully and remove when it
stops. Creating and removing this file allows Shorewall6 to work
with your distribution's initscripts. For RedHat, this should be set
to /var/lock/subsys/shorewall6. For Debian, the value is
/var/state/shorewall6 and in LEAF it is /var/run/shorewall.
VERBOSITY= [number
Shorewall6 has traditionally been very noisy (produced lots of
output). You may set the default level of verbosity using the
VERBOSITY OPTION.
Values are:
0 - Silent. You may make it more verbose using the -v
option
1 - Major progress messages displayed
2 - All progress messages displayed (old default
behavior)
If not specified, then 2 is assumed.
FILES
/etc/shorewall6-lite/shorewall6.conf
See ALSO
http://www.shorewall.net/Documentation_Index.html shorewall6-lite(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/manpages/shorewall6-lite.xml�����������������������������������������������0000664�0000000�0000000�00000002603�13243350415�021020� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
shorewall6-lite
8
Administrative Commands
shorewall6-lite
Administration tool for Shoreline Firewall 6 Lite
(Shorewall6-lite)
shorewall6-lite
trace |debug -options
command [
command-arguments ]
Description
The shorewall6-lite utility is used to control the Shoreline
Firewall 6 Lite (Shorewall6-lite).
Beginning with Shorewall 5.1.0, shorewall6-lite
is a symbolic link pointing to the shorewall (8) executable who
executes the command as if its
-6 and -l options had been
specified.
�����������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/manpages/shorewall6-lite-vardir.5������������������������������������������0000664�0000000�0000000�00000006411�13243350414�021651� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������'\" t
.\" Title: shorewall6-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.79.1
shorewall6-lite-vardir
5
Configuration Files
vardir
Shorewall6 Lite file
/etc/shorewall6-lite/vardir
Description
This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall6 Lite to store state
information, including compiled firewall scripts. By default, the
directory used is /var/lib/shorewall6-lite/ .
The file contains a single variable assignment:
VARDIR= directory where directory is the name of a
directory. If you add this file, you should copy the files from
/var/lib/shorewall6-lite to the new directory before
performing a shorewall6-lite restart .
Beginning with Shorewall 4.5.2, use of this file is deprecated in
favor of specifying VARDIR in the shorewallrc file
used during installation of Shorewall Core. While the name of the
variable remains VARDIR, the meaning is slightly different. When set in
shorewallrc, Shorewall6 Lite will create a directory under the specified
path name to hold state information.
Example:
VARDIR=/opt/var/lib/
The state directory for Shorewall Lite will be
/opt/var/lib/shorewall6-lite .
When VARDIR is set in
/etc/shorewall6-lite/vardir , Shorewall Lite will
save its state in the directory
specified.
Example
VARDIR=/root/shorewall6
FILES
/etc/shorewall6-lite/vardir
See ALSO
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
����������������������shorewall6-lite-5.1.12.2/init.debian.sh�������������������������������������������������������������0000775�0000000�0000000�00000006273�13243347103�016214� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
### BEGIN INIT INFO
# Provides: shorewall6-lite
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: Configure the firewall at boot time
# Description: Configure the firewall according to the rules specified in
# /etc/shorewall6-lite
### END INIT INFO
. /lib/lsb/init-functions
SRWL='/sbin/shorewall6-lite -6'
SRWL_OPTS="-tvv"
test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall6 Lite firewall\"."
exit 1
fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done."
else
echo "not done (check $INITLOG)."
fi
exit 1
}
not_configured () {
echo "#### WARNING ####"
echo "the firewall won't be started/stopped unless it is configured"
if [ "$1" != "stop" ]
then
echo ""
echo "Please read about Debian specific customization in"
echo "/usr/share/doc/shorewall6-lite/README.Debian.gz."
fi
echo "#################"
exit 0
}
# parse the shorewall6 params file in order to use params in
# /etc/default/shorewall6
if [ -f "/etc/shorewall6-lite/params" ]
then
. /etc/shorewall6-lite/params
fi
# check if shorewall is configured or not
if [ -f "/etc/default/shorewall6-lite" ]
then
. /etc/default/shorewall6-lite
SRWL_OPTS="$SRWL_OPTS $OPTIONS"
if [ "$startup" != "1" ]
then
not_configured
fi
else
not_configured
fi
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
# start the firewall
shorewall6_start () {
printf "Starting \"Shorewall6 Lite firewall\": "
$SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# stop the firewall
shorewall6_stop () {
if [ "$SAFESTOP" = 1 ]; then
printf "Stopping \"Shorewall6 Lite firewall\": "
$SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
else
printf "Clearing all \"Shorewall6 Lite firewall\" rules: "
$SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
fi
return 0
}
# restart the firewall
shorewall6_restart () {
printf "Restarting \"Shorewall6 Lite firewall\": "
$SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# refresh the firewall
shorewall6_refresh () {
printf "Refreshing \"Shorewall6 Lite firewall\": "
$SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# status of the firewall
shorewall6_status () {
$SRWL $SRWL_OPTS status && exit 0 || exit $?
}
case "$1" in
start)
shorewall6_start
;;
stop)
shorewall6_stop
;;
refresh)
shorewall6_refresh
;;
force-reload|restart)
shorewall6_restart
;;
status)
shorewall6_status
;;
*)
echo "Usage: /etc/init.d/shorewall6-lite {start|stop|refresh|restart|force-reload|status}"
exit 1
esac
exit 0
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/configure������������������������������������������������������������������0000775�0000000�0000000�00000012322�13243350236�015371� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
#
# Shorewall Packet Filtering Firewall RPM configuration program - V4.6
#
# (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see = ] ...
#
#
################################################################################################
#
# Build updates this
#
VERSION=5.1.12.2
case "$BASH_VERSION" in
[4-9].*)
;;
*)
echo "ERROR: This program requires Bash 4.0 or later" >&2
exit 1
;;
esac
declare -A params
declare -A options
getfileparams() {
while read option; do
case $option in
\#*)
;;
*)
on=${option%=*}
ov=${option#*=}
ov=${ov%#*}
[ -n "$on" ] && options[${on}]="${ov}"
;;
esac
done
return 0
}
for p in $@; do
if [ -n "${p}" ]; then
declare -u pn
pn=${p%=*}
pn=${pn#--}
pv=${p#*=}
if [ -n "${pn}" ]; then
case ${pn} in
VENDOR)
pn=HOST
;;
SHAREDSTATEDIR)
pn=VARLIB
;;
DATADIR)
pn=SHAREDIR
;;
esac
params[${pn}]="${pv}"
else
echo "ERROR: Invalid option ($p)" >&2
exit 1
fi
fi
done
cd $(dirname $0)
vendor=${params[HOST]}
if [ -z "$vendor" ]; then
if [ -f /etc/os-release ]; then
eval $(cat /etc/os-release | grep ^ID=)
case $ID in
fedora|rhel)
vendor=redhat
;;
debian|ubuntu)
vendor=debian
;;
opensuse)
vendor=suse
;;
*)
vendor="$ID"
;;
esac
params[HOST]="$vendor"
fi
fi
if [ -z "$vendor" ]; then
case `uname` in
Darwin)
params[HOST]=apple
rcfile=shorewallrc.apple
;;
cygwin*|CYGWIN*)
params[HOST]=cygwin
rcfile=shorewallrc.cygwin
;;
*)
if [ -f /etc/debian_version ]; then
params[HOST]=debian
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
elif [ -f /etc/redhat-release ]; then
params[HOST]=redhat
rcfile=shorewallrc.redhat
elif [ -f /etc/slackware-version ] ; then
params[HOST]=slackware
rcfile=shorewallrc.slackware
elif [ -f /etc/SuSE-release ]; then
params[HOST]=suse
rcfile=shorewallrc.suse
elif [ -f /etc/arch-release ] ; then
params[HOST]=archlinux
rcfile=shorewallrc.archlinux
elif [ -f /etc/openwrt_release ]; then
params[HOST]=openwrt
rcfile=shorewallrc.openwrt
else
params[HOST]=linux
rcfile=shorewallrc.default
fi
;;
esac
vendor=${params[HOST]}
else
if [ $vendor = linux ]; then
rcfile=shorewallrc.default;
elif [ $vendor = debian -a -f /etc/debian_version ]; then
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
else
rcfile=shorewallrc.$vendor
fi
if [ ! -f $rcfile ]; then
echo "ERROR: $vendor is not a recognized host type" >&2
exit 1
elif [ $vendor = default ]; then
params[HOST]=linux
vendor=linux
elif [[ $vendor == debian.* ]]; then
params[HOST]=debian
vendor=debian
fi
fi
if [ $vendor = linux ]; then
echo "INFO: Creating a generic Linux installation - " `date`;
else
echo "INFO: Creating a ${params[HOST]}-specific installation - " `date`;
fi
echo
getfileparams < $rcfile || exit 1
for p in ${!params[@]}; do
options[${p}]="${params[${p}]}"
done
echo '#' > shorewallrc
echo "# Created by Shorewall Core version $VERSION configure - " `date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"` >> shorewallrc
echo "# rc file: $rcfile" >> shorewallrc
echo '#' >> shorewallrc
if [ $# -gt 0 ]; then
echo "# Input: $@" >> shorewallrc
echo '#' >> shorewallrc
fi
if [ -n "${options[VARLIB]}" ]; then
if [ -z "${options[VARDIR]}" ]; then
options[VARDIR]='${VARLIB}/${PRODUCT}'
fi
elif [ -n "${options[VARDIR]}" ]; then
if [ -z "{$options[VARLIB]}" ]; then
options[VARLIB]=${options[VARDIR]}
options[VARDIR]='${VARLIB}/${PRODUCT}'
fi
fi
if [ -z "${options[SERVICEDIR]}" ]; then
options[SERVICEDIR]="${options[SYSTEMD]}"
fi
for on in \
HOST \
PREFIX \
SHAREDIR \
LIBEXECDIR \
PERLLIBDIR \
CONFDIR \
SBINDIR \
MANDIR \
INITDIR \
INITSOURCE \
INITFILE \
AUXINITSOURCE \
AUXINITFILE \
SERVICEDIR \
SERVICEFILE \
SYSCONFFILE \
SYSCONFDIR \
SPARSE \
ANNOTATED \
VARLIB \
VARDIR \
DEFAULT_PAGER
do
echo "$on=${options[${on}]}"
echo "$on=${options[${on}]}" >> shorewallrc
done
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.openwrt��������������������������������������������������������0000664�0000000�0000000�00000003507�13243350236�017434� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# OpenWRT Shorewall 5.0 rc file
#
BUILD= #Default is to detect the build system
HOST=openwrt
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR= #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.archlinux������������������������������������������������������0000664�0000000�0000000�00000003415�13243350236�017731� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Arch Linux Shorewall 5.0 rc file
#
BUILD= #Default is to detect the build system
HOST=archlinux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/usr/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's installed SysV init script
INITSOURCE= #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR= #Directory where SysV init parameter files are installed
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.slackware������������������������������������������������������0000664�0000000�0000000�00000003766�13243350236�017721� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Slackware Shorewall 5.0 rc file
#
BUILD=slackware
HOST=slackware
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d #Directory where SysV init scripts are installed.
AUXINITSOURCE=init.slackware.firewall.sh #Name of the distributed file to be installed as the SysV init script
AUXINITFILE=rc.firewall #Name of the product's installed SysV init script
INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script
INITFILE=rc.$PRODUCT #Name of the product's installed second init script
SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Name of the directory where SysV init parameter files are installed.
ANNOTATED= #If non-empty, install annotated configuration files
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
����������shorewall6-lite-5.1.12.2/shorewallrc.default��������������������������������������������������������0000664�0000000�0000000�00000003643�13243350236�017363� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Default Shorewall 5.0 rc file
#
BUILD= #Default is to detect the build system
HOST=linux #Generic Linux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
���������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.redhat���������������������������������������������������������0000664�0000000�0000000�00000003601�13243350236�017200� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# RedHat/FedoraShorewall 5.0 rc file
#
BUILD= #Default is to detect the build system
HOST=redhat
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
�������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewall6-lite.spec�������������������������������������������������������0000664�0000000�0000000�00000031712�13243350236�017363� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������%define name shorewall6-lite
%define version 5.1.12
%define release 2
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
Version: %{version}
Release: %{release}
License: GPLv2
Packager: Tom Eastep
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables iproute shorewall-core
Provides: shoreline_firewall = %{version}-%{release}
%description
The Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter
(ip6tables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
Shorewall6 Lite is a companion product to Shorewall6 that allows network
administrators to centralize the configuration of Shorewall6-based firewalls.
%prep
%setup
%build
%install
./configure.pl --host=%{_vendor} \
--prefix=%{_prefix} \
--tmpdir=%{_tmpdir} \
--perllibdir=%{perl_vendorlib} \
--libexecdir=%{_libexecdir} \
--sbindir=%{_sbindir}
DESTDIR=%{buildroot} ./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%pre
%post
if [ $1 -eq 1 ]; then
if [ -x %{_sbindir}/systemctl ]; then
%{_sbindir}/systemctl enable shorewall6-lite
elif [ -x /usr/bin/systemctl ]; then
/usr/bin/systemctl enable shorewall6-lite
elif [ -x %{_sbindir}/insserv ]; then
%{_sbindir}/insserv /etc/rc.d/shorewall6-lite
elif [ -x %{_sbindir}/chkconfig ]; then
%{_sbindir}/chkconfig --add shorewall6-lite;
fi
fi
%preun
if [ $1 -eq 0 ]; then
if [ -x %{_sbindir}/systemctl ]; then
%{_sbindir}/systemctl disable shorewall6-lite
elif [ -x /usr/bin/systemctl ]; then
/usr/bin/systemctl disable shorewall6-lite
elif [ -x %{_sbindir}/insserv ]; then
%{_sbindir}/insserv -r %{_initddir}/shorewall6-lite
elif [ -x %{_sbindir}/chkconfig ]; then
%{_sbindir}/chkconfig --del shorewall6-lite
fi
fi
%files
%defattr(0644,root,root,0755)
%attr(0755,root,root) %dir /etc/shorewall6-lite
%attr(0644,root,root) %config(noreplace) /etc/shorewall6-lite/shorewall6-lite.conf
%attr(0644,root,root) /usr/lib/systemd/system/shorewall6-lite.service
%attr(0755,root,root) %dir /usr/share/shorewall6-lite
%attr(0700,root,root) %dir /var/lib/shorewall6-lite
%attr(0755,root,root) %dir /etc/sysconfig/
%attr(0600,root,root) %config(noreplace) /etc/sysconfig/shorewall6-lite
%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
%attr(- ,root,root) %{_sbindir}/shorewall6-lite
%attr(0644,root,root) /usr/share/shorewall6-lite/version
%attr(0644,root,root) /usr/share/shorewall6-lite/configpath
%attr(- ,root,root) /usr/share/shorewall6-lite/functions
%attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
%attr(0644,root,root) /usr/share/shorewall6-lite/modules*
%attr(0644,root,root) /usr/share/shorewall6-lite/helpers
%attr(0544,root,root) %{_libexecdir}/shorewall6-lite/shorecap
%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite.conf.5.gz
%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite-vardir.5.gz
%attr(0644,root,root) %{_mandir}/man8/shorewall6-lite.8.gz
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Feb 10 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-2
* Fri Feb 09 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-1
* Tue Feb 06 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0base
* Wed Jan 31 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0RC1
* Tue Jan 23 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta2
* Wed Jan 17 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta1
* Wed Jan 10 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0base
* Fri Jan 05 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0RC1
* Sun Dec 31 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta2
* Tue Dec 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta1
* Sat Dec 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0base
* Mon Dec 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC2
* Sat Dec 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC1
* Fri Dec 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta2
* Wed Nov 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta1
* Wed Nov 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0base
* Sat Nov 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0RC1
* Fri Nov 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta2
* Thu Oct 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta1
* Sun Oct 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0base
* Tue Oct 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0RC1
* Sat Oct 07 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta2
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta1
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0base
* Sun Sep 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC2
* Fri Sep 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC1
* Wed Aug 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta2
* Tue Aug 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta1
* Wed Aug 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0base
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC2
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Wed Aug 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Thu Aug 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta2
* Thu Jul 20 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta1
* Mon Jun 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0base
* Wed Jun 21 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0RC1
* Fri Jun 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta2
* Thu May 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta1
* Fri May 05 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0base
* Mon Apr 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0RC1
* Fri Mar 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta2
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta1
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0base
* Sun Mar 12 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC2
* Fri Mar 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC1
* Mon Mar 06 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta2
* Wed Feb 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta1
* Fri Feb 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0RC1
* Fri Feb 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta2
* Wed Jan 25 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta1
* Tue Jan 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0base
* Thu Jan 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0RC1
* Tue Jan 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta2
* Wed Jan 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta1
* Tue Jan 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-1
* Wed Jan 04 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0base
* Wed Dec 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC2
* Tue Dec 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC1
* Mon Dec 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta2
* Sun Dec 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta1
* Fri Dec 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0base
* Thu Dec 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC2
* Sun Nov 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC1
* Thu Nov 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta2
* Sun Nov 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta1
* Mon Oct 31 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC3
* Sat Oct 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC2
* Thu Oct 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC1
* Tue Oct 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta2
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta1
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0base
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC2
* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC1
* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta2
* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta1
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0base
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC3
* Tue Sep 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC2
* Tue Sep 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC1
* Tue Sep 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta2
* Sat Aug 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta1
* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0base
* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0RC1
* Wed Jul 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta2
* Tue Jul 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta1
* Fri Jul 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-1
* Sat Jun 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0base
* Tue Jun 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0RC1
* Tue Jun 14 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta2
* Mon Jun 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta1
* Thu May 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0base
* Thu May 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0RC1
* Thu Apr 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta2
* Mon Apr 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta1
* Fri Apr 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC2
* Mon Apr 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC1
* Thu Apr 07 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta4
* Sat Apr 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta3
* Fri Apr 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta2
* Sun Mar 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta1
* Thu Mar 24 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0base
* Fri Mar 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0RC1
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta4
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta3
* Tue Mar 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta2
* Sat Mar 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta1
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta6
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta5
* Thu Mar 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta4
* Sat Feb 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta3
* Sun Feb 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta2
* Fri Feb 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta1
* Wed Feb 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0base
* Mon Feb 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC2
* Wed Feb 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC1
* Fri Jan 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta2
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta1
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0base
* Tue Jan 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC2
* Mon Jan 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC1
* Tue Jan 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta2
* Sat Jan 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta1
* Sun Dec 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0base
* Thu Dec 24 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC2
* Sun Dec 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC1
* Sat Dec 05 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta2
* Sat Nov 28 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta1
* Sat Nov 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-1
* Sat Nov 07 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0base
* Sun Nov 01 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0RC1
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta2
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta1
* Tue Oct 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-1
* Mon Oct 12 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-0base
* Sat Oct 03 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0base
* Mon Sep 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0RC1
* Thu Sep 10 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta2
* Mon Jul 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta1
������������������������������������������������������shorewall6-lite-5.1.12.2/lib.base�������������������������������������������������������������������0000664�0000000�0000000�00000002217�13243347103�015065� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Shorewall 4.4 -- /usr/share/shorewall6-lite/lib.base
#
# (c) 2011, 2014 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see ) is not terminating
Previously, an "unknown function" Perl diagnostic was issued in its
place.
4) Previously, if a policy action specification in shorewall[6].conf
or in the policy file included a log tag, a garbled error message
was issued. That has been corrected.
5) Under rare rare circumstances, syn flood limiting specified in a
policy was previously not enforced by the generated ruleset. That
has been corrected.
5.1.12.1
1) The macro SSDPServer released in 5.1.12 inadvertently contained the
content of macro.SSDP. The corrected macro is now available as
macro.SSDPserver (note the lower case 's' in 'server').
2) When double semicolons (";;") were used to introduce inline
matches, column/value pairs enclosed in braces ("{...}") were not
recongnized correctly if there was any white space between the
closing brace ("}") and the semicolons. That problem has been
corrected.
5.1.12
1) This release contains defect repair from releases through 5.1.11.2.
2) Many typos in comments in the chains module have been corrected.
3) Dead code was removed.
4) A function that is called only from lib.cli-std had been moved
there from lib.cli.
5) Trailing white space is now omitted from the generated script.
6) Apparently random blank lines in the generated script have been
eliminated.
7) Previously, the output of 'shorewall show capabilties' only
displayed the 'Ipset Match (IPSET_MATCH)' capability if it was
available. Now, it is also displayed when it is not available.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) The 'enable', 'reenable' and 'disable' commands do not work
correctly in configurations with USE_DEFAULT_RT=No and optional
providers listed in the DUPLICATE column.
3) While the 'ip' utility now accepts IPv6 routes with multiple
'nexthop' destinations, these routes are not balanced. They are
rather instantiated as a sequence of single routes with different
metrics. Furthermore, the 'ip route replace' command fails on
such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a
single "replace" command.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Beginning with this release, SNAT can be performed on flows
destined for the firewall itself. In this case, SNAT will be
performed in the INPUT chain of the nat table; see
shorewall-snat(5) for details.
This change introduced a new capability:
INPUT chain in the nat table (NAT_INPUT_CHAIN)
2) The undocumented optimize option OPTIMIZE_USE_FIRST (0x1000)
has been removed.
3) Some minor performance enhancements have been make to optimization
category 8.
4) While INLINE_MATCHES=Yes has been documented as deprecated for some
time, it has thus far not generated a warning. Beginning with this
release, a warning is issued:
WARNING: Option INLINE_MATCHES=Yes is deprecated
See the Migration Issues section for additional information.
5) The IPMI macro has been extended to include additional protocols
(Tuomo Soini).
6) Several new macros have been added:
Apcupsd
FreeIPA
Kpasswd
RedisSecure
Rwhois
SSDP
SSDPServer
(Tuomo Soini)
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
1) If you are migrating from Shorewall 4.6.x or earlier, please see
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
2) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. It's
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:
Shorewall 5.0 Shorewall 5.1
shorewall shorewall
shorewall6 shorewall -6
shorewall-lite shorewall -l
shorewall6-lite shorewall -6l
Only Shorewall-lite and Shorewall6-lite installed:
Shorewall 5.0 Shorewall 5.1
shorewall-lite shorewall
shorewall6-lite shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
3) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
For the common case where you have an action xxx with an empty
action.xxx file and have perl code in a file named xxx, the
compiler will now generate a fatal error:
ERROR: File action.xxx is empty and file xxx exists - the two
must be combined as described in the Migration
Considerations section of the Shorewall release notes
For information about resolving this error, see
http://www.shorewall.org/Shorewall-5.html#idp41228128.
4) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
5) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
etc. options may now specify a comma-separated list of actions
rather than just a single action. The actions are invoked in the
order in which they are listed and each action may optionally be
followed by a colon (":") and a log level. The POLICY column in
shorewall[6]-policy can now specify a similar list of actions. In
that file, the list may be preceded by a plus sign ("+"), in which
case the listed actions will be in addition to those listed in the
related _DEFAULT setting in shorewall[6].conf.
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
the reader to http://www.shorewall.net/Actions.html#Default.
7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
Broadcast no longer handle multicast. Multicast is handeled
separately in actions allowMcast, dropMcast and Multicast. The
now-deprecated Drop and Reject policy actions have been modified so
that they continue to silently drop multicast packets.
8) According to the Netfilter team (see
https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
of the NFLOG target has never worked correctly, and they have
deprecated that option in favor of the --nflog-size option.
To accomodate this change, Shorewall 5.1.5 added an "--nflog-size
support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
capability is present, Shorewall will use '--nflog-size' in place
of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
present, an error is raised.
If you don't use NFLOG or if you use NFLOG with omittted second
parameter or with 0 as the second parameter, and 'shorewall show
capabilities' indicated that --nflog-size support is present, you
may safely set USE_NFLOG_SIZE=Yes.
If you pass a non-zero value as the second parameter to NFLOG and
the '--nflog-size support' capability is present, you need to
verify that those NFLOG messages are as you expect with
USE_NFLOG_SIZE=Yes.
9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
Shorewall 5.1.7. Shorewall now finds modules, independent of their
filename suffix.
'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
setting.
10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
default route is only restored when there are no enabled
'balance/primary' providers and no enabled fallback providers.
Also beginning with Shorewall 5.1.8, if the default route(s) have
been restored to the 'main' table, and a fallback provider is
successfully enabled, the default route(s) are removed from the
main table.
11) Because restoring default routes to the main routing table can
break the ability of Foolsm and other link status monitors to
properly detect non-functioning provider links, a warning message
is issued when the 'persistent' provider option is specified and
RESTORE_DEFAULT_ROUTE=Yes.
WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
may not work as expected
This change was released in Shorewall 5.1.8.
12) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
is issued when an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In many cases, this issue can be worked around by a change similar
to the following:
Original:
net + dhcp,routeback,sourceroute=0
Change to:
net all dhcp,physical=+,routeback,sourceroute=0
--- ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
13) INLINE_MATCHES=Yes has been documented as deprecated for some
time, but it has not generated a warning. Beginning with the
Shorewall 5.1.12 release, a warning is issued:
WARNING: Option INLINE_MATCHES=Yes is deprecated
Additionally, each line that requires modification to work with
INLINE_MATCHES=No is flagged with the warning:
WARNING: This entry needs to be changed (replace ';' with ';;')
before the INLINE_MATCHES option is removed in
Shorewall 5.2
You can eliminate the warnings by setting INLINE_MATCHES=No and
by replacing the single semicolon (";") separating inline matches
from the column-oriented part of the rule with two semicolons
(";;") in each entry flagged by the second warning.
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 1
----------------------------------------------------------------------------
5.1.11.1
1) When AUTOMAKE=Yes and the 'find' utility is Busybox-based,
Shorewall 5.1.11 would fail during compilation with the error:
find: unrecognized: -quit
That has been corrected.
5.1.11
1) This release contains defect repair from releases through 5.1.10.2.
2) Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would
verify the existence of the 'conntrack' utility on the local system
when the command was 'remote-start', 'remote-reload' or
'remote-restart'. Now, that verification is only done for the
blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.).
3) Previously, when DYNAMIC_BLACKLIST=ipsec..., the CLI required the
firewall to be started in order to run the 'allow' command. Now,
the command only requires that the dynamic blacklist ipset
exists.
4) Previously, if an address variable was used in the stoppedrules
file, the 'clear' command could fail in two different ways,
depending on whether the related interface was optional or not.
If the interface was optional, the failure message was similar to
the following:
$ shorewall clear
Clearing Shorewall....
Preparing iptables-restore input...
/var/lib/shorewall/firewall: 3064: [: !=: unexpected operator
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.
If the interface was not optional, the result was similar to:
$ shorewall debug clear
Clearing Shorewall....
Preparing iptables-restore input...
Running debug_restore_input...
Bad argument `6'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT"
Failed
Terminated
This problem has been corrected.
5) Previously, the 'clear' command enabled forwarding
unconditionally. Beginning with this release, 'clear' will
conditionally enable/disable forwarding in the same manner as
'stop'.
6) In multi-ISP configurations, it is possible for an IPSEC-tunneled
connection from the Internet to be forwarded back out to the
Internet (for example, if all traffic from the remote endpoint is
sent through the tunnel). If the provider handling the tunnel has
the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing
tunneled connection is sent back out that interface by
default (since the encapsulated initial packet arrived through that
interface). Since this is not always desirable, Shorewall now
clears the tracking mark on the connection while processing the
first packet, allowing the connection to not match routing rules
that are dependent on the tracking mark.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1 1
----------------------------------------------------------------------------
1) Previously, the 'show' command was not available to non-root
users. Beginning with this release, non-root users may now
run the following 'show' commands:
show action
show actions
show ip
show macro
show macros
show routing
2) When a RATE is specified on a policy, the rate is enforced in a
chain whose name begins with '@' (e.g., @net-dmz). Previously, log
messages in the chain omitted the '@', leading to possible
confusion. Beginning with this release, the log message will
reflect the chain's actual name (including the '@').
3) To improve efficiency, TCP CT entries in the conntrack file and
TCP entries in the rules file that specify a HELPER will now
assume that 'tcp:syn' had been specified. That way, the generated
ip[6]tables rule will only match on the first packet of the
three-way handshake.
4) Now that the route caches have been removed from the kernel,
Multi-ISP really doesn't work without the 'track' provider option.
As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that
the 'track' option may still be turned off using 'notrack', when
TRACK_PROVIDERS=Yes.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 0
----------------------------------------------------------------------------
5.1.10.2
1) When AUTOMAKE=Yes, the commands 'start', 'restart' and 'reload'
cause the 'find' utility to be run in each entry in the CONFIG_PATH
to look for files that have been modified since the current
firewall script was created.There are two related defects in 5.1.10
and 5.1.10.1 that manifest when AUTOMAKE=Yes.
a) While the compiler only searches in the directories themselves,
'find' was not limited to just those directories, but was rather
searched the entire tree rooted in each path in CONFIG_PATH.
b) If the CONFIG_PATH was prefixed by ":", then there was
effectively an empty path in CONFIG_PATH, which resulted in a
search of the entire tree rooted in the current working
directory.
Both problems have been corrected:
a) Find is run with '-maxdepth 1', to limit the search to just the
files in the directory.
b) Find is not run on empty paths in CONFIG_PATH.
5.1.10.1
1) The Shorewall-core installer previously failed to update the shell library
files correctly when SHAREDIR was not set to /usr/share/. That has
been corrected.
2) Previously, the installer modified the shorewall[6].conf installed
in /etc/shorewall[6] based on the Linux distribution (HOST in
shorewallrc) but installed an unmodified file in
/usr/share/shorewall/configfiles/. Beginning with this release,
the modified file is also installed in the latter directory.
5.1.10
1) Several typos have been corrected in the manpages (Roberto
Sánchez).
2) Regarding Known Problem 3 below, the code added in 5.0.15 could
fail to delete an existing default route if the new default route
was not identical to the one being replaced. Now, the default route
is deleted, even the new route is different.
3) Previously, if the 'ss' utility was not installed but 'netstat' was
installed, the 'dump' command would issue the error message
/sbin/shorewall: line 1: netatat: not found
and the dump would not contain socket information. That problem
has been corrected.
4) Previously, a plain 'reset' command would only reset counters in
the 'filter' and 'mangle' tables. Now, all four tables have their
counters reset.
5) Specifying IN-BANDWIDTH would previously cause a run-time
start/restart/reload failure when a later version of iproute2 was
installed. The problem has been observed on both iproute2 4.13.0
and 4.14.0. The failure message was similar to the following:
Setting up Traffic Control...
"rate" or "avrate" MUST be specified.
Illegal "police"
ERROR: Command "tc filter add dev ppp0 parent ffff: protocol all
prio 10 basic police mpu 64 drop rate 55378kbit burst 10kb" Failed
This problem has been resolved.
6) Previously, Shorewall-init would recompile the firewall script each
time that it ran. Now, it only compiles the script if it doesn't
exist.
7) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with this release, a warning is issued when
an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In most cases, this issue can be worked around by a change similar
to the following:
Original:
net + dhcp,routeback,sourceroute=0
Change to:
net all dhcp,physical=+,routeback,sourceroute=0
--- ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
8) When the IPv6 Universal sample configuration was used, the
following warning was issued during start/restart/reload:
WARNING: Cannot set Accept Source Routing on +
The Universal interfaces file has been corrected to eliminate that
error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1 0
----------------------------------------------------------------------------
1) Previously, it was necessary to remove ${CONFDIR}/shorewall[6] from
the CONFIG_PATH to create a configuration directory for a remote
firewall managed by shorewall[6]-lite. Without this modification,
when the compiler looked for a file that was not present in the
configuration directory, it would attempt to read the file by the
same name residing in ${CONFDIR}/shorewall[6].
Now, if the setting of CONFIG_PATH begins with a colon (":"),
the first directory in the path is ignored when compiling for
export or when the user running the compiler is not root.
The released copies of shorewall[6].conf have all been modified to
set CONFIG_PATH with a leading colon.
2) The documentation surrounding use of DNS names in Shorewall
configuration has been improved.
3) It is now possible to associate a particular protocol with an
action in shorewall[6]-actions(5). When a protocol is specified in
that file, it is not necessary to specify the protocol in the PROTO
column when invoking the action. If a protocol is included in the
PROTO column then it must match the one specified in the actions
file. If an action defined with a protocol is used as a Policy
Action, then only packets with the specified protocol will be
passed to the action.
A number of standard actions definitions in
/usr/share/shorewall[6]/actions.std have had a protocol added.
The protocol has no effect if 'builtin' or 'inline' is also
specified; specifying 'builtin' with a protocol results in a
warning message. No warning is issued when 'inline' is specified
with a protocol, thus allowing 'inline' and a protocol to appear
together in actions.std. Note that 'noinline' in
shorewall-actions(5) can override an 'inline' specification in
actions.std.
4) The FIN action previously included the PSH flag (FIN,ACK,PSH). To
make the action a bit more general, the PSH flag is now removed and
TCP packets with just the FIN and ACK flags set will now match.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 9
----------------------------------------------------------------------------
1) This release includes defect repair through Shorewall 5.1.8.1.
2) Previously, Shorewall6 did not accept square brackets ("[...]")
around the GATEWAY address in a Providers file entry. That has been
corrected, so that the usual convention of enclosing IPv6 addresses
in square brackets is allowed in that context.
3) Previously, if the IP variables was set in a remote firewall's
configuration directory, and the named file did not exist on the
local administrative system, then a fatal error was raised.
Example:
ERROR: The program specified in IP (/usr/bin/ip) does not exist
or is not executable
Beginning with this release, the contents of the IP option will not
be verified at compile time when compiling for export.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 9
----------------------------------------------------------------------------
1) The mangle file now supports a TCPMSS action for setting the MSS
value in TCP SYN packets. See shorewall-mangle(5) for details. As
part of this change, the TCPMSS rule generated by the CLAMPMSS
option has been moved from the filter table FOWARD chain to the
mangle table FORWARD chain.
2) The Broadcast and Multicast actions are now inlined when the
Address Type Match capability is available.
3) It is now possible to specify 'noinline' in an entry in
/etc/shorewall[6]/actions to override the 'inline' option
specified in /usr/share/shorewall/actions.std.
4) Logging is now supported in the snat file.
- Log levels may be specified on SNAT, MASQUERADE and CONTINUE
rules.
- The NFLOG, ULOG and LOG actions are now supported.
See shorewall-snat(5) for details.
5) A logging manpage (shorewall-logging(5)) has been added.
6) The IPMI macro now includes support for Redfish remote consoles.
7) The Sample configuration files now use logical interface names to
simplify adapting them to fit the newer interface naming
convention adopted by the kernel.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 8
----------------------------------------------------------------------------
1) This release includes defect repair through Shorewall 5.1.7.2.
2) The copyright dates and product version comments have been updated
in a number of files.
3) The undocumented and unmaintained Makefile files for Shorewall-lite
and Shorewall6-lite have been removed from Shorewall and Shorewall6
respectively.
4) The 'dump' command logic now does a better job of detecting
and suppressing the printing of empty IPSec SPD entries.
5) A number of issues with persistent providers that resulted in
'ip rule add' and 'ip route add' failures have been corrected. The
most common senario involved a 'reload' while a persistent
interface was disabled.
6) Previously, the generated script contained incorrect logic for
deleting default routes with metric zero ('balanced' routes and
routes generated by 'fallback=nn'); the logic only worked correctly
when applied to the 'main' routing table. It now works correctly
for all routing tables.
7) The 'ip xfrm policy' command ignores the -4 and -6 options and
dumps the policies for both address families. This release contains
a workaround that suppresses entries for the other family.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 8
----------------------------------------------------------------------------
1) For historical reasons, Shorewall has always assumed that LOG target
support is present unless proven otherwise. While this has worked
correctly when a capabilities file is used and when
LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall
script when LOAD_HELPERS_ONLY=Yes.
Beginning with this release, Shorewall will treat LOG target like
any other capability and will verify its presense in all cases
where the target is used.
2) The level 4 optimizer now does a better job of handling small
chains with rules specifying an IPSEC policy. This can result in
elimination of these chains.
3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the
default route is only restored when there are no enabled
'balance/primary' providers and no enabled fallback providers.
Also beginning with this release, if the default route(s) have been
restored to the 'main' table, and a fallback provider is
successfully enabled, the default route(s) are removed from the
main table.
4) Because restoring default routes to the main routing table can
break the ability of Foolsm and other link status monitors to
properly detect non-functioning provider links, a warning message
is now issued when the 'persistent' provider option is specified
and RESTORE_DEFAULT_ROUTE=Yes.
WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
may not work as expected
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 7
----------------------------------------------------------------------------
5.1.7.2
1) Previously during the opening of a configuration file, if SELinux
denied the "getattr" (stat) request, then the compiler would skip
processing of the file as if it did not exist. Now, if "getattr"
fails for any reason other than that the file does not exist, an
error is raised.
ERROR: Unable to access :
2) Previously, when a range was passed to the MARK() action (mangle
file), any specified protocol, port and time restrictions were
ignored. Now these elements are included in the rule.
5.1.7.1
1) Previously, the 'reenable' command failed on a persistent provider
interface with a message similar to the following:
RTNETLINK answers: File exists
ERROR: Command "/sbin/ip -4 rule add from 10.2.10.2 pref 20000
table IPv6Beta" Failed
That problem has been corrected and the 'reenable' command now
works properly on both persistant and non-persistant interfaces.
Note: The firewall script must be recompiled in order for this
change to become effective.
5.1.7
1) This release includes defect repair through Shorewall 5.1.6.1.
2) Previously, there was a typo in IPv4 Example 5 in the
shorewall-snat(5) manpage. The DEST column contained
eth0+myset[dst]
which should have been
eth0:+myset[dst]
That has been corrected.
3) Previously, specifying an ipset name in the DEST column of the IPv4
snat file had no effect. That has been corrected so that only
connections whose destination matches the ipset are affected by the
rule.
4) Previously, passing an invalid vlsm to the 'ipcalc' command coult
result in a series of shell diagnostics beginning with:
shorewall: 3730: /home/teastep/bin/shorewall: Invalid VLSM: not
found
That has been corrected so that the correct message is issued:
ERROR: Invalid VLSM
(Tuomo Soini)
5) ADD_IP_ALIASES has defaulted to Yes for both Shorewall and
Shorewall6, leading to 'not found' errors during
start/reload/restart. Now, ADD_IP_ALIASES=No is the default for
IPv6 and may not be changed.
6) When Shorewall-init was configured to save ipsets, it could leave
behind an empty or useless .tmp file if no ipsets were saved. Now
that file is removed automatically.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 7
----------------------------------------------------------------------------
1) Loading of kernel modules has been streamlined (Tuomo Soini).
2) The MODULE_SUFFIX option in shorewall[6].conf has been
eliminated. Shorewall now finds modules, independent of their
filename suffix.
'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
setting.
3) When 'detect' is specified in the GATEWAY column for a provider,
the generated script now looks for an existing default route in
the provider's routing table to obtain the provider's default
gateway. This is useful when dhcpcd5 is installed, since the .lease
files created by dhcpcd5 are binary coded and are hence not usable
for learning the configured gateway.
4) The Shorewall Event actions (IfEvent, SetEvent and ResetEvent) now
accept DNAT and REDIRECT as the argument. For DNAT, a
server address must be specified in the DEST column. A server port
may NOT be specified in the DEST column, so the port number cannot
be changed by the action.
5) Shorewall now supports Docker configuration that create the
DOCKER-INGRESS chain in the filter table.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 6
----------------------------------------------------------------------------
1) This release contains defect repair through Shorewall 5.1.5.2.
2) http://www.shorewall.net/shorewall_extension_scripts.htm states
that $SHAREDIR and $CONFDIR can be used in extension scripts, that
has not been true for some time. Beginning with this release, those
variables are once again available in the generated script.
3) Under very rare circumstances, when OPTIMIZE level 8 was used,
messages such as the following could be issued during compilation:
Use of uninitialized value in hash element at
/usr/share/shorewall/Shorewall/Rules.pm line 818.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Rules.pm line 823.
That has been corrected.
4) Previously, Shorewall's treatment of wildcard interfaces differed
from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
while Netfilter did. Beginning with this release, Shorewall is
consistent with Netfilter.
5) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorwall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
6) To prevent other init systems from starting the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables-restore '--wait' option, if
available, is used. This change introduces a new
RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
7) Previously, the RDP macro only allowed TCP traffic, even though RDP
also requires UDP. That has been corrected so that both protocols
are allowed.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 6
----------------------------------------------------------------------------
1) The SPARSE option in shorewallrc originally caused only
shorewall[6].conf to be installed in /etc/shorewall[6], but later
the conntrack and params files were also installed. To prevent
these additional files from being installed, SPARSE may now be set
to 'Very', either by editing the file directly or by using the
configure or configure.pl scripts.
This setting is recommended if you wish to use a single set of
configuration files for both IPv4 and IPv6 as described at
http://www.shorewall.org/SharedConfig.html.
2) Two new run-time extensions scripts have been added:
- enabled
Invoked when an optional interface has been successfully enabled
using the 'enable' command.
- disabled
Invoked when an optional interface has been successfully disabled
using the 'disable' command.
Like all run-time extension scripts, the contents of each script
are placed in a function body. In the case of these new scripts,
the function is passed arguments:
$1 = the physical name of the interface
$2 = the logical name of the interface
$3 = the name of the Provider, if any, associated with the
interface.
3) When a zone (z1) is defined to be a sub-zone of another zone (z2),
the compiler now verifies that the two zones have at least one
interface in common. If they do not, a warning message is
generated:
WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
zones have no interface in common
4) Runtime address variables may now be used as the server IP address
and Runtime port variables may be used as the server port in DNAT
rules.
Example:
DNAT net $FW:ð1:%{PORT} tcp 9999
5) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorwall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
6) To prevent problems when other init systems start the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables '--wait' option, if
available, is used. The amount of time to wait is determined by the
setting of MUTEX_TIMEOUT (default 60 seconds). This change
introduces a new RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
7) Previously, the sample configuration files specified
MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified
MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based
systems. Beginning with this release, the default .conf files also
specify MODULE_SUFFIX="ko ko.xz".
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 5
----------------------------------------------------------------------------
5.1.5.2
1) Previously, Specifying a USER in the OUTPUT section of the
accounting file caused the compilter to incorrectly generate the
following error message:
ERROR: USER/GROUP may only be specified in the OUTPUT section
That has been corrected, and no error message is generated in this
case.
2) When BASIC_FILTERS=Yes, the compiler previously generated an
invalid tc command when when a source port was specified in a
tcfilters entry. The compiler now generates correct input in this
case.
3) Previously, a MAC address could be specified in the OUTPUT
section of the accounting file and no error would be generated at
compile time. A failure would occur, however, at run-time. Now, an
error is raised during compilation.
5.1.5.1
1) To compensate for the presence of a masq file with no entries,
the compiler will now attempt to process the snat file when such a
masq file is found. Previously, if a masq file with no entries was
found, the snat file, if any, was ignored.
2) Previously, maintainers could not create reproducible packages
because the 'configure' and 'configure.pl' scripts inserted the
current date and time into the generated shorewallrc file.
To support reproducible package builds, the scripts now recognize
the SOURCE_DATE_EPOCH environmental variable (see
https://reproducible-builds.org/specs/source-date-epoch/).
The change to 'configure' was supplied by Bernhard M. Wiedemann.
5.1.5
1) This release contains defect repair through Shorewall 5.1.4.4.
2) Previously, when 0 was used as a port number or when a port number
> 65535 was specified, an 'uninitialized variable' Perl exception
occurred when the compiler attempted to issue an error
message. That has been corrected.
3) When running with Perl 5.26, messages such at the following could
be issued:
Unescaped left brace in regex is deprecated here (and will be
fatal in Perl 5.30), passed through in regex; marked by <-- HERE
in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
/usr/share/shorewall/Shorewall/Config.pm line 2343.
That problem has been corrected.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 5
----------------------------------------------------------------------------
1) Run-time port variables are now supported. See
http://www.shorewall.org/configuration_file_basics.htm#Port_Variables
for details.
2) The Shorewall and Shorewall6 manpages are now consolidated. Almost
all of the Shorewall6 manpages are manpage aliases for the
corresponding Shorewall manpages which describe the files for both
products.
3) There is now a FIN standard action which handles TCP packets with
the FIN, ACK and PSH flags set.
4) According to the Netfilter team (see
https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
of the NFLOG target has never worked correctly, and they have
deprecated that option in favor of the --nflog-size option. To
accomodate this change, there is now an "--nflog-size support"
(NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in
shorewall[6].conf.
For further information, see the Migrations Issues item number 8.
5) The RESTORE_DEFAULT_ROUTE option has now been added to
shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes
has always been assumed for Shorewall6 configurations.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 4
----------------------------------------------------------------------------
5.1.4.4
1) A defect in 5.1.4.3 caused a startup failure when two or more
'fallback' providers were configured. That has been corrected.
5.1.4.3
1) When running on prior-generation distributions such as RHEL6,
IPv6 multi-ISP configurations failed to start due to an error such as
the following:
ERROR: Command "ip -6 -6 route replace default scope global
table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1"
Failed
Such configurations now start successfully.
5.1.4.2
1) Many broken links in the manpages have been corrected.
2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in
Shorewall 5.1.0, contained a defect which could result in the
following compile-time error:
Use of uninitialized value $fanout in concatenation (.) or string
at /usr/share/shorewall/Shorewall/Rules.pm line 643,
<$currentfile> line 2.
That has been corrected.
5.1.4.1
1) The introductory material in shorewall-rules(5) has been cleaned
up.
2) The information about LOGFORMAT in shorewall[6].conf(5) and
shorewall[6]-zones(5) has been expanded.
In Shorewall 5.1.0, the setting of LOGFORMAT in the default and
sample .conf files was changed to "%s:%s " to enable 10-character
zone names (up from 5 characters using the default
"Shorewall:%s:%s:" setting). As part of this change, if a
shorewall.conf file which did not set LOGFORMAT is updated using
"shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to
preserve the existing behavior.
This can have an effect on new installations, however in that
scipts or log analyzers can no longer be configured to simply look
for "Shorewall:" in log messages unless the setting of LOGFORMAT is
changed. The manpages (and the Migration Considerations below) have
been updated to describe how to locate these messages using the new
"%s:%s " setting.
3) The BLACKLIST action was inadvertently omitted from Shorewall6 in
Shorewall 5.1.1. That has been corrected.
5.1.4.1
1) The introductory material in shorewall-rules(5) has been cleaned
up.
2) The information about LOGFORMAT in shorewall[6].conf(5) and
shorewall[6]-zones(5) has been expanded.
In Shorewall 5.1.0, the setting of LOGFORMAT in the default and
sample .conf files was changed to "%s:%s " to enable 10-character
zone names (up from 5 characters using the default
"Shorewall:%s:%s:" setting). As part of this change, if a
shorewall.conf file which did not set LOGFORMAT is updated using
"shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to
preserve the existing behavior.
This can have an effect on new installations, however in that
scipts or log analyzers can no longer be configured to simply look
for "Shorewall:" in log messages unless the setting of LOGFORMAT is
changed. The manpages (and the Migration Considerations below) have
been updated to describe how to locate these messages using the new
"%s:%s " setting.
3) The BLACKLIST action was inadvertently omitted from Shorewall6 in
Shorewall 5.1.1. That has been corrected.
5.1.4
1) This release contains defect repair through Shorewall 5.1.3.1.
2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target
of a conditional ?RESET directive (one that was enclosed in ?if...
?else...?endif logic), the compiler could incorrectly use an
existing chain created from the action rather than creating a new
(and different) chain. That has been corrected.
3) Previously, if alternate input format specified a column that had
already been specified, the contents of that column were silently
overwritten. Now, a warning message is issued stating that the
prior value has been replaced by the newer value.
4) Previously, a string-valued interface option, such as
'physical', could be given an empty value (e.g., "physical=,"), and
the compiler would fail to flag it. Now, this usage raises an
error.
5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would
generate an error under Shorewall6. That has been corrected.
6) A number of small documentation corrections have been made.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 4
----------------------------------------------------------------------------
1) All IPv6 standard actions have been deleted and their logic
has been added to their IPv4 counterparts who can now handle
both address families.
2) Previously, ?error and ?require messages as well as verbose ?info
and ?warning messages (those that report the file and line numbers)
generated from an action file would report the action file name and
line number rather than the file and line number where the action
was invoked. The file and line number where the action was invoked
were listed second. Beginning with this release, the invoking file
and line number are listed first and the action file and line number
are not reported. This allows for creation of clearer messages.
Example:
Previously, when an invalid value was passed for the 'bricks'
parameter to the GlusterFS action on line 45 of the rules file, a
message such as the following was issued (folded to 76 columns):
ERROR: Invalid value for Bricks (2000)
/usr/share/shorewall/action.GlusterFS (line 15)
from /etc/shorewall/rules (line 45)
Note that the message seems to imply that the error is in
action.GlusterFS rather than in the rules file.
Beginning with this release, the message will be:
ERROR: Invalid value (2000) for the GlusterFS Bricks argument
/etc/shorewall/rules (line 45)
Note: This change only affects actions, including inline actions.
Macros will continue to report the old way.
3) IPv6 UPnP support (including MINIUPNPD) is now available.
4) A PERL_HASH_SEED option has been added to allow the Perl hash seed
to be specified. See shorewall.conf(5) and perlsec(1) for details.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 3
----------------------------------------------------------------------------
5.1.3.1
1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3
sample config files, which resulted in a compilation error.
That typo has been corrected.
2) There was also a typo in the two-interface IPv4 sample snat file;
192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has
been corrected.
3) Previously, when processing the policy file, 'all+' was incorrectly
treated the same as 'all'. That has been corrected so that 'all+'
causes intra-zone traffic to be included in the policy.
5.1.3
1) This release includes defect repair for releases through 5.1.2.4.
2) The documentation for 'reload' has been corrected:
- A command synopsis has been added in shorewall(8).
- The command synopsis in the 'help' output has been corrected.
3) The CONFIG_PATH setting has been corrected in the IPv6 Universal
sample configuration.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 3
----------------------------------------------------------------------------
1) The tarball installers and uninstallers have been unified and
now use a common library that is included in each tarball (Matt
Darfuille).
2) The installers now print a diagnostic if the relevant shorewallrc
file cannot be loaded (Matt Darfuille).
3) The /etc/default/... files installed on Debian are now dependent on
whether systemd is used or not (Matt Darfuille).
4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the
behavior of the hash function used in the implementation of
hashes. The hash key is now chosen randomly as a defense against
DOS attacks targeting Perl programs. Such attacks supply input data
that causes a single hash bucket to be used. While those changes
improved security, they cause non-deterministic program behavior
when the 'keys', 'values' and 'each' functions are used.
Prior to this release, Shorewall sorted the lists produced by those
functions to ensure that consecutive compilations of the same
configuration produced the same ruleset. In this release,
compilation speed has been improved by removing the sort calls and
by instructing Perl to use a constant hash key.
Note: The ruleset produced by this release will be equivalent
to that produced by 5.1.2, but will likely be different.
5) All builtin actions have been replaced with standard actions. In
some cases. the standard action produces different but equivalent
rules when compared to those produced by the corresponding builtin
action.
6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches
TCP packets with the SYN flag reset or one or more of ACK, RST or
FIN set. The dropNotSyn and rejNotSyn actions have been modified to
use this feature.
7) During 'update', the settings of all _LEVEL and _DEFAULT options
are now enclosed in quotes. This is done because these settings
often contain parentheses and the .conf files are process by
the shell. The sample configurations also have these settings
enclosed in quotes.
Update will continue to also enclose in quotes any settings that
contains characters other than alphanumeric, '/', and '.'.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 2
----------------------------------------------------------------------------
1) Previously, when the 5.1 CLI program was run with no command given,
a shell exception was raised. That has been corrected (Tuomo
Soini).
2) A caution has been added in shorewall[6]-rtrules regarding
similar rules at the same priority.
3) The 'dropBcasts' builtin action now works with
Shorewall6. Previously, an attempt to use that action failed with a
'missing action file' error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 2
----------------------------------------------------------------------------
1) Terminology change. What we've previously referred to as "default
actions" are now called "policy actions" to better describe their
purpose.
2) The DROP_DEFAULT, REJECT_DEFAULT, etc. options may now specify a
comma-separated list of actions rather than just a single
action. The actions are invoked in the order in which they are
listed and each action may optionally be followed by a colon (":")
and a log level.
The POLICY column in shorewall[6]-policy can now specify a
similar list of actions. In that file, the list may be preceded by
a plus sign ("+"), in which case the listed actions will be in
addition to those listed in the related _DEFAULT setting in
shorewall[6].conf.
3) With the preceding change, the Drop and Reject policy actions are
now deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
the reader to http://www.shorewall.net/Actions.html#Default.
4) A LOG_LEVEL option has been added to shorewall[6].conf with default
value 'info'. The sample config files have been updated to use
$LOG_LEVEL rather than 'info' so that changing this option's
setting will change all default packet logging. Like with any
option, $LOG_LEVEL can be used throughout the configuration (with
the exception of shorewall[6]-params).
5) The LIMIT column in shorewall[6]-policy has been renamed RATE for
consistency with shorewall[6]-rules. No change is required to
existing configurations, including those that specify 'limit' in
alternate input format.
6) Beginning with this release, the allowBcast, dropBcast, and
Broadcast no longer handling multicast. Multicast is handeled
separately in actions allowMcast, dropMcast and Multicast. The
now-deprecated Drop and Reject actions have been modified so that
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1
----------------------------------------------------------------------------
1) This release contains defect repair up through Shorewall 5.1.0.1.
2) Previously, expanded variables would be enclosed in single quotes
in ?ERROR, ?WARNING and ?INFO directive output. That has been
corrected.
3) The obsolete Drop and Reject macros have been removed (Drop and
Reject are now actions rather than macros).
4) A typo has been corrected in the parameter descriptions in
action.Drop and action.Reject.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1
----------------------------------------------------------------------------
1) Previously, the compiler did not check for routefilter/provider
issues. Now, a fatal compilation error is raised in the following
cases:
a) USE_DEFAULT_RT=Yes, ROUTE_FILTER=Yes in shorewall.conf and a
regular provider (not tproxy) is defined in the
providers file.
b) USE_DEFAULT_RT=Yes and a provider interface specifies a
non-zero value for the 'routefilter' option in the interfaces
file.
c) USE_DEFAULT_RT=No, ROUTE_FILTER=Yes in shorewall.conf, and
a provider interface doesn't specify the 'balance' or 'primary'
option in the providers file.
d) USE_DEFAULT_RT=No, a provider interface specifies the non-zero
value for the 'routefilter' option in the interfaces file but
does not specify the 'balance' or 'primary' option in the
providers file.
2) When 'routefilter' is specified by itself or with a non-zero value
(e.g., routefilter=1), the 'logmartians' option is now also set
implicitly when LOG_MARTIANS=No. If you actually want route
filtering without logging, then you must also include
'logmartians=0'.
3) Since the creation of the USE_DEFAULT_RT option, when
USE_DEFAULT_RT=Yes, 'balance=1' is assumed on all provider
interfaces unless 'fallback', 'load', 'primary', 'loose' or
'tproxy' is specified. This makes it awkward to define a provider
that does not generate a default route in either the 'balance' or
'default' routing tables; it is necessary to specify 'loose' then
add the routing rules that are suppressed by that option.
To address this issue, it is now possible to specify
BALANCE_PROVIDERS=No. When BALANCE_PROVIDERS=No and none of the
above-listed options is specified, the provider will generate no
entry in the 'balance' or 'default routing tables irrespective of
the setting of USE_DEFAULT_RT.
All of the released shorewall[6].conf files now specify
BALANCE_PROVIDERS=No. The default value is the effective setting of
USE_DEFAULT_RT to provide backward compatibility with earlier
releases.
4) When using ipset-based dynamic blacklisting, it is now possible to
specify BLACKLIST in the POLICY column of policy files. When
BLACKLIST is specified, the source IP address is automatically
added to the dynamic blacklist ipset and then the packet is
dropped. This new policy adds BLACKLIST_DEFAULT to
shorewall[6].conf; the default setting is "Drop".
5) A BLACKLIST action has been added; the action adds the sender to
the dynamic blacklist IPSET.
BLACKLIST accepts two optional argument:
1 - Action to take after adding the sender to the ipset. Default is
DROP.
2 - specifies the timeout for the added/updated entry.
If no timeout is passed, the one specified in
DYNAMIC_BLACKLIST, if any, is used. Otherwise, the one specified
when the ipset was created, if any, is used.
6) Given that there was already a BLACKLIST macro which implemented
the BLACKLIST action in blrules, the preceding change required that
BLACKLIST behave differently when invoked from the blrules file and
when invoked from the rules file. Because BLACKLIST invoked from
the rules file normally generates two rules, an action (not
inlined) is more appropriate there than is a macro. When it is
invoked from the blrules file, it only generates a single rule so
the optimizer will inline it anyway.
For historical reasons, the compiler treats the blrules file as if
it were the section BLACKLIST in the rules file. So, to implement
this dual behavior in the BLACKLIST action, a new 'section' option
has been added in the action file. When 'section' is specified, the
name of the current section and a comma are prepended to the
argument list passed when invoking the action. The action.BLACKLIST
file then has the following structure:
?if @1 eq 'BLACKLIST'
?else
?endif
7) There is now a 'show action ' command for Shorewall and
Shorewall6. The command displays the action file for the specified
.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 0
----------------------------------------------------------------------------
5.1.0.1
1) Shorewall6-lite 5.1.0 failed to start under systemd. That has
been corrected.
2) Previously, the setting of PAGER in shorewall[6].conf was not
propagated to a remote configuration during 'export',
'remote-start', 'remote-reload' and 'remote-restart'. That has been
corrected.
5.1.0
1) This release includes defect repair through Shorewall 5.0.15.2.
2) A defect associated with CHAIN_SCRIPTS=Yes previously prevented
some of the optimizations associated with optimize level 4 from
being applied. Removal of the CHAIN_SCRIPT option (see below) has
eliminated the defect.
3) The install.sh and uninstall.sh have had some minor cleanup (Matt
Darfeuille).
4) Previously, when SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4, the restore
phase of a rejected safe-restart would fail. That has been
corrected.
5) It is now possible to include compact IPv6 addresses (those with
"::") in IP6TABLES() parameters. Previously, such addresses
resulted in an "INVALID ACTION..." error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 0
----------------------------------------------------------------------------
1) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. It's
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:
Shorewall 5.0 Shorewall 5.1
shorewall shorewall
shorewall6 shorewall -6
shorewall-lite shorewall -l
shorewall6-lite shorewall -6l
Only Shorewall-lite and Shorewall6-lite installed:
Shorewall 5.0 Shorewall 5.1
shorewall-lite shorewall
shorewall6-lite shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
2) Several settings in the default/sample .conf files have been
modified:
a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:"
to "%s %s " to enable longer zone names.
b) The LOGLIMIT setting has been changed from empty to
"s:1/sec:10", to enable log trottling by default.
c) The AUTOMAKE setting has been changed from "No" to "Yes", to
avoid unnecessary recompilation.
d) The IP_FORWARDING setting has been changed from "On" to "Keep"
in shorewall.conf to accomodate cases where forwarding has been
configured before installing Shorewall.
e) The OPTIMIZE setting has been changed to "All", to create more
compact rulesets by default.
f) TC_CLEAR has been set to "No" in the shorewall6.conf files.
3) The allowed syntax in the SOURCE and DEST columns in the rules file
has been extended to allow multiple comma-separated
:[:][] tupples in a single
rule. Where the lists mulitiple addresses separated
by commas, the must be enclosed in parentheses.
Example: net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)
See shorewall[6]-rules(5) for details.
A similar change has been made to the conntrack and mangle files,
where multiple : groups can be specified:
Example: eth0:(1.2.3.4,2.3.4.5),eth1(5.6.7.8,6.7.8.9)
See shorewall[6]-conntrack(5) and shorewall[6]-mangle(5) for
details.
5) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
See http://www.shorewall.org/Shorewall-5.html#idp41228128.
5) The --queue-cpu-fanout NFQUEUE option is now supported in NFQUEUE
rules and policies. It is enabled by following the high queue
number with the letter 'c' (e.g., NFQUEUE(0:3c)). This option
requires 'NFQUEUE CPU Fanout' support in your kernel and
ip[6]tables.
6) A SWITCH column has been added to the mangle files. See
shorewall[6]-mangle(5) for details.
7) A 'show ipsec' command has been added. This command displays the
contents of the IPSEC "Security Policy Database" (SPD) and
"Security Association Database" (SAD). SAD keys are not shown.
8) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
9) In the released tarballs, the action.* files now reside in a
separate Actions/ directory.
10) The 'echo' builtin in recent versions of the dash shell does not
support the -n option. To accomodate that version, Shorewall no
longer uses either the -e or -n options.
11) When LOAD_HELPERS_ONLY=No, additional modules required for NAT are
now loaded.
12) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
1
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/init.fedora.sh�������������������������������������������������������������0000775�0000000�0000000�00000004252�13243347103�016225� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
#
# Shorewall init script
#
# chkconfig: - 28 90
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall6-lite
# Required-Start: $local_fs $remote_fs $syslog $network
# Should-Start: VMware $time $named
# Required-Stop:
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Packet filtering firewall
# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
# Netfilter (iptables) based firewall
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
prog="shorewall -6l"
shorewall="${SBINDIR}/$prog"
logger="logger -i -t $prog"
lockfile="/var/lock/subsys/$prog"
# Get startup options (override default)
OPTIONS=
if [ -f ${SYSCONFDIR}/$prog ]; then
. ${SYSCONFDIR}/$prog
fi
start() {
printf $"Starting Shorewall: "
$shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
touch $lockfile
success
else
failure
fi
echo
return $retval
}
stop() {
printf $"Stopping Shorewall: "
$shorewall $OPTIONS stop 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
rm -f $lockfile
success
else
failure
fi
echo
return $retval
}
restart() {
# Note that we don't simply stop and start since shorewall has a built in
# restart which stops the firewall if running and then starts it.
printf $"Restarting Shorewall: "
$shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present
rm -f $lockfile
failure
fi
echo
return $retval
}
status(){
$shorewall status
return $?
}
status_q() {
status > /dev/null 2>&1
}
case "$1" in
start)
status_q && exit 0
$1
;;
stop)
status_q || exit 0
$1
;;
restart|reload|force-reload)
restart
;;
condrestart|try-restart)
status_q || exit 0
restart
;;
status)
$1
;;
*)
echo "Usage: $0 start|stop|reload|restart|force-reload|status"
exit 1
;;
esac
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/configure.pl���������������������������������������������������������������0000775�0000000�0000000�00000013565�13243350236�016015� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#! /usr/bin/perl -w
#
# Shorewall Packet Filtering Firewall RPM configuration program - V4.5
#
# (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see = ...
#
#
################################################################################################
use strict;
#
# Build updates this
#
use constant {
VERSION => '5.1.12.2'
};
my %params;
my %options;
my %aliases = ( VENDOR => 'HOST',
SHAREDSTATEDIR => 'VARLIB',
DATADIR => 'SHAREDIR' );
for ( @ARGV ) {
die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
my $pn = uc $1;
my $pv = $2 || '';
$pn = $aliases{$pn} if exists $aliases{$pn};
$params{$pn} = $pv;
}
use File::Basename;
chdir dirname($0);
my $vendor = $params{HOST};
my $rcfile;
my $rcfilename;
unless ( defined $vendor ) {
if ( -f '/etc/os-release' ) {
my $id = `cat /etc/os-release | grep ^ID=`;
chomp $id;
$id =~ s/ID=//;
if ( $id eq 'fedora' || $id eq 'rhel' ) {
$vendor = 'redhat';
} elsif ( $id eq 'opensuse' ) {
$vendor = 'suse';
} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
my $init = `ls -l /sbin/init`;
$vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
} else {
$vendor = $id;
}
}
$params{HOST} = $vendor;
$params{HOST} =~ s/\..*//;
}
if ( defined $vendor ) {
if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
if ( -l '/sbin/init' ) {
if ( readlink('/sbin/init') =~ /systemd/ ) {
$rcfilename = 'shorewallrc.debian.systemd';
} else {
$rcfilename = 'shorewallrc.debian.sysvinit';
}
} else {
$rcfilename = 'shorewallrc.debian.sysvinit';
}
} else {
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
}
unless ( -f $rcfilename ) {
die qq("ERROR: $vendor" is not a recognized host type);
} elsif ( $vendor eq 'default' ) {
$params{HOST} = $vendor = 'linux';
} elsif ( $vendor =~ /^debian\./ ) {
$params{HOST} = $vendor = 'debian';
}
} else {
if ( -f '/etc/debian_version' ) {
$vendor = 'debian';
if ( -l '/sbin/init' ) {
if ( readlink( '/sbin/init' ) =~ /systemd/ ) {
$rcfilename = 'shorewallrc.debian.systemd';
} else {
$rcfilename = 'shorewallrc.debian.sysvinit';
}
} else {
$rcfilename = 'shorewallrc.debian.sysvinit';
}
} elsif ( -f '/etc/redhat-release' ){
$vendor = 'redhat';
$rcfilename = 'shorewallrc.redhat';
} elsif ( -f '/etc/slackware-version' ) {
$vendor = 'slackware';
$rcfilename = 'shorewallrc.slackware';
} elsif ( -f '/etc/SuSE-release' ) {
$vendor = 'suse';
$rcfilename = 'shorewallrc.suse';
} elsif ( -f '/etc/arch-release' ) {
$vendor = 'archlinux';
$rcfilename = 'shorewallrc.archlinux';
} elsif ( `uname` =~ '^Darwin' ) {
$vendor = 'apple';
$rcfilename = 'shorewallrc.apple';
} elsif ( `uname` =~ /^Cygwin/i ) {
$vendor = 'cygwin';
$rcfilename = 'shorewallrc.cygwin';
} else {
$vendor = 'linux';
$rcfilename = 'shorewallrc.default';
}
$params{HOST} = $vendor;
}
my @localtime = localtime;
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
if ( $vendor eq 'linux' ) {
printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
} else {
printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
}
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
while ( <$rcfile> ) {
s/\s*#.*//;
unless ( /^\s*$/ ) {
chomp;
die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
$options{$1} = $2;
}
}
close $rcfile;
while ( my ( $p, $v ) = each %params ) {
$options{$p} = ${v};
}
my $outfile;
open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
if ( $ENV{SOURCE_DATE_EPOCH} ) {
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$ENV{SOURCE_DATE_EPOCH}\"`;
} else {
printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
}
print $outfile "# rc file: $rcfilename\n#\n";
print $outfile "# Input: @ARGV\n#\n" if @ARGV;
if ( $options{VARLIB} ) {
unless ( $options{VARDIR} ) {
$options{VARDIR} = '${VARLIB}/${PRODUCT}';
}
} elsif ( $options{VARDIR} ) {
$options{VARLIB} = $options{VARDIR};
$options{VARDIR} = '${VARLIB}/${PRODUCT}';
}
$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
for ( qw/ HOST
PREFIX
SHAREDIR
LIBEXECDIR
PERLLIBDIR
CONFDIR
SBINDIR
MANDIR
INITDIR
INITSOURCE
INITFILE
AUXINITSOURCE
AUXINITFILE
SERVICEDIR
SERVICEFILE
SYSCONFFILE
SYSCONFDIR
SPARSE
ANNOTATED
VARLIB
VARDIR
DEFAULT_PAGER / ) {
my $val = $options{$_} || '';
print "$_=$val\n";
print $outfile "$_=$val\n";
}
close $outfile;
1;
�������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/shorewallrc.cygwin���������������������������������������������������������0000664�0000000�0000000�00000002374�13243350236�017237� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Cygwin Shorewall 5.0 rc file
#
BUILD=cygwin
HOST=cygwin
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Unused on Cygwin
INITFILE= #Unused on Cygwin
INITSOURCE= #Unused on Cygwin
ANNOTATED= #Unused on Cygwin
SERVICEDIR= #Unused on Cygwin
SERVICEFILE= #Unused on Cygwin
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on Cygwin
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������shorewall6-lite-5.1.12.2/default.debian.sysvinit����������������������������������������������������0000664�0000000�0000000�00000002025�13243347103�020137� 0����������������������������������������������������������������������������������������������������ustar �root����������������������������root�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# prevent startup with default configuration
# set the following variable to 1 in order to allow Shorewall6-lite to start
startup=0
# If your Shorewall6-lite configuration requires detection of the ip address of
# a ppp interface, you must list such interfaces in "wait_interface" to get
# Shorewall6-lite to wait until the interface is configured. Otherwise the
# script will fail because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall6-lite/params
# wait_interface=
#
# Global start/restart/reload/stop options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Reload options
#
RELOADOPTIONS=""
#
# Stop options
#
STOPOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������