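#!/bin/sh
################################################################################
#
# ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode
#             IPSEC connection
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Usage: ipsecvpn [start|stop|restart]
#
# Intended to run as root from the init system (see the init-info block
# below). All site-specific settings are the variables in the
# "Configuration" section; there is no external configuration file.
# The script is IPv4-only: racoon is started with -4 and every policy
# uses /32 host prefixes.
################################################################################

RCDLINKS="2,S42 3,S42 6,K42"
#### BEGIN INIT INFO
# Provides: ipsecvpn
# Required-Start: $shorewall
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a tunnel-mode VPN connection
### END INIT INFO
# chkconfig: 2345 26 89
# description: IPSEC tunnel-mode connection
#
################################################################################
# Configuration
################################################################################
#
# External Interface
#
INTERFACE=eth0
#
# Remote IPSEC Gateway
#
GATEWAY=1.2.3.4
#
# Networks behind the remote gateway (space-separated list)
#
NETWORKS="192.168.1.0/24"
#
# Directory where X.509 certificates are stored.
#
CERTS=/etc/certs
#
# Certificate to be used for this connection. The cert
# directory must contain:
#
#    ${CERT}.pem     - the certificate
#    ${CERT}_key.pem - the certificate's key
#
CERT=roadwarrior
#
# The setkey binary
#
SETKEY=/usr/sbin/setkey
#
# The racoon binary
#
RACOON=/usr/sbin/racoon
#
# First IPv4 address on INTERFACE. Set by start() and read by
# make_racoon_conf() and make_setkey_conf(); not user-configurable.
#
IPADDR=

#
# Message to stderr
#
error_message() # $* = Error Message
{
    # printf rather than echo: the message is never parsed as echo options
    printf ' %s\n' "$*" >&2
}

#
# Fatal error -- aborts the script with exit status 2 after issuing the
# error message
#
fatal_error() # $* = Error Message
{
    printf ' Error: %s\n' "$*" >&2
    exit 2
}

#
# Find interface address -- prints the first IPv4 address assigned to the
# passed device on stdout. Calls fatal_error() if the device has none (when
# invoked inside $(...) that only terminates the subshell, so callers must
# check the exit status).
#
find_first_interface_address() # $1 = interface
{
    #
    # get the line of output containing the first IP address
    #
    addr=$(ip -f inet addr show "$1" 2> /dev/null | grep inet | head -n1)
    #
    # If there wasn't one, bail out now
    #
    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
    #
    # Strip the leading indentation and the 'inet ' keyword, then the
    # trailing VLSM mask (or the peer IP in case of a P-t-P link) along
    # with everything else on the line. $addr is passed quoted, so the
    # leading whitespace is consumed by the sed pattern instead of by
    # word splitting.
    #
    printf '%s\n' "$addr" | sed 's/^[[:space:]]*inet //;s/\/.*//;s/ peer.*//'
}

#
# Emit one racoon 'sainfo' (phase 2) stanza for traffic from $1 to $2 on
# stdout. Shared by make_racoon_conf() so the eight stanzas it writes stay
# identical.
#
emit_sainfo() # $1 = source address/prefix, $2 = destination address/prefix
{
    cat <<EOF
sainfo address $1 any address $2 any
{
    pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm blowfish ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

EOF
}

#
# Write a Racoon configuration to stdout using the variables above.
# Reads: CERTS, CERT, IPADDR, GATEWAY, NETWORKS.
#
# NOTE(review): the algorithm selection (blowfish, sha1, hmac_md5, DH/PFS
# group 2) dates from 2004/2005 and is weak by current standards. It is
# left unchanged here because both peers must agree on it; revisit it
# together with the gateway's configuration.
#
make_racoon_conf()
{
    cat <<EOF
path certificate "$CERTS";

listen
{
    isakmp $IPADDR;
}

remote $GATEWAY
{
    exchange_mode main;
    certificate_type x509 "$CERT.pem" "${CERT}_key.pem";
    verify_cert on;
    my_identifier asn1dn ;
    peers_identifier asn1dn ;
    verify_identifier on ;
    lifetime time 24 hour ;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2 ;
    }
}

EOF
    # One stanza per direction for each remote network; $NETWORKS is
    # deliberately unquoted so the space-separated list is split.
    for network in $NETWORKS; do
        emit_sainfo "$IPADDR/32" "$network"
        emit_sainfo "$network" "$IPADDR/32"
    done
    # ...and for host-to-host traffic with the gateway itself.
    emit_sainfo "$IPADDR/32" "$GATEWAY/32"
    emit_sainfo "$GATEWAY/32" "$IPADDR/32"
}

#
# Write a setkey configuration to stdout using the variables above.
# Reads: IPADDR, GATEWAY, NETWORKS.
#
# 'flush;' and 'spdflush;' discard every SA and policy on the host, not
# only those belonging to this tunnel. The '/require' level means traffic
# matching these policies is never sent in the clear: if racoon fails to
# negotiate, that traffic is dropped rather than leaked.
#
make_setkey_conf()
{
    echo "flush;"
    echo "spdflush;"
    echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
    echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
    # $NETWORKS deliberately unquoted: space-separated list
    for network in $NETWORKS; do
        echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
        echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
    done
}

#
# Start the Tunnel: install the SPD with setkey, then launch racoon.
#
# Each generated configuration goes into a private mktemp file that is
# removed as soon as its consumer has read it, and on any early exit via
# fatal_error(). Every external step is checked: previously a failed
# address lookup (fatal_error() inside $(...) only exits the subshell) or a
# failed setkey run would still have started racoon.
#
start()
{
    #
    # Get the first IP address configured on the device in INTERFACE
    #
    IPADDR=$(find_first_interface_address "$INTERFACE") || exit 2
    #
    # Create the setkey configuration in a private temporary file
    #
    TEMPFILE=$(mktemp "/tmp/$(basename "$0").XXXXXXXX") ||
        fatal_error "Can't create temporary file name"
    #
    # Whatever temp file is current gets removed if we are aborted below
    #
    trap 'rm -f -- "$TEMPFILE"' EXIT
    make_setkey_conf > "$TEMPFILE" || fatal_error "Can't write $TEMPFILE"
    #
    # Install the SPD. Do not go on to start racoon if this fails.
    #
    "$SETKEY" -f "$TEMPFILE" || fatal_error "setkey -f $TEMPFILE failed"
    #
    # We can now remove the file
    #
    rm -f -- "$TEMPFILE"
    #
    # Create another name -- make this distinct to aid debugging
    # (just comment out the 'rm' commands)
    #
    TEMPFILE=$(mktemp "/tmp/$(basename "$0").XXXXXXXX") ||
        fatal_error "Can't create temporary file name"
    make_racoon_conf > "$TEMPFILE" || fatal_error "Can't write $TEMPFILE"
    #
    # Start Racoon Daemon (-4: IPv4 only, matching the /32 policies above).
    # If this fails the SPD installed above stays in place; 'stop' purges it.
    #
    "$RACOON" -4 -f "$TEMPFILE" || fatal_error "racoon failed to start"
    #
    # Once the Daemon is running, we can remove the file
    #
    rm -f -- "$TEMPFILE"
}

#
# Stop the Tunnel
#
stop()
{
    #
    # Kill any racoon daemons. This terminates every racoon on the host,
    # not only the one launched by start(); start() records no PID, so
    # nothing more selective is available.
    #
    killall racoon
    #
    # Purge the SAD and SPD (host-wide, like the 'flush; spdflush;' written
    # by make_setkey_conf). Uses the configured SETKEY path rather than
    # whatever 'setkey' is first in PATH.
    #
    "$SETKEY" -F -FP
}

#
# Display command syntax and abend
#
usage()
{
    error_message "usage: $(basename "$0") [start|stop|restart]"
    exit 1
}

################################################################################
#                   C O D E   S T A R T S   H E R E
################################################################################

[ $# -eq 1 ] || usage

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 2
        start
        ;;
    *)
        usage
        ;;
esac

#
# Shorewall6 version 4 - Modules File
#
# /usr/share/shorewall6/modules
#
# This file loads the modules that may be needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!!  You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# If you need to modify this file, copy it to /etc/shorewall and modify the
# copy.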
# ############################################################################### # # Essential Modules # INCLUDE modules.essential # # Other xtables modules # INCLUDE modules.xtables # # Helpers # INCLUDE helpers # # Ipset # INCLUDE modules.ipset # # Traffic Shaping # INCLUDE modules.tc # # Extensions # INCLUDE modules.extensions shorewall6-4.5.21.6/Makefile0000644000175000017500000000102112272540615015367 0ustar teastepteastep# Shorewall6 Makefile to restart if config-files are newer than last restart VARDIR=$(shell /sbin/shorewall6 show vardir) CONFDIR=/etc/shorewall6 RESTOREFILE?=firewall all: $(VARDIR)/$(RESTOREFILE) $(VARDIR)/$(RESTOREFILE): $(CONFDIR)/* @/sbin/shorewall6 -q save >/dev/null; \ if \ /sbin/shorewall6 -q restart >/dev/null 2>&1; \ then \ /sbin/shorewall6 -q save >/dev/null; \ else \ /sbin/shorewall6 -q restart 2>&1 | tail >&2; exit 1; \ fi clean: @rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~ .PHONY: clean # EOF shorewall6-4.5.21.6/helpers0000644000175000017500000000206412272540615015324 0ustar teastepteastep# # Shorewall6 version 4 - Helpers File # # /usr/share/shorewall6/helpers # # This file loads the modules that may be needed by the firewall. # # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # dependency order. i.e., if M2 depends on M1 then you must load M1 # before you load M2. # # If you need to modify this file, copy it to /etc/shorewall and modify the # copy. 
# ############################################################################### # # Helpers # loadmodule nf_conntrack_amanda loadmodule nf_conntrack_ftp loadmodule nf_conntrack_h323 loadmodule nf_conntrack_irc loadmodule nf_conntrack_netbios_ns loadmodule nf_conntrack_netbios_ns loadmodule nf_conntrack_netlink loadmodule nf_conntrack_pptp loadmodule nf_conntrack_proto_sctp loadmodule nf_conntrack_proto_udplite loadmodule nf_conntrack_sane loadmodule nf_conntrack_sip sip_direct_media=0 loadmodule nf_conntrack_pptp loadmodule nf_conntrack_proto_gre loadmodule nf_conntrack_proto_sctp loadmodule nf_conntrack_sip loadmodule nf_conntrack_tftp loadmodule nf_conntrack_sane shorewall6-4.5.21.6/Macros/0000755000175000017500000000000012272540615015161 5ustar teastepteastepshorewall6-4.5.21.6/Macros/macro.Ping0000644000175000017500000000046112272540615017102 0ustar teastepteastep# # Shorewall6 version 4 - Ping Macro # # /usr/share/shorewall6/macro.Ping # # This macro handles 'ping' requests. # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - ipv6-icmp 128 shorewall6-4.5.21.6/Macros/macro.Trcrt0000644000175000017500000000060112272540615017277 0ustar teastepteastep# # Shorewall version 4 -Trcrt Macro # # /usr/share/shorewall/macro.Trcrt # # This macro handles Traceroute (for up to 30 hops). # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 33434:33524 # UDP Traceroute PARAM - - ipv6-icmp 128 # ICMP Traceroute shorewall6-4.5.21.6/Macros/macro.mDNS0000644000175000017500000000067512272540615017015 0ustar teastepteastep# # Shorewall version 4 - Multicast DNS Macro # # /usr/share/shorewall6/macro.mDNS # # This macro handles multicast DNS traffic. 
# ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - udp 5353 PARAM - - udp 32768: 5353 PARAM - 2 PARAM DEST SOURCE: udp 5353 PARAM DEST SOURCE: 2 shorewall6-4.5.21.6/action.AllowICMPs0000644000175000017500000000317212272540615017051 0ustar teastepteastep# # Shorewall6 version 4 - AllowICMPs Action # # /usr/share/shorewall6/action.AllowICMPs # # This action ACCEPTs needed ICMP types # ############################################################################### #TARGET SOURCE DEST PROTO DEST # PORT(S) ?format 2 DEFAULTS ACCEPT ?COMMENT Needed ICMP types (RFC4890) $1 - - ipv6-icmp destination-unreachable $1 - - ipv6-icmp packet-too-big $1 - - ipv6-icmp time-exceeded $1 - - ipv6-icmp parameter-problem # The following should have a ttl of 255 and must be allowed to transit a bridge $1 - - ipv6-icmp router-solicitation $1 - - ipv6-icmp router-advertisement $1 - - ipv6-icmp neighbour-solicitation $1 - - ipv6-icmp neighbour-advertisement $1 - - ipv6-icmp 137 # Redirect $1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation $1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement # The following should have a link local source address and must be allowed to transit a bridge $1 fe80::/10 - ipv6-icmp 130 # Listener query $1 fe80::/10 - ipv6-icmp 131 # Listener report $1 fe80::/10 - ipv6-icmp 132 # Listener done $1 fe80::/10 - ipv6-icmp 143 # Listener report v2 # The following should be received with a ttl of 255 and must be allowed to transit a bridge $1 - - ipv6-icmp 148 # Certificate path solicitation $1 - - ipv6-icmp 149 # Certificate path advertisement # The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge $1 fe80::/10 - ipv6-icmp 151 # Multicast router advertisement $1 fe80::/10 - ipv6-icmp 152 # Multicast router solicitation $1 fe80::/10 - ipv6-icmp 153 # Multicast router 
termination shorewall6-4.5.21.6/configure.pl0000755000175000017500000001130112272556447016264 0ustar teastepteastep#! /usr/bin/perl -w # # Shorewall Packet Filtering Firewall RPM configuration program - V4.5 # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # # (c) 2012 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Usage: ./configure.pl