shorewall-init-5.1.12.2/ 0000775 0000000 0000000 00000000000 13243350236 013402 5 ustar root root shorewall-init-5.1.12.2/lib.uninstaller 0000664 0000000 0000000 00000004414 13243350236 016435 0 ustar root root #
#
# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# The purpose of this library is to hold those functions used by the products uninstaller.
#
#########################################################################################
fatal_error() # $@ = message text
{
    # Report the message on stderr (prefixed so it stands out in the
    # uninstaller's output) and abort the whole script with status 1.
    local msg=" ERROR: $*"
    echo "$msg" >&2
    exit 1
}
split() # $1 = colon-separated list; writes the elements blank-separated on stdout
{
    # Do the IFS switch inside a subshell so the caller's IFS is never
    # touched, even if the function is interrupted half way. '$1' and '$*'
    # are deliberately unquoted: the shell breaking the value at the colons
    # is the whole point of this helper.
    ( IFS=:; set -- $1; echo $* )
}
qt() # $@ = command and its arguments
{
    # Run the command "quietly": stdout and stderr are both discarded,
    # the exit status is handed back unchanged.
    "$@" >/dev/null 2>/dev/null
}
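mywhich() # $1 = program name; returns 0 when an executable file of that name
          # exists in a $PATH directory, 2 otherwise
{
    local prog dir oldifs
    prog=$1
    # Break $PATH at the colons only. An entry containing blanks has to stay
    # one directory, which re-splitting the result with the default IFS (as
    # the old split() round trip did) would not preserve.
    oldifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$oldifs
    for dir in "$@"; do
        # An empty entry ("a::b", trailing ':') means the current directory
        # to the shell; it is skipped here on purpose so that the lookup can
        # never pick up a file from wherever the caller happens to be.
        [ -n "$dir" ] || continue
        # -x alone is also true for a directory, so insist on a regular file.
        if [ -f "$dir/$prog" ] && [ -x "$dir/$prog" ]; then
            return 0
        fi
    done
    return 2
}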
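remove_file() # $1 = file to remove
{
    # Only act on a regular file or a symlink (the link itself, never what
    # it points to); anything else -- directories in particular -- is left
    # alone. The path is quoted and passed after '--' so a name containing
    # blanks, glob characters or a leading '-' is still treated as one file.
    if [ -n "$1" ]; then
        if [ -f "$1" ] || [ -L "$1" ]; then
            rm -f -- "$1"
            echo "$1 Removed"
        fi
    fi
}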
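remove_directory() # $1 = directory to remove
{
    # Recursively delete the directory and everything below it. -d is also
    # true for a symlink that points at a directory; "rm -rf" on such a name
    # removes only the link, not the tree behind it. Quoting plus '--' keep
    # a path with blanks or a leading '-' intact.
    if [ -n "$1" ]; then
        if [ -d "$1" ]; then
            rm -rf -- "$1"
            echo "$1 Removed"
        fi
    fi
}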
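remove_file_with_wildcard() # $1 = file with wildcard to remove
{
    local f
    # '$1' is left unquoted on purpose: the caller passes a shell pattern
    # and the glob is expanded right here. Every match is then quoted so a
    # name with blanks is handled as one path. When nothing matches, the
    # loop sees the literal pattern and the tests below simply fail for it.
    if [ -n "$1" ]; then
        for f in $1; do
            if [ -d "$f" ]; then
                rm -rf -- "$f"
                echo "$f Removed"
            elif [ -f "$f" ] || [ -L "$f" ]; then
                rm -f -- "$f"
                echo "$f Removed"
            fi
        done
    fi
}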
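restore_file() # $1 = file to restore from its "<file>-shorewall.bkout" copy
{
    local backup="${1}-shorewall.bkout"
    # Nothing to do when no backup was taken for this file.
    if [ -f "$backup" ]; then
        # mv -f puts the saved original back in place. A failed move is
        # fatal -- continuing would leave the system half uninstalled --
        # so name the file before giving up instead of exiting silently.
        if mv -f -- "$backup" "$1"; then
            echo
            echo "$1 restored"
        else
            echo "ERROR: Unable to restore $1 from $backup" >&2
            exit 1
        fi
    fi
}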
shorewall-init-5.1.12.2/lib.installer 0000664 0000000 0000000 00000003616 13243350236 016075 0 ustar root root #
#
# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# The purpose of this library is to hold those functions used by the products installer.
#
#########################################################################################
fatal_error() # $@ = message text
{
    # Write the message to stderr with the standard " ERROR: " prefix and
    # terminate the installer with status 1 -- there is no recovery path.
    echo " ERROR: $*" >&2
    exit 1
}
split() # $1 = colon-separated list; prints the elements separated by blanks
{
    local saved_ifs
    saved_ifs=$IFS
    IFS=:
    # The unquoted expansion is intentional: the shell splits at the colons.
    set -- $1
    IFS=$saved_ifs
    echo "$@"
}
qt() # $@ = command and its arguments
{
    # "Quiet": run the command with both output streams thrown away;
    # only its exit status is of interest to the caller.
    "$@" >/dev/null 2>/dev/null
}
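mywhich() # $1 = program name; returns 0 when an executable file of that name
          # exists in a $PATH directory, 2 otherwise
{
    local prog dir oldifs
    prog=$1
    # Break $PATH at the colons only. An entry containing blanks has to stay
    # one directory, which re-splitting the result with the default IFS (as
    # the old split() round trip did) would not preserve.
    oldifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$oldifs
    for dir in "$@"; do
        # An empty entry ("a::b", trailing ':') means the current directory
        # to the shell; it is skipped here on purpose so that the lookup can
        # never pick up a file from wherever the installer happens to run.
        [ -n "$dir" ] || continue
        # -x alone is also true for a directory, so insist on a regular file.
        if [ -f "$dir/$prog" ] && [ -x "$dir/$prog" ]; then
            return 0
        fi
    done
    return 2
}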
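delete_file() # $1 = file to delete
{
    # Best effort, like "rm -f": a missing file is not an error and an
    # empty argument is a no-op. The path is quoted and passed after '--'
    # so odd names (blanks, glob characters, a leading '-') are deleted as
    # one path rather than misparsed.
    [ -n "$1" ] || return 0
    rm -f -- "$1"
}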
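require() # $1 = name of a variable that must be set and non-empty
{
    # The name is interpolated into an eval, so refuse anything that is not
    # a plain shell identifier before it gets anywhere near the evaluator.
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            fatal_error "Invalid option name \"$1\""
            ;;
    esac
    # Quote the expansion inside the eval'd text: the old form re-parsed the
    # value unquoted, so a setting such as SHAREDIR="/opt/my dir" made the
    # test fail with "too many arguments" instead of passing.
    eval "[ -n \"\$$1\" ]" || fatal_error "Required option $1 not set"
}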
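make_directory() # $1 = directory , $2 = mode
{
    # Create the directory (as before, an already existing one makes mkdir
    # complain), then force the requested mode so the result does not
    # depend on the caller's umask. Ownership is only changed when the
    # installer decided it may do so: OWNERSHIP holds "owner:group" then
    # and is empty otherwise. Returns 0 when ownership is left alone.
    mkdir -- "$1"
    chmod "$2" -- "$1"
    if [ -n "$OWNERSHIP" ]; then
        chown "$OWNERSHIP" -- "$1"
    fi
}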
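make_parent_directory() # $1 = directory , $2 = mode
{
    # Like make_directory() but creates missing parents too (mkdir -p) and
    # tolerates an existing directory. The mode is applied to $1 only. As
    # in make_directory(), the ownership string itself comes from OWNERSHIP
    # (it is "$OWNER:$GROUP" whenever it is set), so both helpers now agree.
    mkdir -p -- "$1"
    chmod "$2" -- "$1"
    if [ -n "$OWNERSHIP" ]; then
        chown "$OWNERSHIP" -- "$1"
    fi
}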
cant_autostart()
{
    # Warn (on stderr, after a blank line on stdout) that the boot-time
    # hook could not be set up. $Product is the human-readable product
    # name set by the installer. Non-fatal: the caller decides what next.
    local msg="WARNING: Unable to configure $Product to start automatically at boot"
    echo
    echo "$msg" >&2
}
shorewall-init-5.1.12.2/init.openwrt.sh 0000775 0000000 0000000 00000006614 13243347103 016407 0 ustar root root #!/bin/sh /etc/rc.common
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
#
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2016 - Matt Darfeuille (matdarf@gmail.com)
#
# On most distributions, this file should be called /etc/init.d/shorewall-init.
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#
#
# Under OpenWrt /etc/rc.common sources this file with $action set to the
# verb given on the command line (arg1 of the init script is arg2 when
# rc.common is sourced) and is expected to invoke the matching function
# (start/stop/boot below). This dispatch only does the pre-checks.
#
case "$action" in
start|stop|boot)
# These verbs change the packet filter, so refuse anyone but root.
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall \"."
exit 1
fi
# check if shorewall-init is configured or not
# NOTE: the sysconfig file is sourced, i.e. executed as shell by root; it
# must stay a root-owned file that nobody else can write.
if [ -f "/etc/sysconfig/shorewall-init" ]
then
. /etc/sysconfig/shorewall-init
# No products listed means nothing to initialize: leave quietly so the
# boot sequence is not disturbed.
if [ -z "$PRODUCTS" ]
then
exit 0
fi
else
exit 0
fi
;;
enable|disable|enabled)
# Openwrt related
# start and stop runlevel variable
# (consumed by rc.common when it creates/removes the rc.d symlinks)
START=19
STOP=91
;;
*)
echo "Usage: /etc/init.d/shorewall-init {start|stop}"
exit 1
esac
#
# The installer may alter this
#
# shorewallrc supplies the installation layout (CONFDIR, SBINDIR, VARLIB,
# ...) that setstatedir() below relies on. It is executed as shell, so it
# must be a root-owned file.
. /usr/share/shorewall/shorewallrc
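# Locate the current PRODUCT's statedir
setstatedir() # uses $PRODUCT; sets $STATEDIR
{
    local statedir
    local vardir="${CONFDIR}/${PRODUCT}/vardir"
    # An optional per-product vardir file can relocate the state directory.
    # It is executed as shell (by root), so only a root-owned file belongs
    # there; the subshell keeps its other assignments from leaking in here.
    if [ -f "$vardir" ]; then
        statedir=$( . "$vardir" && echo "$VARDIR" )
    fi
    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi
    # The compiled firewall script is what start()/stop() run. When it is
    # missing, have the compiler generate it (shorewall/shorewall6 only);
    # the compile status then becomes this function's status. Everything is
    # quoted so an empty PRODUCT or a path with blanks cannot derail the
    # tests ("[ = shorewall ]" used to be a syntax error).
    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    elif [ "$PRODUCT" = shorewall ]; then
        "${SBINDIR}/shorewall" compile
    elif [ "$PRODUCT" = shorewall6 ]; then
        "${SBINDIR}/shorewall" -6 compile
    else
        return 1
    fi
}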
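# Initialize the firewall
start () {
    local PRODUCT
    local STATEDIR
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # Put the firewall into its stopped (safe) state unless it is
            # already running. The product CLI lives in $SBINDIR -- the
            # variable shorewallrc and setstatedir() use. $SBIN is set
            # nowhere in this package, so the old "${SBIN}/$PRODUCT status"
            # could never succeed and the status check was meaningless.
            # $OPTIONS is left unquoted: it may hold several words.
            if ! "${SBINDIR}/$PRODUCT" status > /dev/null 2>&1; then
                "${STATEDIR}/firewall" ${OPTIONS} stop
            fi
        fi
    done
    # Reload the ipsets that stop() saved, if any.
    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi
    return 0
}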
# boot is what OpenWrt invokes at system start; it is just an alias for start().
boot () { start; }
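# Clear the firewall
stop () {
    local PRODUCT
    local STATEDIR
    local tmp
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # $OPTIONS is left unquoted on purpose: it may hold several words.
            "${STATEDIR}/firewall" ${OPTIONS} clear
        fi
    done
    # Save the ipset contents so start() can restore them at the next boot.
    # The dump goes to a temp file first and only replaces the previous
    # save when it actually holds a set definition, so an empty or failed
    # dump never clobbers a good earlier one. The temp file is always
    # cleaned up (a no-op after a successful rename).
    if [ -n "$SAVE_IPSETS" ]; then
        tmp="${SAVE_IPSETS}.tmp"
        mkdir -p -- "$(dirname "$SAVE_IPSETS")"
        if ipset -S > "$tmp" && grep -qE -- '^(-N|create )' "$tmp"; then
            mv -f -- "$tmp" "$SAVE_IPSETS"
        fi
        rm -f -- "$tmp"
    fi
    return 0
}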
shorewall-init-5.1.12.2/shorewallrc.debian.systemd 0000664 0000000 0000000 00000003100 13243350236 020554 0 ustar root root #
# Debian Shorewall 5.0 rc file
#
# Each line is "NAME=value #comment". The file is executed as shell by the
# installer after it has set $PRODUCT, so the $PRODUCT and ${PREFIX}
# references below expand at that moment; keep it root-owned.
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
# systemd layout: no SysV init script is installed (INITDIR/INITFILE empty).
INITDIR= #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's installed SysV init script
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFFILE=default.debian.systemd #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/default.debian.systemd 0000664 0000000 0000000 00000000645 13243347103 017665 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# Sample: PRODUCTS="shorewall shorewall6"
#
# NOTE: this file is read by being sourced, i.e. executed as shell by the
# init script (running as root). Keep it root-owned and not writable by
# anyone else, and keep the values plain words.
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events
#
IFUPDOWN=0
#
# Where Up/Down events get logged
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting)
# (passed unquoted to the compiled firewall script, so several
# blank-separated options are allowed)
OPTIONS="-V0"
# IOF
shorewall-init-5.1.12.2/changelog.txt 0000664 0000000 0000000 00000031111 13243350236 016067 0 ustar root root Changes in 5.1.12.2
1) Update release documents.
2) Alter documentation to prefer ';;' over ';' in INLINE and
IP[6]TABLES rules.
3) Make 'update' convert ';' to ';;' in INLINE, IPTABLES and IP6TABLES
rules.
4) Correct typo that resulted in an "unknown function" Perl diagnostic.
4) Correct "Invalid policy" message.
5) Fix omitted SYN limiting.
Changes in 5.1.12.1
1) Update release documents.
2) Replace macro.SSDPServer with corrected macro.SSDPserver.
Changes in 5.1.12 Final
1) Update release documents.
2) Add INLINE_MATCHES=Yes to the deprecated list.
Changes in 5.1.12 RC 1
1) Update release documents.
2) Minor performance enhancements to Optimize Category 8.
3) Always report IPSET_MATCH.
Changes in 5.1.12 Beta 2
1) Update release documents.
2) Delete undocumented OPTIMIZE_USE_FIRST option.
3) Merge 5.1.11.
4) Suppress trailing whitespace.
5) Avoid awkward blank lines.
Changes in 5.1.12 Beta 1
1) Update release documents.
2) Code and manpage cleanup.
3) Allow SNAT in the INPUT chain.
Changes in 5.1.11 Final
1) Update release documents.
Changes in 5.1.11 RC 1
1) Update release documents.
2) Update versions and copyrights.
3) Clear the connection mark on forwarded IPSEC tunneled connections.
4) Make TRACK_PROVIDERS=Yes the default.
Changes in 5.1.11 Beta 2
1) Update release documents.
2) Be selective about verification of the conntrack utility when
DYNAMIC_BLACKLIST=ipset,disconnect...
3) Don't require shorewall to be started for 'allow' with ipset-based
DBL.
4) Make address variables play nice with the 'clear' command.
5) Don't unconditionally enable forwarding during 'clear'.
Changes in 5.1.11 Beta 1
1) Update release documents.
2) Allow non-root to run some 'show' commands.
3) Use synchain name in log messages rather than base chain name.
4) Assume :syn for TCP CT entries in the conntrack file and HELPER.
5) Limit depth of 'find' search when AUTOMAKE=Yes.
Changes in 5.1.10.2
1) Update release documents.
2) Limit 'find' to depth 1.
3) Don't run find in an empty entry in $CONFIG_PATH
Changes in 5.1.10.1
1) Update release documents.
2) Fix Shorewall-core installer for sandbox case.
3) Make /etc and /configfiles the same.
Changes in 5.1.10 Final
1) Update release documents.
Changes in 5.1.10 RC 2
1) Update release documents.
2) Add warning re wildcard and OPTIONS.
3) Correct IPv6 Universal interfaces file.
Changes in 5.1.10 RC 1
1) Update release documents.
2) Correct ingress policing.
3) Fix Shorewall-init recompilation problem.
Changes in 5.1.10 Beta 2
1) Update release documents.
2) Allow a protocol to be associated with a regular action.
3) Remove the PSH flag from the FIN action.
Changes in 5.1.10 Beta 1
1) Update release documents.
2) Allow CONFIG_PATH setting to begin with ':' to allow dropping the
first directory by non-root.
3) Correct several typos in the manpages (Roberto Sánchez).
4) Correct typo in 'dump' processing.
5) Reset all table counters during 'reset'.
Changes in 5.1.9 Final
1) Update release documents.
2) Use logical interface names in the Sample configs.
Changes in 5.1.9 RC 1
1) Update release documents.
2) Apply W Van den Akker's OpenWRT/Lede patches.
3) Don't verify IP and SHOREWALL_SHELL paths when compiling
for export.
4) Support for Redfish remote console in macro.IPMI
Changes in 5.1.9 Beta 2
1) Update release documents.
2) Merge content from 5.1.8.
Changes in 5.1.9 Beta 1
1) Update release documents.
2) Add TCPMSS action in the mangle file.
3) Inline the Broadcast action when ADDRTYPE match is available.
4) Support logging in the snat file.
5) Add shorewall-logging(5).
Changes in 5.1.8 Final
1) Update release documents.
Changes in 5.1.8 RC 1
1) Update release documents.
2) Correct 'delete_default_routes()'.
3) Delete default routes from 'main' when a fallback provider is
successfully enabled.
4) Don't restore default route when a fallback provider is enabled.
5) Issue a warning when 'persistent' is used with
RESTORE_DEFAULT_ROUTE=Yes.
6) Don't dump SPD entries for the other address family.
Changes in 5.1.8 Beta 2
1) Update release documents.
2) Fix 'persistent' provider issues.
Changes in 5.1.8 Beta 1
1) Update release documents.
2) Treat LOG_TARGET the same as all other capabilities.
3) Allow merging of rules with IPSEC policies
Changes in 5.1.7.1
1) Update release documents.
2) Correct 'reenable' logic for persistent providers.
3) Align progress messages produced by 'reenable'.
Changes in 5.1.7 Final
1) Update release documents.
Changes in 5.1.7 RC 2
1) Update release documents.
2) Correct module loading.
3) Add DOCKER-INGRESS support.
Changes in 5.1.7 RC 1
1) Update release documents.
2) Correct handling of ipsets in the DEST column of the snat file.
3) Allow NAT rules to be passed to perl_action_helper()
4) Split NAT and ACCEPT rules in the Event actions.
5) Correct VLSM verification logic in the 'ipcalc' command.
6) Fix ADD_IP_ALIASES default.
7) Remove empty/useless .tmp files created during shorewall-init stop.
Changes in 5.1.7 Beta 2
1) Update release documents.
2) Improve dynamic gateway detection.
Changes in 5.1.7 Beta 1
1) Update release documents.
2) Simplify Module Loading (Tuomo Soini)
3) Eliminate MODULE_SUFFIX.
Changes in 5.1.6 Final
1) Update release documents.
2) Allow port variables as server port in DNAT rules.
3) Change MODULE_SUFFIX standard default to "ko ko.xz"
4) Added UDP rule to macro.RDP.
Changes in 5.1.6 RC 2
1) Update release documents.
2) Use MUTEX_TIMEOUT for ip[6]tables-restore --wait interval
Changes in 5.1.6 RC 1
1) Update release documents.
2) Make Shorewall's handling of '+' consistent with Netfilter's.
3) Verify that parent and child zones have an interface in common.
4) Allow runtime address variables as the DNAT server address.
5) Prevent IPv4 and IPv6 firewalls from starting simultaneously under
systemd.
6) Use the ip[6]-tables --wait option, if available.
Changes in 5.1.6 Beta 2
1) Update release documents.
2) Pass arguments to the enable and disable user exit functions
3) Export CONFDIR and SHAREDIR to the generated script.
4) Correct handling of combining a policy chain with a normal chain.
Changes in 5.1.6 Beta 1
1) Update release documents.
2) Apply Bernhard M. Wiedemann's patch for reproducible builds.
3) Patch configure.pl to support reproducible builds.
4) Merge content from 5.1.5.1.
Changes in 5.1.5.2
1) Update release documents.
2) Correct source port handling when BASIC_FILTERS=Yes.
3) Correct handling of USER/GROUP in the OUTPUT section of the
accounting file.
4) Correct handling of MAC addresses in the accounting file.
Changes in 5.1.5.1
1) Update release documents.
2) Process the snat file if the masq file is empty.
3) Apply Bernhard Wiedemann's configure change.
4) Make a similar change to configure.pl.
Changes in 5.1.5 Final
1) Update release documents.
2) Include IPv6 annotated config files.
3) Add RESTORE_DEFAULT_ROUTE to shorewall6.conf.
Changes in 5.1.5 RC 1
1) Update release documents.
2) USE_NFLOG_SIZE option.
3) Improve editing of port numbers/service names.
4) Add dropBcasts action.
Changes in 5.1.5 Beta 2
1) Update release documents.
2) Consolidate Shorewall/Shorewall6 manpages.
Changes in 5.1.5 Beta 1
1) Update release documents.
2) Add defect repair through 5.1.4.2.
3) Implement runtime port variables.
Changes in 5.1.4.4
1) Update release documents.
2) Correct handling of two or more fallback providers
Changes in 5.1.4.3
1) Update release documents.
2) Don't generate multihop routes unnecessarily
Changes in 5.1.4.2
1) Update release documents.
2) Correct many broken links in the manpages.
3) Correct NFQUEUE without the 'c' option.
Changes in 5.1.4.1
1) Update release documents.
2) Update shorewall-rules(5).
3) Expand LOGFORMAT documentation.
4) Restore the BLACKLIST action in Shorewall6.
Changes in 5.1.4 Final
1) Update release documents.
Changes in 5.1.4 RC 1
1) Update release documents.
2) Add PERL_HASH_SEED option.
Changes in 5.1.4 Beta 2
1) Update release documents.
2) Correct validation of string interface options.
3) Correct handling of IPv6 tunnel-src and tunnel-dst.
4) Documentation cleanup.
Changes in 5.1.4 Beta 1
1) Update release documents.
2) Unify Actions
3) Report invocation site when generating ?info and ?warning messages
4) Add IPv6 UPnP support.
5) ?reset of action variable now sets $parmsmodified.
6) Clean up column/value pair editing.
Changes in 5.1.3.1
1) Update release documents.
2) Correct typo in BLACKLIST_DEFAULT settings
3) Fix 'add+' handling.
4) Correct two-interface snat file.
Changes in 5.1.3 Final
1) Update release documents.
2) Quote 'none' AND SMURF_LOG_LEVEL in _DEFAULT settings.
3) Correct IPv6 Multicast action.
4) Tabify new actions.
5) Add Multicast to the deprecated A_Drop and A_Reject actions.
6) Correct log message from IPv6 Multicast action.
Changes in 5.1.3 RC 2
1) Update release documents.
2) Enclose _LEVEL and _DEFAULT settings in quotes during update.
3) Expand variables during .conf processing except when updating.
Changes in 5.1.3 RC 1
1) Update release documents.
2) Re-add Multicast to IPv6 samples.
3) Add dropInvalid to IPv6 samples.
Changes in 5.1.3 Beta 2
1) Update release documents.
2) Clear firewall on Debian systemd 'stop'.
3) Correct tcp-reset handling.
4) Implement PROTO=tcp:!syn.
5) Quote "$LOG_LEVEL" in shorewall[6].conf samples.
6) Modify rejNotSyn and dropNotSyn to use the two preceding changes.
7) Merge 5.1.2.2/3 fixes.
8) Quote $LOG_LEVEL in shorewall[6].conf samples.
9) 'reload' documentation corrections.
10) Set TC_ENABLED=Shared in IPv6 samples.
11) Remove Multicast from IPv6 policy actions.
Changes in 5.1.3 Beta 1
1) Update release documents.
2) Installer/uninstaller changes from Matt Darfeuille.
3) Replace determinism sorts with PERL_HASH_SEED.
4) Correct recent compiler directives WRT omitting
5) Eliminate builtin actions.
Changes in 5.1.2.1
1) Update release documents.
2) Document fix for 'show action allowinUPnP'.
3) Document fix for logging in BLACKLIST.
Changes in 5.1.2
1) Update release documents.
Changes in 5.1.2 RC 1
1) Update release documents.
2) Fix LOG_LEVEL
3) Fix allowMcast
4) Make 'show action' work (sort of) with builtin actions.
Changes in 5.1.2 Beta 2
1) Update release documents.
2) Change policy actions.
3) Fix IPv6 dropBcasts.
4) Add LOG_LEVEL option.
5) Separate broadcast and multicast handling
Changes in 5.1.2 Beta 1
1) Update release documents.
2) Implement default action lists.
3) Manpage updates.
Changes in 5.1.1 Final
1) Update release documents.
Changes in 5.1.1 RC 1
1) Update release documents.
2) Make BALANCE_PROVIDERS default the setting of USE_DEFAULT_RT.
3) Add BLACKLIST policy
4) Add BLACKLIST action
5) Implement ?REQUIRE
6) Implement 'show action <action>'
7) Implement 'section' action option
8) Embed BLACKLIST macro logic into the BLACKLIST action.
Changes in 5.1.1 Beta 2
1) Update release documents.
2) Replace USE_DEFAULT_RT=Exact with BALANCE_PROVIDERS=No.
3) Handle optional interfaces correctly in process_a_provider().
Changes in 5.1.1 Beta 1
1) Update release documents.
2) Catch routefilter/provider conflicts.
3) Set 'logmartians' along with 'routefilter'.
4) Implement USE_DEFAULT_RT=Exact.
Changes in 5.1.0.1
1) Update release documents.
2) Correct Shorewall6-lite .service file
3) Propagate PAGER setting to -lite systems.
Changes in 5.1.0 Final
1) Update release documents.
2) Ignore SUBSYSLOCK when $SERVICEDIR is non-empty
3) Correct splitting of IP(6)TABLES options.
4) Allow compact IPv6 addresses in IP6TABLES() parameters.
Changes in 5.1.0 RC 2
1) Update release documents.
2) Eliminate use of 'echo' escape sequences
3) Update kernel module files
Changes in 5.1.0 RC 1
1) Update release documents.
2) Move the action files into their own directory.
3) Add the 'show ipsec' command.
4) Remove rawpost support.
5) Add Stateful IPv6 netmapping
Changes in 5.1.0 Beta 2
1) Update release documents.
2) Fatal error on empty action file and presence of a file with
the same name as the action.
3) Use 'ip xfrm' to dump SPD and SAD
4) Create CLI symlinks
5) Correct intra-zone processing in policies.
Changes in 5.1.0 Beta 1
1) Update release documents.
2) Unify the CLI
3) Extend SOURCE/DEST syntax in the rules files
4) Remove CHAIN_SCRIPT support.
5) Avoid needless duplicate action chains.
6) Implement support for NFQUEUE CPU Fanout.
shorewall-init-5.1.12.2/logrotate 0000664 0000000 0000000 00000000125 13243347103 015322 0 ustar root root /var/log/shorewall-ifupdown.log {
missingok
notifempty
create 0600 root root
}
shorewall-init-5.1.12.2/shorewallrc.apple 0000664 0000000 0000000 00000002377 13243350236 016763 0 ustar root root #
# Apple OS X Shorewall 5.0 rc file
#
# As on the other platforms this file is executed as shell by the installer
# after PRODUCT has been set. OS X has neither SysV init scripts nor service
# files, which is why the corresponding variables are left empty.
BUILD=apple
HOST=apple
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Unused on OS X
INITFILE= #Unused on OS X
INITSOURCE= #Unused on OS X
ANNOTATED= #Unused on OS X
SERVICEDIR= #Unused on OS X
SERVICEFILE= #Unused on OS X
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/init.suse.sh 0000775 0000000 0000000 00000007415 13243347103 015670 0 ustar root root #! /bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall-init.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
#Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# Refuse to run as anyone but root (LSB status 4 = insufficient privilege):
# every verb below changes the packet filter or system state.
if [ "$(id -u)" != "0" ]
then
echo "You must be root to start, stop or restart \"Shorewall \"."
exit 4
fi
# check if shorewall-init is configured or not
# NOTE: the sysconfig file is sourced, i.e. executed as shell by root; it
# must stay a root-owned file that nobody else can write.
# Missing file or no PRODUCTS listed is "not configured" (LSB status 6).
if [ -f "/etc/sysconfig/shorewall-init" ]
then
. /etc/sysconfig/shorewall-init
if [ -z "$PRODUCTS" ]
then
echo "No PRODUCTS configured"
exit 6
fi
else
echo "/etc/sysconfig/shorewall-init not found"
exit 6
fi
#
# The installer may alter this
#
# shorewallrc supplies the installation layout (CONFDIR, SBINDIR, VARLIB,
# ...) used by setstatedir() below. It is executed as shell, so it must
# be a root-owned file.
. /usr/share/shorewall/shorewallrc
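# set the STATEDIR variable
setstatedir() # uses $PRODUCT; sets $STATEDIR; returns LSB 6 = not configured
{
    local statedir
    # No leading "/" in front of ${CONFDIR}: the old "/${CONFDIR}/..." only
    # worked because "//etc" happens to resolve like "/etc" on Linux, and it
    # was not the path the -f test just before it checked.
    local vardir="${CONFDIR}/${PRODUCT}/vardir"
    # An optional per-product vardir file can relocate the state directory.
    # It is executed as shell (by root), so only a root-owned file belongs
    # there; the subshell keeps its other assignments from leaking in here.
    if [ -f "$vardir" ]; then
        statedir=$( . "$vardir" && echo "$VARDIR" )
    fi
    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi
    # The compiled firewall script is what shorewall_start/stop run. When
    # it is missing, have the compiler generate it (shorewall/shorewall6
    # only); the compile status becomes this function's status. Quoting
    # keeps an empty PRODUCT or a path with blanks from breaking the tests.
    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    elif [ "$PRODUCT" = shorewall ]; then
        "${SBINDIR}/shorewall" compile
    elif [ "$PRODUCT" = shorewall6 ]; then
        "${SBINDIR}/shorewall" -6 compile
    else
        return 6
    fi
}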
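# Initialize the firewall
shorewall_start () {
    local PRODUCT
    local STATEDIR
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # Put the firewall into its stopped (safe) state unless it is
            # already running. Two paths were wrong here: the CLI lives in
            # $SBINDIR (nothing in this package sets $SBIN), and the compiled
            # script is "$STATEDIR/firewall" -- the file setstatedir() checks
            # and shorewall_stop() runs -- not "$STATEDIR/$PRODUCT/firewall".
            # With the old paths the safe-state step failed instead of running.
            # $OPTIONS is left unquoted: it may hold several words.
            if ! "${SBINDIR}/$PRODUCT" status > /dev/null 2>&1; then
                "${STATEDIR}/firewall" ${OPTIONS} stop
            fi
        fi
    done
    # Reload the ipsets that shorewall_stop saved, if any.
    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi
}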
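# Clear the firewall
shorewall_stop () {
    local PRODUCT
    local STATEDIR
    local tmp
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # $OPTIONS is left unquoted on purpose: it may hold several words.
            "${STATEDIR}/firewall" ${OPTIONS} clear
        fi
    done
    # Save the ipset contents so shorewall_start can restore them at the
    # next boot. The dump goes to a temp file first and only replaces the
    # previous save when it actually holds a set definition, so an empty or
    # failed dump never clobbers a good earlier one. The temp file is always
    # cleaned up (a no-op after a successful rename).
    if [ -n "$SAVE_IPSETS" ]; then
        tmp="${SAVE_IPSETS}.tmp"
        mkdir -p -- "$(dirname "$SAVE_IPSETS")"
        if ipset -S > "$tmp" && grep -qE -- '^(-N|create )' "$tmp"; then
            mv -f -- "$tmp" "$SAVE_IPSETS"
        fi
        rm -f -- "$tmp"
    fi
}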
case "$1" in
start)
shorewall_start
;;
stop)
shorewall_stop
;;
reload|forced-reload)
;;
*)
echo "Usage: /etc/init.d/shorewall-init {start|stop}"
exit 1
;;
esac
exit 0
shorewall-init-5.1.12.2/install.sh 0000775 0000000 0000000 00000036041 13243350236 015413 0 ustar root root #!/bin/sh
#
# Script to install Shoreline Firewall Init
#
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Package identity. VERSION is written to $SHAREDIR/$PRODUCT/version and its
# presence there later tells an upgrade from a first install; PRODUCT names
# the files and directories, Product is the human-readable form for messages.
VERSION=5.1.12.2
PRODUCT=shorewall-init
Product="Shorewall Init"
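usage() # $1 = exit status
{
    # Print the synopsis on stdout and leave with the requested status
    # (0 for -h, non-zero for a bad invocation). The <option> and
    # <shorewallrc file> placeholders had dropped out of the message text,
    # leaving "[ ] [ ]" and "where is one of"; they are restored here.
    local me
    me=$(basename -- "$0")
    echo "usage: $me [ <option> ] [ <shorewallrc file> ]"
    echo "where <option> is one of"
    echo " -h"
    echo " -v"
    echo " -n"
    exit "$1"
}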
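install_file() # $1 = source $2 = target $3 = mode
{
    # Copy, set the mode, then -- only when the installer controls ownership,
    # i.e. $OWNER is set -- the owner/group. Any failure aborts the install
    # with a message naming the target. Paths are quoted and given after
    # '--' so names with blanks or a leading '-' are handled whole.
    # NOTE(review): cp follows an existing symlink at the target and writes
    # through it; targets are expected to live in root-owned directories.
    if cp -f -- "$1" "$2"; then
        if chmod "$3" -- "$2"; then
            if [ -n "$OWNER" ]; then
                if chown "$OWNER:$GROUP" -- "$2"; then
                    return 0
                fi
            else
                return 0
            fi
        fi
    fi
    echo "ERROR: Failed to install $2" >&2
    exit 1
}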
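#
# Change to the directory containing this script
#
# A failed chdir must abort: every relative path below (./lib.installer,
# ./shorewallrc, the files being installed) would otherwise be resolved
# against whatever the current directory happens to be.
cd "$(dirname -- "$0")" || { echo "ERROR: Can not change to the directory containing $0" >&2; exit 1; }
#
# Source common functions
#
. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }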
#
# Parse the run line
#
# Options are single letters and may be bundled: "-nv" works because 'n'
# is stripped and the remainder re-examined. 'h' and 'v' only match when
# they are the last letter left, so "-hn" falls through to usage 1.
# configure=0 (the -n flag) is consulted later before steps that touch
# the live system (see the ETC and SBINDIR handling below).
#
finished=0
configure=1
while [ $finished -eq 0 ] ; do
option="$1"
case "$option" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
usage 0
;;
v)
echo "$Product Firewall Installer Version $VERSION"
exit 0
;;
n*)
configure=0
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
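#
# Read the RC file
#
# The rc file is executed as shell (it sets SHAREDIR, CONFDIR, ...), so it
# must be a file the administrator trusts. With no argument the lookup
# order is ./shorewallrc, ~/.shorewallrc, /usr/share/shorewall/shorewallrc.
# The path is quoted when sourced so a name with blanks still works.
if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
        file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
        file=~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
        file=/usr/share/shorewall/shorewallrc
    else
        fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
elif [ $# -eq 1 ]; then
    file=$1
    # A bare name is taken relative to this directory: given a name without
    # a slash, '.' would otherwise look for it along $PATH.
    case $file in
        /*|.*)
            ;;
        *)
            file=./$file
            ;;
    esac
else
    usage 1
fi
. "$file" || fatal_error "Can not load the RC file: $file"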
# Derive VARLIB/VARDIR from each other when the rc file set only one, then
# insist on every layout variable the rest of the install depends on.
if [ -z "${VARLIB}" ]; then
VARLIB=${VARDIR}
VARDIR=${VARLIB}/${PRODUCT}
elif [ -z "${VARDIR}" ]; then
VARDIR=${VARLIB}/${PRODUCT}
fi
for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
require $var
done
# A sandbox build (SANDBOX set in the rc file) never configures the live system.
[ -n "$SANDBOX" ] && configure=0
# Pin PATH to the standard system directories so that the cp/chmod/sed/ln
# calls below cannot be redirected through a caller-supplied PATH.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# Network hook scripts go under /etc on a live install, else under CONFDIR.
[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
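# Detect the build system unless the rc file already named it.
if [ -z "$BUILD" ]; then
    case $(uname) in
        cygwin*)
            BUILD=cygwin
            ;;
        Darwin)
            BUILD=apple
            ;;
        *)
            if [ -f /etc/os-release ]; then
                # Take only the ID= line; evaluating it as shell copes with
                # both the quoted and the bare form of the value. The file
                # is system-owned, which is what makes the eval acceptable.
                eval "$(grep '^ID=' /etc/os-release)"
                case "$ID" in
                    fedora|rhel|centos|foobar)
                        # NOTE(review): "foobar" is no distribution ID; it looks
                        # like a leftover test value and is kept only so that
                        # behaviour does not change.
                        BUILD=redhat
                        ;;
                    debian|ubuntu)
                        BUILD=debian
                        ;;
                    opensuse)
                        BUILD=suse
                        ;;
                    *)
                        BUILD="$ID"
                        ;;
                esac
            # Older release-file conventions, checked in the same order as before.
            elif [ -f /etc/debian_version ]; then
                BUILD=debian
            elif [ -f /etc/ubuntu_version ]; then
                BUILD=debian
            elif [ -f /etc/gentoo-release ]; then
                BUILD=gentoo
            elif [ -f /etc/redhat-release ]; then
                BUILD=redhat
            elif [ -f /etc/SuSE-release ]; then
                BUILD=suse
            elif [ -f /etc/slackware-version ] ; then
                BUILD=slackware
            elif [ -f /etc/arch-release ] ; then
                BUILD=archlinux
            elif [ -f "${CONFDIR}/openwrt_release" ]; then
                BUILD=openwrt
            else
                BUILD=linux
            fi
            ;;
    esac
fi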
# Decide which owner/group installed files get. On Cygwin files belong to
# whoever runs the installer; elsewhere ownership is only forced when the
# installer runs as root (Apple: root:wheel, others: root:root) and the rc
# file did not set OWNER/GROUP itself. OWNERSHIP is the "owner:group" string
# the lib.installer helpers use; it stays empty when ownership is left alone.
case $BUILD in
    apple)
        : "${OWNER:=root}"
        : "${GROUP:=wheel}"
        ;;
    cygwin*|CYGWIN*)
        OWNER=$(id -un)
        GROUP=$(id -gn)
        ;;
    *)
        if [ "$(id -u)" -eq 0 ]; then
            : "${OWNER:=root}"
            : "${GROUP:=root}"
        fi
        ;;
esac
if [ -n "$OWNER" ]; then
    OWNERSHIP="$OWNER:$GROUP"
fi
# HOST is the distribution the files are installed for; it defaults to the
# build host. Only the distributions listed here are supported: Slackware
# and Arch are rejected explicitly, the generic "linux" fallback and any
# unrecognised value are fatal.
[ -n "$HOST" ] || HOST=$BUILD
case "$HOST" in
debian)
echo "Installing Debian-specific configuration..."
;;
gentoo)
echo "Installing Gentoo-specific configuration..."
;;
redhat)
echo "Installing Redhat/Fedora-specific configuration..."
;;
slackware)
echo "Shorewall-init is currently not supported on Slackware" >&2
exit 1
;;
archlinux)
echo "Shorewall-init is currently not supported on Arch Linux" >&2
exit 1
;;
suse)
echo "Installing SuSE-specific configuration..."
;;
openwrt)
echo "Installing Openwrt-specific configuration..."
;;
linux)
fatal_error "Shorewall-init is not supported on this system"
;;
*)
fatal_error "Unsupported HOST distribution: \"$HOST\""
;;
esac
# TARGET defaults to the host distribution. A DESTDIR (staging) install by
# a non-root user cannot set owner/group, so ownership is switched off for
# it; the init directory is pre-created inside the staging tree either way.
[ -n "$TARGET" ] || TARGET=$HOST
if [ -n "$DESTDIR" ]; then
    if [ "$(id -u)" != 0 ]; then
        echo "Not setting file owner/group permissions, not running as root."
        OWNERSHIP=""
    fi
    make_parent_directory "${DESTDIR}${INITDIR}" 0755
fi
echo "Installing $Product Version $VERSION"
#
# A version file left behind by an earlier install marks this run as an
# upgrade; its absence marks a first install.
#
if [ -f "${DESTDIR}${SHAREDIR}/$PRODUCT/version" ]; then
    first_install=""
else
    first_install="Yes"
fi
# Staging installs need the logrotate directory created up front.
if [ -n "$DESTDIR" ]; then
    make_parent_directory "${DESTDIR}${CONFDIR}/logrotate.d" 0755
fi
#
# Install the Firewall Script
#
if [ -n "$INITFILE" ]; then
make_parent_directory ${DESTDIR}${INITDIR} 0755
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
if [ -n "${AUXINITSOURCE}" ]; then
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
fi
echo "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
fi
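#
# Install the .service file
#
# SERVICEDIR defaults to SYSTEMD (from shorewallrc). When neither is set the
# target does not use systemd and neither the unit nor the CLI wrapper is
# installed.
#
if [ -z "${SERVICEDIR}" ]; then
    SERVICEDIR="$SYSTEMD"
fi

if [ -n "$SERVICEDIR" ]; then
    make_parent_directory "${DESTDIR}${SERVICEDIR}" 0755
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
    install_file "$SERVICEFILE" "${DESTDIR}${SERVICEDIR}/$PRODUCT.service" 0644
    #
    # Rewrite the hard-coded /sbin path when SBINDIR differs. Direct sed
    # instead of 'eval sed': SBINDIR is substituted as data only.
    #
    [ "${SBINDIR}" != /sbin ] && sed -i "s|/sbin/|${SBINDIR}/|" "${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
    #
    # The CLI wrapper that the unit invokes
    #
    if [ -n "$DESTDIR" ] || [ "$configure" -eq 0 ]; then
        make_parent_directory "${DESTDIR}${SBINDIR}" 0755
    fi
    install_file "$PRODUCT" "${DESTDIR}${SBINDIR}/$PRODUCT" 0700
    [ "${SHAREDIR}" = /usr/share ] || sed -i "s|/usr/share/|${SHAREDIR}/|" "${DESTDIR}${SBINDIR}/$PRODUCT"
    echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
fi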
#
# Create /usr/share/shorewall-init if needed
#
make_parent_directory "${DESTDIR}${SHAREDIR}/$PRODUCT" 0755

#
# Install logrotate file, but only where the target has a logrotate.d
#
if [ -d "${DESTDIR}${CONFDIR}/logrotate.d" ]; then
    install_file logrotate "${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT" 0644
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
fi

#
# Create the version file; its presence tells a later run that the product
# is already installed
#
echo "$VERSION" > "${DESTDIR}${SHAREDIR}/$PRODUCT/version"
chmod 0644 "${DESTDIR}${SHAREDIR}/$PRODUCT/version"

#
# Remove and create the symbolic link to the init script (live installs only)
#
if [ -z "$DESTDIR" ]; then
    rm -f "${SHAREDIR}/$PRODUCT/init"
    ln -s "${INITDIR}/${INITFILE}" "${SHAREDIR}/$PRODUCT/init"
fi
#
# Per-distribution hook directories and the sysconfig file. IFUPDOWN ends up
# naming the distribution-specific ifupdown source that is installed next.
#
if [ "$HOST" = debian ]; then
    #
    # Debian keeps the if-*.d hook directories under /etc/network
    #
    if [ -n "${DESTDIR}" ]; then
        for directory in if-up.d if-down.d if-post-down.d; do
            make_parent_directory ${DESTDIR}${ETC}/network/$directory 0755
        done
    elif [ $configure -eq 0 ]; then
        for directory in if-up.d if-down.d if-post-down.d; do
            make_parent_directory ${DESTDIR}${CONFDIR}/network/$directory 0755
        done
    fi

    # Never overwrite an existing /etc/default file
    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
        [ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
        [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
        install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
        echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    IFUPDOWN=ifupdown.debian.sh
else
    if [ -n "$DESTDIR" ]; then
        make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755

        # RPM builds create these directories themselves
        if [ -z "$RPM" ]; then
            case $HOST in
                suse)
                    for directory in if-up.d if-down.d; do
                        make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/$directory 0755
                    done
                    ;;
                gentoo|openwrt)
                    # Gentoo does not support if-{up,down}.d; not implemented on OpenWRT
                    /bin/true
                    ;;
                *)
                    make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
                    ;;
            esac
        fi
    fi

    # Never overwrite an existing sysconfig file
    if [ -n "$SYSCONFFILE" ] && [ ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
        install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
        echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
    fi

    if [ "$HOST" = suse ]; then
        IFUPDOWN=ifupdown.suse.sh
    else
        IFUPDOWN=ifupdown.fedora.sh
    fi
fi
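#
# Install the ifupdown script
#
# The distribution-specific source is copied to a working file named
# 'ifupdown' first so the SHAREDIR rewrite never modifies the shipped copy.
#
if [ "$HOST" != openwrt ]; then
    cp "$IFUPDOWN" ifupdown
    # Direct sed instead of 'eval sed': SHAREDIR is substituted as data only,
    # never re-parsed as shell code.
    [ "${SHAREDIR}" = /usr/share ] || sed -i "s|/usr/share/|${SHAREDIR}/|" ifupdown
    make_parent_directory "${DESTDIR}${LIBEXECDIR}/$PRODUCT" 0755
    install_file ifupdown "${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown" 0544
fi

#
# NetworkManager dispatcher hook, when NetworkManager is present on the target.
# NOTE(review): the presence test uses a literal /etc while the install path
# uses ${ETC}; they agree only when ETC=/etc -- confirm before changing either.
#
if [ -d "${DESTDIR}/etc/NetworkManager" ]; then
    [ "$configure" -eq 1 ] || make_parent_directory "${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d" 0755
    install_file ifupdown "${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall" 0544
fi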
#
# Place the ifupdown hook where each distribution's network scripts run it
#
case "$HOST" in
    debian)
        # configure=1 populates the live /etc/network hooks; a package build
        # puts them under CONFDIR instead
        if [ $configure -eq 1 ]; then
            for directory in if-up.d if-down.d if-post-down.d; do
                install_file ifupdown "${DESTDIR}/etc/network/$directory/shorewall" 0544
            done
        else
            for directory in if-up.d if-down.d if-post-down.d; do
                install_file ifupdown "${DESTDIR}${CONFDIR}/network/$directory/shorewall" 0544
            done
        fi
        ;;
    suse)
        if [ -z "$RPM" ]; then
            if [ $configure -eq 0 ]; then
                for directory in if-up.d if-down.d; do
                    make_parent_directory "${DESTDIR}${SYSCONFDIR}/network/$directory" 0755
                done
            fi
            for directory in if-up.d if-down.d; do
                install_file ifupdown "${DESTDIR}${SYSCONFDIR}/network/$directory/shorewall" 0544
            done
        fi
        ;;
    redhat)
        # Live installs only: ifup-local/ifdown-local are shared system files,
        # so they are only (over)written when absent or already ours
        if [ -z "$DESTDIR" ]; then
            if [ -f "${SBINDIR}/ifup-local" ] || [ -f "${SBINDIR}/ifdown-local" ]; then
                if grep -qF Shorewall-based "${SBINDIR}/ifup-local" && grep -qF Shorewall-based "${SBINDIR}/ifdown-local"; then
                    install_local=Yes
                else
                    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
                    install_local=
                fi
            else
                install_local=Yes
            fi

            if [ -n "$install_local" ]; then
                install_file ifupdown "${DESTDIR}${SBINDIR}/ifup-local" 0544
                install_file ifupdown "${DESTDIR}${SBINDIR}/ifdown-local" 0544
            fi
        fi
        ;;
esac
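#
# Enable the service at boot. Done only on a first install (so an
# administrator who disabled it keeps that choice across upgrades) and only
# when 'configure' was requested.
#
if [ -z "$DESTDIR" ]; then
    # Fix: the original tested the literal string "first_install", which is
    # always non-empty, so every upgrade re-enabled the service. Test the
    # variable, as the DESTDIR branch below already did.
    if [ "$configure" -eq 1 ] && [ -n "$first_install" ]; then
        if [ "$HOST" = debian ]; then
            if [ -n "$SERVICEDIR" ]; then
                if systemctl enable "${PRODUCT}.service"; then
                    echo "$Product will start automatically at boot"
                fi
            elif mywhich insserv; then
                if insserv "${INITDIR}/$PRODUCT"; then
                    echo "$Product will start automatically at boot"
                else
                    cant_autostart
                fi
            elif mywhich update-rc.d; then
                if update-rc.d "$PRODUCT" enable; then
                    echo "$Product will start automatically at boot"
                    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
                else
                    cant_autostart
                fi
            else
                cant_autostart
            fi
        elif [ "$HOST" = openwrt ] && [ -f "${CONFDIR}/rc.common" ]; then
            "/etc/init.d/$PRODUCT" enable
            if "/etc/init.d/$PRODUCT" enabled; then
                echo "$Product will start automatically at boot"
            else
                cant_autostart
            fi
        elif [ "$HOST" = gentoo ]; then
            # On Gentoo, a service must be enabled manually by the user,
            # not by the installer
            /bin/true
        else
            if [ -n "$SERVICEDIR" ]; then
                if systemctl enable "${PRODUCT}.service"; then
                    echo "$Product will start automatically at boot"
                fi
            elif [ -x "${SBINDIR}/insserv" ] || [ -x "/usr${SBINDIR}/insserv" ]; then
                if insserv "${INITDIR}/$PRODUCT"; then
                    echo "$Product will start automatically at boot"
                else
                    cant_autostart
                fi
            elif [ -x "${SBINDIR}/chkconfig" ] || [ -x "/usr${SBINDIR}/chkconfig" ]; then
                if chkconfig --add "$PRODUCT"; then
                    echo "$Product will start automatically at boot"
                    chkconfig --list "$PRODUCT"
                else
                    cant_autostart
                fi
            elif [ -x "${SBINDIR}/rc-update" ]; then
                if rc-update add "$PRODUCT" default; then
                    echo "$Product will start automatically at boot"
                else
                    cant_autostart
                fi
            else
                # A further "openwrt with rc.common" test used to sit here; it
                # was unreachable because that case is handled above, so the
                # only remaining outcome is no known enable mechanism.
                cant_autostart
            fi
        fi
    fi
else
    #
    # Staged install: pre-create the SysV rcS.d link. DESTDIR is non-empty
    # here by construction, and CONFDIR is used consistently for both the
    # directory and the link (the original created /etc/rcS.d but linked into
    # ${CONFDIR}/rcS.d).
    #
    if [ "$configure" -eq 1 ] && [ -n "$first_install" ]; then
        if [ "$HOST" = debian ] && [ -z "$SERVICEDIR" ]; then
            make_parent_directory "${DESTDIR}${CONFDIR}/rcS.d" 0755
            ln -sf "../init.d/$PRODUCT" "${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}"
            echo "$Product will start automatically at boot"
        fi
    fi
fi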
#
# Give the invoking user a shorewallrc copy when there is none.
# NOTE(review): this copies into the current directory, not into ~ where the
# existence test looks -- confirm that is intended.
#
if [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ]; then
    cp "${SHAREDIR}/shorewall/shorewallrc" .
fi

#
# ppp hooks, when pppd is installed on the target
#
if [ -d "${DESTDIR}/etc/ppp" ]; then
    case "$HOST" in
        debian|suse)
            for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
                # SuSE doesn't create the IPv6 directories
                make_parent_directory "${DESTDIR}/etc/ppp/$directory" 0755
                cp -fp "${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown" "${DESTDIR}${CONFDIR}/ppp/$directory/shorewall"
            done
            ;;
        redhat)
            #
            # Must use the dreaded ip_xxx.local file. Overwrite only when the
            # file is absent or is already ours; stop at the first foreign one.
            #
            for file in ip-up.local ip-down.local; do
                FILE=${DESTDIR}/etc/ppp/$file
                if [ ! -f "$FILE" ] || grep -qF Shorewall-based "$FILE"; then
                    cp -fp "${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown" "$FILE"
                else
                    echo "$FILE already exists -- ppp devices will not be handled"
                    break
                fi
            done
            ;;
    esac
fi

#
# Report Success
#
echo "shorewall Init Version $VERSION Installed"
shorewall-init-5.1.12.2/shorewall-init 0000664 0000000 0000000 00000006037 13243347103 016273 0 ustar root root #!/bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
#
# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called
# /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the license or,
# at your option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
###############################################################################
# set the STATEDIR variable
# Resolve STATEDIR for $PRODUCT and ensure a compiled firewall script exists
# there. Reads CONFDIR, PRODUCT, VARLIB and SBINDIR; sets STATEDIR globally
# (callers use it). Returns 0 when the script is present, otherwise the
# status of the compile (0 for products with no compile step here).
setstatedir() {
    local statedir

    # ${CONFDIR}/${PRODUCT}/vardir may override the default location. It is
    # executed as shell, so it must only be writable by root.
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
        statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=${statedir}
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    # Nothing to do when the compiled script is already there
    [ -x ${STATEDIR}/firewall ] && return 0

    case $PRODUCT in
        shorewall)
            ${SBINDIR}/shorewall compile
            ;;
        shorewall6)
            ${SBINDIR}/shorewall -6 compile
            ;;
    esac
}
#
# This is modified by the installer when ${SHAREDIR} <> /usr/share
#
. /usr/share/shorewall/shorewallrc

#
# check if shorewall-init is configured or not; the sysconfig file is
# executed as shell, so it has to exist and must name at least one product
#
if [ ! -f "$SYSCONFDIR/shorewall-init" ]; then
    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
fi

. "$SYSCONFDIR/shorewall-init"

if [ -z "$PRODUCTS" ]; then
    echo "ERROR: No products configured" >&2
    exit 1
fi
# Initialize the firewall: put each configured product into its 'stopped'
# state early in boot (only when it is not already running), then reload any
# ipsets saved by shorewall_stop. Always returns 0.
shorewall_start () {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        setstatedir || continue
        #
        # Run in a sub-shell to avoid name collisions
        #
        (
            ${STATEDIR}/firewall status > /dev/null 2>&1 || ${STATEDIR}/firewall ${OPTIONS} stop
        )
    done

    # Restore the ipsets saved at shutdown, if a save file was configured
    [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ] && ipset -R < "$SAVE_IPSETS"

    return 0
}
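# Clear the firewall: run 'clear' for each configured product, then save the
# current ipsets to SAVE_IPSETS when configured. Always returns 0.
shorewall_stop () {
    local PRODUCT
    local STATEDIR

    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            ${STATEDIR}/firewall ${OPTIONS} clear
        fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
        # Quoted: a SAVE_IPSETS path with whitespace was previously word-split
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        #
        # Dump to a temporary file and only move it into place when it holds
        # at least one set definition, so a failed or empty dump never
        # replaces a good save file.
        #
        if ipset -S > "${SAVE_IPSETS}.tmp" && grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp"; then
            mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
        else
            rm -f "${SAVE_IPSETS}.tmp"
        fi
    fi

    return 0
}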
#
# Command dispatch: only start and stop are supported
#
case "$1" in
    start)
        shorewall_start
        ;;
    stop)
        shorewall_stop
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

exit 0
shorewall-init-5.1.12.2/ifupdown.suse.sh 0000664 0000000 0000000 00000005546 13243347103 016560 0 ustar root root #!/bin/sh
#
# SuSE ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Resolve STATEDIR for $PRODUCT and compile the firewall script if it is
# missing. Reads CONFDIR, PRODUCT, VARLIB and SBINDIR; sets STATEDIR globally.
# ('local' is not POSIX but is accepted by the usual /bin/sh implementations.)
setstatedir() {
    local statedir

    # ${CONFDIR}/${PRODUCT}/vardir may override the default location; it is
    # executed as shell, so it must only be writable by root.
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
        statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=${statedir}
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    # Compile only when no executable firewall script exists yet
    [ -x $STATEDIR/firewall ] && return

    case $PRODUCT in
        shorewall)
            ${SBINDIR}/shorewall compile
            ;;
        shorewall6)
            ${SBINDIR}/shorewall -6 compile
            ;;
    esac
}
# Called when this script runs as a ppp hook. Narrows PRODUCTS to the IPv4
# products for /etc/ppp/ip-* and the IPv6 products for /etc/ppp/ipv6-*, sets
# INTERFACE from $1 and COMMAND from the up/down directory in $0. Exits 0
# when $0 is not a ppp hook path at all.
SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"

    case $0 in
        /etc/ppp/ip-*)
            ppp_family=4
            ;;
        /etc/ppp/ipv6-*)
            ppp_family=6
            ;;
        *)
            exit 0
            ;;
    esac

    for product in $PRODUCTS; do
        case ${ppp_family}:${product} in
            4:shorewall|4:shorewall-lite|6:shorewall6|6:shorewall6-lite)
                NEWPRODUCTS="$NEWPRODUCTS $product"
                ;;
        esac
    done

    PRODUCTS="$NEWPRODUCTS"

    case $0 in
        *up/*)
            COMMAND=up
            ;;
        *)
            COMMAND=down
            ;;
    esac
}
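IFUPDOWN=0
PRODUCTS=

#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

#
# The sysconfig file is executed as shell; it must be writable by root only
#
if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
fi

# Nothing to do unless the hook is enabled and at least one product is listed
[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0

PHASE=''

case $0 in
    /etc/ppp*)
        #
        # SUSE ppp: pass the hook's first argument through -- SuSE_ppp reads
        # INTERFACE from its own $1 and was previously called with no arguments
        #
        SuSE_ppp "$1"
        ;;
    *)
        #
        # SuSE ifupdown system
        #
        INTERFACE="$2"

        case $0 in
            *dispatcher.d*)
                INTERFACE="$1"
                COMMAND="$2"
                ;;
            *if-up.d*)
                COMMAND=up
                ;;
            *if-down.d*)
                COMMAND=down
                ;;
            *)
                exit 0
                ;;
        esac
        ;;
esac

[ -n "$LOGFILE" ] || LOGFILE=/dev/null

for PRODUCT in $PRODUCTS; do
    setstatedir
    #
    # Use the directory setstatedir resolved (it honours a vardir override);
    # the original looked in $VARLIB/$PRODUCT and so ignored that override.
    # The sub-shell keeps a failing hook from failing the ifup/ifdown run, and
    # the caller-supplied interface name is passed as a single argument.
    #
    if [ -x "${STATEDIR}/firewall" ]; then
        ( "${STATEDIR}/firewall" -V0 "$COMMAND" "$INTERFACE" >> "$LOGFILE" 2>&1 ) || true
    fi
done

exit 0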
shorewall-init-5.1.12.2/sysconfig 0000664 0000000 0000000 00000001127 13243347103 015331 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# Sample: PRODUCTS="shorewall shorewall6"
#
# This file is executed as shell by the shorewall-init script and by the
# ifupdown hook, so it must only be writable by root.
#
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events. The hook exits
# immediately unless IFUPDOWN=1 and PRODUCTS is non-empty.
#
IFUPDOWN=0
#
# Set this to the name of the file that is to hold
# ipset contents. Shorewall-init will load those ipsets
# during 'start' and will save them there during 'stop'.
# The save is written to "<SAVE_IPSETS>.tmp" first and only
# renamed into place when it contains set definitions.
#
SAVE_IPSETS=""
#
# Where Up/Down events get logged (the firewall script's
# output is appended here; empty means /dev/null)
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting).
# Passed unquoted to the compiled firewall script on start/stop.
OPTIONS="-V0"
shorewall-init-5.1.12.2/shorewallrc.debian.sysvinit 0000664 0000000 0000000 00000003532 13243350236 020765 0 ustar root root #
# Debian Shorewall 5.0 rc file
#
# Executed as shell by the installed init script and ifupdown hook (they
# source ${SHAREDIR}/shorewall/shorewallrc), so every line below is a shell
# assignment; keep the file writable by root only.
#
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script (PRODUCT is expected to be set before this file is sourced)
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFFILE=default.debian.sysvinit #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only); the installer falls back to $SYSTEMD when empty
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/COPYING 0000664 0000000 0000000 00000043135 13243347103 014442 0 ustar root root GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
Copyright (C) 19yy
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
shorewall-init-5.1.12.2/init.sh 0000775 0000000 0000000 00000006721 13243347103 014711 0 ustar root root #! /bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
#
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see http://www.gnu.org/licenses/.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# chkconfig: - 09 91
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-start: $local_fs
# Required-stop: $local_fs
# Default-Start: 2 3 5
# Default-Stop: 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
# Only root can change netfilter state; refuse early with the same message
# and exit status as before.
if [ "$(id -u)" != "0" ]; then
  echo "You must be root to start, stop or restart \"Shorewall \"."
  exit 1
fi
# Without a sysconfig file, or with an empty PRODUCTS list in it, there is
# nothing to initialise: leave quietly with success.
# The file is sourced, i.e. executed as shell code by root, so it must stay
# writable only by root (the RPM installs it 0644 root:root).
[ -f "/etc/sysconfig/shorewall-init" ] || exit 0
. /etc/sysconfig/shorewall-init
[ -n "$PRODUCTS" ] || exit 0
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
# Locate the current PRODUCT's statedir
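#######################################
# Locate the current PRODUCT's state directory and make sure a compiled
# firewall script exists there.
# Globals:   CONFDIR, PRODUCT, VARLIB, SBINDIR, OPTIONS (read)
#            STATEDIR (written)
# Returns:   0 when ${STATEDIR}/firewall is executable; for shorewall and
#            shorewall6 the status of the compile attempted otherwise;
#            1 for any other product that has no compiled script.
#######################################
setstatedir() {
  local statedir
  local vardir="${CONFDIR}/${PRODUCT}/vardir"
  # The optional vardir file may override VARDIR. It is sourced (executed)
  # by root in a sub-shell, so it must only be writable by root.
  # The original prefixed the path with a stray "/", which only worked
  # because CONFDIR is absolute; the path is now used as given.
  if [ -f "$vardir" ]; then
    statedir=$( . "$vardir" && echo "$VARDIR" )
  fi
  if [ -n "$statedir" ]; then
    STATEDIR=$statedir
  else
    STATEDIR=${VARLIB}/${PRODUCT}
  fi
  if [ -x "${STATEDIR}/firewall" ]; then
    return 0
  elif [ "$PRODUCT" = shorewall ] || [ "$PRODUCT" = shorewall6 ]; then
    # No compiled script yet: ask the product to compile one into place.
    # OPTIONS is deliberately unquoted so it can carry several words.
    ${SBINDIR}/$PRODUCT ${OPTIONS} compile "$STATEDIR/firewall"
  else
    return 1
  fi
}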
# Initialize the firewall
#######################################
# Initialize the firewall: put every configured product into its "stopped"
# (safe) state unless it reports that it is already running, then restore
# any saved ipsets.
# Globals:   PRODUCTS, SBIN, OPTIONS, SAVE_IPSETS (read)
#            STATEDIR (set per product by setstatedir)
# Returns:   always 0
#######################################
shorewall_start () {
  local PRODUCT
  local STATEDIR
  printf "Initializing \"Shorewall-based firewalls\": "
  # PRODUCTS is a whitespace-separated list and is split on purpose.
  for PRODUCT in $PRODUCTS; do
    setstatedir || continue
    # NOTE(review): SBIN is not set anywhere in this file; shorewallrc
    # provides SBINDIR (used by setstatedir). If SBIN is unset this status
    # check always fails and the firewall is stopped unconditionally --
    # confirm whether that is the intent.
    ${SBIN}/$PRODUCT status > /dev/null 2>&1 && continue
    ${STATEDIR}/firewall ${OPTIONS} stop
  done
  # The save file (written by "stop") is fed to ipset as root, so the
  # directory it lives in must not be writable by unprivileged users.
  if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
    ipset -R < "$SAVE_IPSETS"
  fi
  return 0
}
# Clear the firewall
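#######################################
# Clear the firewall: put every configured product into its "clear" state,
# then save the current ipsets so that "start" can restore them.
# Globals:   PRODUCTS, OPTIONS, SAVE_IPSETS (read)
#            STATEDIR (set per product by setstatedir)
# Returns:   always 0
#######################################
shorewall_stop () {
  local PRODUCT
  local STATEDIR
  local tmp
  printf "Clearing \"Shorewall-based firewalls\": "
  # PRODUCTS is a whitespace-separated list and is split on purpose.
  for PRODUCT in $PRODUCTS; do
    if setstatedir; then
      ${STATEDIR}/firewall ${OPTIONS} clear
    fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
    tmp="${SAVE_IPSETS}.tmp"
    # The command substitution is now quoted so a directory name with
    # spaces is not split.
    mkdir -p "$(dirname "$SAVE_IPSETS")"
    # Dump into a sibling temp file first and only replace the save file
    # when the dump contains at least one set definition, so a failed or
    # empty dump never clobbers a good save. The temp name is predictable,
    # so SAVE_IPSETS must live in a directory only root can write to.
    if ipset -S > "$tmp" && grep -qE -- '^(-N|create )' "$tmp"; then
      mv -f "$tmp" "$SAVE_IPSETS" || rm -f "$tmp"
    else
      rm -f "$tmp"
    fi
  fi
  return 0
}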
# Dispatch on the init action; anything but start/stop is a usage error.
case "$1" in
  start) shorewall_start ;;
  stop)  shorewall_stop ;;
  *)
    echo "Usage: /etc/init.d/shorewall-init {start|stop}"
    exit 1
    ;;
esac
exit 0
shorewall-init-5.1.12.2/uninstall.sh 0000775 0000000 0000000 00000012410 13243350236 015750 0 ustar root root #!/bin/sh
#
# Script to uninstall Shoreline Firewall Init
#
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see http://www.gnu.org/licenses/.
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
# Product identity used in messages. VERSION is the version this
# uninstaller was shipped with; it is replaced later by the installed
# version when the two differ.
Product="Shorewall Init"
PRODUCT=shorewall-init
VERSION=5.1.12.2
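#######################################
# Print the command synopsis to stdout and exit.
# Globals:   ME (written: this script's basename)
# Arguments: $1 - exit status; defaults to 1 (usage error) when omitted,
#            where the original would have exited with echo's status (0).
#######################################
usage() # $1 = exit status
{
  ME=$(basename "$0")
  # NOTE(review): the option and file placeholders in the synopsis below
  # appear to have been lost (probably angle-bracketed text stripped on
  # extraction); the wording is kept as found.
  echo "usage: $ME [ ] [ ]"
  echo "where is one of"
  echo " -h"
  echo " -v"
  echo " -n"
  exit "${1:-1}"
}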
#
# Change to the directory containing this script
#
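#
# Change to the directory containing this script, so the library and an
# optional ./shorewallrc are found relative to it. $0 is quoted (a path with
# spaces was split before) and a failed cd aborts instead of sourcing
# whatever lib.uninstaller the current directory happens to hold.
#
cd "$(dirname "$0")" || { echo "ERROR: Can not change to the directory containing $0." >&2; exit 1; }
#
# Source common functions
#
. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }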
#
# Parse the run line
#
#
# Parse the run line: each leading "-" word is a cluster of single-letter
# options (h, v, n); the first word that does not start with "-" ends
# parsing and stays in $1 for the RC-file step below.
#
finished=0
configure=1
while [ $finished -eq 0 ]; do
  option=$1
  case "$option" in
    -*)
      # Consume the cluster one letter at a time (e.g. "-nv").
      option=${option#-}
      while [ -n "$option" ]; do
        case $option in
          h) usage 0 ;;
          v)
            echo "$Product Firewall Installer Version $VERSION"
            exit 0
            ;;
          n*)
            configure=0
            option=${option#n}
            ;;
          *) usage 1 ;;
        esac
      done
      shift
      ;;
    *) finished=1 ;;
  esac
done
#
# Read the RC file
#
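#
# Read the RC file. With no argument, try ./shorewallrc, ~/.shorewallrc and
# the system copy in turn; with one argument, source that file. The RC file
# is executed as shell code with this script's privileges, so only point it
# at a file you control.
#
if [ $# -eq 0 ]; then
  if [ -f ./shorewallrc ]; then
    . ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
  elif [ -f ~/.shorewallrc ]; then
    . ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
  elif [ -f /usr/share/shorewall/shorewallrc ]; then
    . /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
  else
    fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
  fi
elif [ $# -eq 1 ]; then
  file=$1
  # A bare name is made explicitly relative: "." searches PATH for a name
  # without a slash, which is not what the user meant.
  case $file in
    /*|.*)
      ;;
    *)
      file=./$file
      ;;
  esac
  . "$file" || fatal_error "Can not load the RC file: $file"
else
  usage 1
fi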
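#
# Compare the installed version with this uninstaller's version and warn
# when they differ; the installed version wins so later messages are
# accurate. If nothing is installed VERSION is blanked.
#
if [ -f "${SHAREDIR}/$PRODUCT/version" ]; then
  INSTALLED_VERSION="$(cat "${SHAREDIR}/$PRODUCT/version")"
  if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
    echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
    echo " and this is the $VERSION uninstaller."
    VERSION="$INSTALLED_VERSION"
  fi
else
  echo "WARNING: $Product Version $VERSION is not installed"
  VERSION=""
fi
echo "Uninstalling $Product $VERSION"
# In a sandbox build never touch the host's service registration.
[ -n "$SANDBOX" ] && configure=0
# Default LIBEXEC to SHAREDIR.
# NOTE(review): nothing later in this script reads LIBEXEC -- the libexec
# directory removal uses LIBEXECDIR from the RC file -- so this may be a
# leftover; confirm before removing it.
[ -n "${LIBEXEC:=${SHAREDIR}}" ]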
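#
# Remove the command, the SysV init script (deregistering it first unless
# -n or SANDBOX disabled configuration), the systemd unit and the
# ifup-local/ifdown-local hooks.
#
remove_file "${SBINDIR}/$PRODUCT"
FIREWALL=${CONFDIR}/init.d/$PRODUCT
if [ -f "$FIREWALL" ]; then
  if [ $configure -eq 1 ]; then
    # HOST is quoted: with HOST unset the unquoted test was a syntax error
    # ("[ = openwrt ]") rather than simply false.
    if [ "$HOST" = openwrt ]; then
      if /etc/init.d/$PRODUCT enabled; then
        /etc/init.d/$PRODUCT disable
      fi
    elif mywhich insserv; then
      insserv -r "$FIREWALL"
    elif mywhich update-rc.d; then
      update-rc.d ${PRODUCT} remove
    elif mywhich chkconfig; then
      chkconfig --del "$(basename "$FIREWALL")"
    fi
  fi
  remove_file "$FIREWALL"
fi
[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
if [ -n "$SERVICEDIR" ]; then
  [ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
  remove_file "$SERVICEDIR/${PRODUCT}.service"
fi
# The hooks are removed only when they are symlinks whose target is exactly
# ${SHAREDIR}/$PRODUCT, so a locally written ifup-local is left alone.
# NOTE(review): a link to a file *inside* that directory would not match;
# confirm against what install.sh creates.
# OpenWrt gets the plain readlink form, presumably because its busybox
# readlink lacks -m.
if [ "$HOST" = openwrt ]; then
  [ "$(readlink -q "${SBINDIR}/ifup-local")" = "${SHAREDIR}/$PRODUCT" ] && remove_file "${SBINDIR}/ifup-local"
  [ "$(readlink -q "${SBINDIR}/ifdown-local")" = "${SHAREDIR}/$PRODUCT" ] && remove_file "${SBINDIR}/ifdown-local"
else
  [ "$(readlink -m -q "${SBINDIR}/ifup-local")" = "${SHAREDIR}/$PRODUCT" ] && remove_file "${SBINDIR}/ifup-local"
  [ "$(readlink -m -q "${SBINDIR}/ifdown-local")" = "${SHAREDIR}/$PRODUCT" ] && remove_file "${SBINDIR}/ifdown-local"
fi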
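#
# Remove the per-distribution hook scripts and configuration fragments.
# Where a locally written file could share the name (the ppp *.local
# scripts) removal is guarded by a content check.
#
remove_file "${CONFDIR}/default/$PRODUCT"
remove_file "${CONFDIR}/sysconfig/$PRODUCT"
remove_file "${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall"
remove_file "${CONFDIR}/network/if-up.d/shorewall"
remove_file "${CONFDIR}/network/if-down.d/shorewall"
remove_file "${CONFDIR}/network/if-post-down.d/shorewall"
remove_file "${CONFDIR}/sysconfig/network/if-up.d/shorewall"
remove_file "${CONFDIR}/sysconfig/network/if-down.d/shorewall"
if [ -d "${CONFDIR}/ppp" ]; then
  for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
    remove_file "${CONFDIR}/ppp/$directory/shorewall"
  done
  # Bug fix: the loop variable is "file" but the body tested "$FILE"
  # (never set), so the grep ran against the ppp directory and these hooks
  # were never removed.
  # NOTE(review): the RPM scriptlets in shorewall-init.spec install and
  # remove /etc/ppp/ip-up.local and ip-down.local; the names used here
  # (if-up.local, if-down.local) differ -- confirm against install.sh.
  for file in if-up.local if-down.local; do
    if [ -f "${CONFDIR}/ppp/$file" ] && grep -qF Shorewall-based "${CONFDIR}/ppp/$file"; then
      remove_file "${CONFDIR}/ppp/$file"
    fi
  done
fi
# These are recursive removals run as root: refuse to proceed when SHAREDIR
# is unset rather than operating on "/$PRODUCT".
remove_directory "${SHAREDIR:?SHAREDIR is not set by the RC file}/$PRODUCT"
# LIBEXECDIR comes from the RC file; if it is missing, skip with a warning
# instead of removing "/$PRODUCT" as the unguarded form would.
if [ -n "$LIBEXECDIR" ]; then
  remove_directory "${LIBEXECDIR}/$PRODUCT"
else
  echo "WARNING: LIBEXECDIR is not set; the $PRODUCT libexec directory was not removed" >&2
fi
remove_file "${CONFDIR}/logrotate.d/$PRODUCT"
#
# Report Success
#
echo "$Product $VERSION Uninstalled"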
shorewall-init-5.1.12.2/shorewall-init.spec 0000664 0000000 0000000 00000034624 13243350236 017230 0 ustar root root %define name shorewall-init
%define version 5.1.12
%define release 2
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
Version: %{version}
Release: %{release}
License: GPLv2
Packager: Tom Eastep
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: shoreline_firewall >= 4.5.0
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
Shorewall Init is a companion product to Shorewall that allows for tighter
control of connections during boot and that integrates Shorewall with
ifup/ifdown and NetworkManager.
%prep
%setup
%build
%install
./configure.pl --host=%{_vendor} \
--prefix=%{_prefix} \
--tmpdir=%{_tmpdir} \
--perllibdir=%{perl_vendorlib} \
--libexecdir=%{_libexecdir} \
--sbindir=%{_sbindir}
DESTDIR=%{buildroot} ./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%post
# $1 is the number of package instances present after this transaction:
# 1 is a fresh install, so the boot-time service is enabled only then and
# an upgrade keeps the administrator's enable/disable choice.
if [ $1 -eq 1 ]; then
  if [ -x %{_sbindir}/systemctl ]; then
    %{_sbindir}/systemctl enable shorewall-init
  elif [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl enable shorewall-init
  elif [ -x %{_sbindir}/insserv ]; then
    %{_sbindir}/insserv %{_initddir}/shorewall-init
  elif [ -x %{_sbindir}/chkconfig ]; then
    %{_sbindir}/chkconfig --add shorewall-init;
  fi
fi
# SuSE keeps per-script hook directories, and the hook is installed under a
# product-specific name, so it can be copied in without checking for an
# existing file.
if [ -f /etc/SuSE-release ]; then
  cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
  cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
  if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
      mkdir -p /etc/ppp/$directory
      cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
    done
  fi
else
  # Other distributions have a single shared ifup-local/ifdown-local pair.
  # If either already exists and does not mention Shorewall, neither is
  # replaced and the warning is printed; a pair that is already ours is
  # refreshed with the packaged copy.
  if [ -f %{_sbindir}/ifup-local -o -f %{_sbindir}/ifdown-local ]; then
    if ! grep -q Shorewall %{_sbindir}/ifup-local || ! grep -q Shorewall %{_sbindir}/ifdown-local; then
      echo "WARNING: %{_sbindir}/ifup-local and/or %{_sbindir}/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
    else
      cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local
      cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local
    fi
  else
    cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local
    cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local
  fi
  # Unlike the ifup-local pair above, existing ppp hooks are never
  # refreshed: when both files exist and are already ours, nothing is
  # copied. (The doubled slash in the ip-down.local path below is harmless.)
  if [ -d /etc/ppp ]; then
    if [ -f /etc/ppp/ip-up.local -o -f /etc/ppp/ip-down.local ]; then
      if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp//ip-down.local; then
        echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
      fi
    else
      cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/ip-up.local
      cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/ip-down.local
    fi
  fi
  # NetworkManager runs dispatcher scripts as root on every interface
  # event. cp -p keeps the 0544 root:root mode set on ifupdown in the files
  # list; as far as I know NetworkManager refuses scripts that are not
  # root-owned or are writable by others, so that mode should be kept.
  if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
    cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
  fi
fi
%preun
# $1 is the number of instances that will remain: 0 means the package is
# being erased rather than upgraded. Only then is the service disabled and
# are the hook files removed -- and only those that carry our marker text,
# so a locally written ifup-local or ip-up.local is left in place. The
# NetworkManager hook has a product-specific name and is removed outright.
if [ $1 -eq 0 ]; then
  if [ -x %{_sbindir}/systemctl ]; then
    %{_sbindir}/systemctl disable shorewall-init
  elif [ -x /usr/bin/systemctl ]; then
    /usr/bin/systemctl disable shorewall-init
  elif [ -x %{_sbindir}/insserv ]; then
    %{_sbindir}/insserv -r %{_initddir}/shorewall-init
  elif [ -x %{_sbindir}/chkconfig ]; then
    %{_sbindir}/chkconfig --del shorewall-init
  fi
  [ -f %{_sbindir}/ifup-local ] && grep -q Shorewall %{_sbindir}/ifup-local && rm -f %{_sbindir}/ifup-local
  [ -f %{_sbindir}/ifdown-local ] && grep -q Shorewall %{_sbindir}/ifdown-local && rm -f %{_sbindir}/ifdown-local
  [ -f /etc/ppp/ip-up.local ] && grep -q Shorewall-based /etc/ppp/ip-up.local && rm -f /etc/ppp/ip-up.local
  [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local
  rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
fi
%files
%defattr(0644,root,root,0755)
%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
%attr(0644,root,root) /usr/lib/systemd/system/shorewall-init.service
%attr(0755,root,root) %dir %{_libexecdir}/shorewall-init
%attr(0700,root,root) %{_sbindir}/shorewall-init
%attr(0644,root,root) /etc/logrotate.d/shorewall-init
%attr(0644,root,root) /usr/share/shorewall-init/version
%attr(0544,root,root) %{_libexecdir}/shorewall-init/ifupdown
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Feb 10 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-2
* Fri Feb 09 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-1
* Tue Feb 06 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0base
* Wed Jan 31 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0RC1
* Tue Jan 23 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta2
* Wed Jan 17 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta1
* Wed Jan 10 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0base
* Fri Jan 05 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0RC1
* Sun Dec 31 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta2
* Tue Dec 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta1
* Sat Dec 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0base
* Mon Dec 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC2
* Sat Dec 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC1
* Fri Dec 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta2
* Wed Nov 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta1
* Wed Nov 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0base
* Sat Nov 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0RC1
* Fri Nov 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta2
* Thu Oct 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta1
* Sun Oct 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0base
* Tue Oct 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0RC1
* Sat Oct 07 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta2
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta1
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0base
* Sun Sep 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC2
* Fri Sep 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC1
* Wed Aug 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta2
* Tue Aug 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta1
* Wed Aug 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0base
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC2
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Wed Aug 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Thu Aug 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta2
* Thu Jul 20 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta1
* Mon Jun 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0base
* Wed Jun 21 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0RC1
* Fri Jun 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta2
* Thu May 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta1
* Fri May 05 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0base
* Mon Apr 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0RC1
* Fri Mar 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta2
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta1
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0base
* Sun Mar 12 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC2
* Fri Mar 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC1
* Mon Mar 06 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta2
* Wed Feb 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta1
* Fri Feb 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0RC1
* Fri Feb 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta2
* Wed Jan 25 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta1
* Tue Jan 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0base
* Thu Jan 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0RC1
* Tue Jan 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta2
* Wed Jan 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta1
* Tue Jan 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-1
* Wed Jan 04 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0base
* Wed Dec 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC2
* Tue Dec 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC1
* Mon Dec 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta2
* Sun Dec 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta1
* Fri Dec 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0base
* Thu Dec 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC2
* Sun Nov 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC1
* Thu Nov 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta2
* Sun Nov 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta1
* Mon Oct 31 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC3
* Sat Oct 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC2
* Thu Oct 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC1
* Tue Oct 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta2
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta1
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0base
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC2
* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC1
* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta2
* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta1
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0base
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC3
* Tue Sep 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC2
* Tue Sep 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC1
* Tue Sep 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta2
* Sat Aug 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta1
* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0base
* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0RC1
* Wed Jul 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta2
* Tue Jul 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta1
* Fri Jul 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-1
* Sat Jun 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0base
* Tue Jun 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0RC1
* Tue Jun 14 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta2
* Mon Jun 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta1
* Thu May 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0base
* Thu May 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0RC1
* Thu Apr 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta2
* Mon Apr 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta1
* Fri Apr 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC2
* Mon Apr 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC1
* Thu Apr 07 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta4
* Sat Apr 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta3
* Fri Apr 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta2
* Sun Mar 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta1
* Thu Mar 24 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0base
* Fri Mar 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0RC1
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta4
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta3
* Tue Mar 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta2
* Sat Mar 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta1
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta6
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta5
* Thu Mar 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta4
* Sat Feb 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta3
* Sun Feb 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta2
* Fri Feb 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta1
* Wed Feb 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0base
* Mon Feb 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC2
* Wed Feb 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC1
* Fri Jan 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta2
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta1
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0base
* Tue Jan 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC2
* Mon Jan 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC1
* Tue Jan 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta2
* Sat Jan 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta1
* Sun Dec 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0base
* Thu Dec 24 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC2
* Sun Dec 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC1
* Sat Dec 05 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta2
* Sat Nov 28 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta1
* Sat Nov 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-1
* Sat Nov 07 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0base
* Sun Nov 01 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0RC1
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta2
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta1
* Tue Oct 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-1
* Mon Oct 12 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-0base
* Sat Oct 03 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0base
* Mon Sep 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0RC1
* Thu Sep 10 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta2
* Mon Jul 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta1
shorewall-init-5.1.12.2/init.debian.sh 0000775 0000000 0000000 00000010406 13243347103 016125 0 ustar root root #!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# X-Start-Before: $network
# Required-Stop: $local_fs
# X-Stop-After: $network
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time prior to
# bringing up the network
### END INIT INFO
# LSB init helpers, and a quiet default for the shorewall tools.
. /lib/lsb/init-functions
export VERBOSITY=0
# Only root can change netfilter state; refuse early with the same message
# and exit status as before.
if [ "$(id -u)" != "0" ]; then
  echo "You must be root to start, stop or restart \"Shorewall \"."
  exit 1
fi
# Report a failed step and abort the whole script with status 1.
echo_notdone () {
    printf '%s\n' "not done."
    exit 1
}
# Warn that shorewall-init has no configuration and leave.
#
# Arguments: $1 - the init action; the Debian hint is omitted for "stop"
# Outputs:   the warning banner on stdout
# Exits:     0 - boot continues even though the firewall was NOT initialized
not_configured () {
    printf '%s\n' "#### WARNING ####" \
        "the firewall won't be initialized unless it is configured"
    if [ "$1" != "stop" ]; then
        printf '\n%s\n%s\n' "Please read about Debian specific customization in" \
            "/usr/share/doc/shorewall-init/README.Debian.gz."
    fi
    printf '%s\n' "#################"
    exit 0
}
# set the STATEDIR variable
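# Resolve STATEDIR for $PRODUCT and make sure ${STATEDIR}/firewall exists.
#
# Globals read:    CONFDIR, PRODUCT, VARLIB, SBINDIR
# Globals written: STATEDIR
# Returns: 0 when ${STATEDIR}/firewall is executable (compiling it first for
#          shorewall/shorewall6 if it is missing), 1 otherwise.
setstatedir() {
    local statedir vardir_file
    vardir_file="${CONFDIR}/${PRODUCT}/vardir"
    if [ -f "$vardir_file" ]; then
        # The vardir file is sourced as shell code, so only root-controlled
        # content may live under ${CONFDIR}; it may override VARDIR.
        statedir=$( . "$vardir_file" && echo "$VARDIR" )
    fi
    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR="${VARLIB}/${PRODUCT}"
    fi
    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    fi
    # No compiled firewall script yet: generate one for the products that
    # have a compiler on this system.
    case "$PRODUCT" in
        shorewall)
            "${SBINDIR}/shorewall" compile || return 1
            ;;
        shorewall6)
            "${SBINDIR}/shorewall" -6 compile || return 1
            ;;
        *)
            return 1
            ;;
    esac
    # Re-check instead of trusting the compiler's exit status, so the caller
    # only ever executes a script that is really there.
    [ -x "${STATEDIR}/firewall" ]
}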
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
# shorewall-init is configured through $SYSCONFDIR/shorewall-init; without
# that file, or with an empty PRODUCTS list, there is nothing to initialize
# (not_configured prints the warning and exits).
if [ ! -f "$SYSCONFDIR/shorewall-init" ]; then
    not_configured
fi
. "$SYSCONFDIR/shorewall-init"
[ -n "$PRODUCTS" ] || not_configured
# Initialize the firewall
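# Put every configured product's firewall into its stopped (safe) state
# before the network comes up, then restore any saved ipsets.
#
# Globals read: PRODUCTS, OPTIONS, SAVE_IPSETS (and STATEDIR via setstatedir)
# Outputs:      progress on stdout
# Returns:      0; exits 1 through echo_notdone if the ipset restore fails
shorewall_start () {
    local PRODUCT
    local STATEDIR
    printf "Initializing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        setstatedir || continue
        #
        # Run in a sub-shell to avoid name collisions with whatever the
        # compiled script defines.
        #
        (
            # A firewall that is already running is left alone; otherwise
            # 'stop' establishes the safe state.
            if ! "${STATEDIR}/firewall" status > /dev/null 2>&1; then
                # OPTIONS is a word list and is deliberately unquoted.
                "${STATEDIR}/firewall" ${OPTIONS} stop
            fi
        )
    done
    echo "done."
    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        printf "Restoring ipsets: "
        # The save file is fed to 'ipset -R' as commands, so it must be as
        # trustworthy (ownership, permissions) as the firewall config itself.
        ipset -R < "$SAVE_IPSETS" || echo_notdone
        echo "done."
    fi
    return 0
}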
# Clear the firewall
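# Clear every configured product's firewall, then save the current ipsets
# so shorewall_start can restore them on the next boot.
#
# Globals read: PRODUCTS, OPTIONS, SAVE_IPSETS (and STATEDIR via setstatedir)
# Outputs:      progress on stdout
# Returns:      0; exits 1 through echo_notdone if the ipset save fails
shorewall_stop () {
    local PRODUCT
    local STATEDIR
    local tmp
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
        setstatedir || continue
        # OPTIONS is a word list and is deliberately unquoted.
        "${STATEDIR}/firewall" ${OPTIONS} clear
    done
    echo "done."
    if [ -n "$SAVE_IPSETS" ]; then
        # printf, like the other progress lines, so "done." ends this line.
        printf "Saving ipsets: "
        tmp="${SAVE_IPSETS}.tmp"
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        if ! ipset -S > "$tmp"; then
            rm -f "$tmp"
            echo_notdone
        fi
        # Keep the dump only if it defines at least one set; an empty dump is
        # discarded rather than replacing the previous save file.
        if grep -qE -- '^(-N|create )' "$tmp"; then
            if ! mv -f "$tmp" "$SAVE_IPSETS"; then
                rm -f "$tmp"
                echo_notdone
            fi
        else
            rm -f "$tmp"
        fi
        echo "done."
    fi
    return 0
}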
# Dispatch on the init action; start/stop map onto shorewall_start and
# shorewall_stop, reload is a no-op (empty arm), anything else is a usage error.
action=$1
case "$action" in
    start|stop)
        "shorewall_${action}"
        ;;
    reload|force-reload)
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|force-reload}"
        exit 1
        ;;
esac
exit 0
shorewall-init-5.1.12.2/configure 0000775 0000000 0000000 00000012322 13243350236 015311 0 ustar root root #!/bin/bash
#
# Shorewall Packet Filtering Firewall RPM configuration program - V4.6
#
# (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# Usage: ./configure [ = ] ...
#
#
################################################################################################
#
# Build updates this
#
VERSION=5.1.12.2
# Associative arrays (declared below) need Bash 4; refuse to run on anything older.
if [[ $BASH_VERSION != [4-9].* ]]; then
    echo "ERROR: This program requires Bash 4.0 or later" >&2
    exit 1
fi
declare -A params    # command-line overrides, keyed by upper-cased option name
declare -A options   # effective settings: rc file values plus the overrides
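# Read an rc file of 'NAME=value [#comment]' lines from stdin into the global
# associative array 'options'.
#
# Lines starting with '#' and lines without '=' are ignored. The value is the
# text after the first '=' up to the first '#', stored literally: references
# such as ${PREFIX} are not expanded here but when the generated shorewallrc
# is sourced. Consequently a value itself cannot contain '#'.
#
# Globals written: options
# Returns: 0
getfileparams() {
    local option on ov
    # -r keeps backslashes literal instead of treating them as escapes.
    while read -r option; do
        case $option in
            \#*)
                ;;
            *=*)
                # %% (longest match) so a comment containing '=' cannot
                # leak into the name; %% on '#' likewise drops the whole comment.
                on=${option%%=*}
                ov=${option#*=}
                ov=${ov%%#*}
                [ -n "$on" ] && options[${on}]="${ov}"
                ;;
            *)
                ;;
        esac
    done
    return 0
}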
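# Collect command-line overrides (NAME=value or --name=value) into 'params',
# upper-casing the name and mapping the autoconf-style aliases onto the
# names used in the rc files. "$@" keeps a quoted value with spaces intact.
for p in "$@"; do
    [ -n "$p" ] || continue
    declare -u pn    # -u: upper-case on assignment
    pn=${p%%=*}      # up to the first '=' so a value may itself contain '='
    pn=${pn#--}
    pv=${p#*=}       # a bare word (no '=') yields pn == pv, as before
    if [ -z "$pn" ]; then
        echo "ERROR: Invalid option ($p)" >&2
        exit 1
    fi
    case $pn in
        VENDOR)
            pn=HOST
            ;;
        SHAREDSTATEDIR)
            pn=VARLIB
            ;;
        DATADIR)
            pn=SHAREDIR
            ;;
    esac
    params[${pn}]="${pv}"
done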
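# Work from the source tree: the rc files and the generated shorewallrc are
# addressed relative to this script.
cd "$(dirname -- "$0")" || exit 1

# True when /sbin/init points at systemd; the link target is what shows up
# in the 'ls -l' output this test relies on.
init_is_systemd() {
    ls -l /sbin/init | grep -Fq systemd
}

vendor=${params[HOST]}
#
# No explicit HOST: take the distribution ID from os-release. The file is
# parsed rather than eval'ed, so nothing in it is ever executed as shell.
#
if [ -z "$vendor" ]; then
    if [ -f /etc/os-release ]; then
        ID=
        while IFS= read -r line; do
            case $line in
                ID=*) ID=${line#ID=} ;;
            esac
        done < /etc/os-release
        # os-release values may be quoted; strip one pair of quotes.
        ID=${ID#\"}
        ID=${ID%\"}
        ID=${ID#\'}
        ID=${ID%\'}
        case $ID in
            fedora|rhel)
                vendor=redhat
                ;;
            debian|ubuntu)
                vendor=debian
                ;;
            opensuse)
                vendor=suse
                ;;
            *)
                vendor="$ID"
                ;;
        esac
        params[HOST]="$vendor"
    fi
fi
#
# Still unknown: probe the host directly.
#
if [ -z "$vendor" ]; then
    case $(uname) in
        Darwin)
            params[HOST]=apple
            rcfile=shorewallrc.apple
            ;;
        cygwin*|CYGWIN*)
            params[HOST]=cygwin
            rcfile=shorewallrc.cygwin
            ;;
        *)
            if [ -f /etc/debian_version ]; then
                params[HOST]=debian
                if init_is_systemd; then
                    rcfile=shorewallrc.debian.systemd
                else
                    rcfile=shorewallrc.debian.sysvinit
                fi
            elif [ -f /etc/redhat-release ]; then
                params[HOST]=redhat
                rcfile=shorewallrc.redhat
            elif [ -f /etc/slackware-version ]; then
                params[HOST]=slackware
                rcfile=shorewallrc.slackware
            elif [ -f /etc/SuSE-release ]; then
                params[HOST]=suse
                rcfile=shorewallrc.suse
            elif [ -f /etc/arch-release ]; then
                params[HOST]=archlinux
                rcfile=shorewallrc.archlinux
            elif [ -f /etc/openwrt_release ]; then
                params[HOST]=openwrt
                rcfile=shorewallrc.openwrt
            else
                params[HOST]=linux
                rcfile=shorewallrc.default
            fi
            ;;
    esac
    vendor=${params[HOST]}
else
    #
    # HOST is known: pick its rc file, then normalise the 'default' and
    # 'debian.*' aliases back to the canonical host names.
    #
    if [ "$vendor" = linux ]; then
        rcfile=shorewallrc.default
    elif [ "$vendor" = debian ] && [ -f /etc/debian_version ]; then
        if init_is_systemd; then
            rcfile=shorewallrc.debian.systemd
        else
            rcfile=shorewallrc.debian.sysvinit
        fi
    else
        rcfile=shorewallrc.$vendor
    fi
    if [ ! -f "$rcfile" ]; then
        echo "ERROR: $vendor is not a recognized host type" >&2
        exit 1
    elif [ "$vendor" = default ]; then
        params[HOST]=linux
        vendor=linux
    elif [[ $vendor == debian.* ]]; then
        params[HOST]=debian
        vendor=debian
    fi
fi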
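if [ "$vendor" = linux ]; then
    echo "INFO: Creating a generic Linux installation - " "$(date)"
else
    echo "INFO: Creating a ${params[HOST]}-specific installation - " "$(date)"
fi
echo
# Start from the rc file, then let the command-line parameters override it.
getfileparams < "$rcfile" || exit 1
for p in "${!params[@]}"; do
    options[${p}]="${params[${p}]}"
done
# Header of the generated file (the group redirect truncates it once).
{
    echo '#'
    echo "# Created by Shorewall Core version $VERSION configure - " "$(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}")"
    echo "# rc file: $rcfile"
    echo '#'
    if [ $# -gt 0 ]; then
        echo "# Input: $*"
        echo '#'
    fi
} > shorewallrc
# VARLIB and VARDIR default from each other. The ${VARLIB}/${PRODUCT} form is
# written unexpanded on purpose: it is resolved per product when shorewallrc
# is sourced.
if [ -n "${options[VARLIB]}" ]; then
    if [ -z "${options[VARDIR]}" ]; then
        options[VARDIR]='${VARLIB}/${PRODUCT}'
    fi
elif [ -n "${options[VARDIR]}" ]; then
    # Only VARDIR given: it becomes the parent directory. (The previous test
    # here, "{$options[VARLIB]}", had a misplaced brace and never fired.)
    options[VARLIB]=${options[VARDIR]}
    options[VARDIR]='${VARLIB}/${PRODUCT}'
fi
# SERVICEDIR supersedes the older SYSTEMD setting.
if [ -z "${options[SERVICEDIR]}" ]; then
    options[SERVICEDIR]="${options[SYSTEMD]}"
fi
# Emit the settings in a fixed order, to the terminal and to shorewallrc.
for on in \
    HOST \
    PREFIX \
    SHAREDIR \
    LIBEXECDIR \
    PERLLIBDIR \
    CONFDIR \
    SBINDIR \
    MANDIR \
    INITDIR \
    INITSOURCE \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
    SERVICEDIR \
    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
    SPARSE \
    ANNOTATED \
    VARLIB \
    VARDIR \
    DEFAULT_PAGER
do
    line="$on=${options[${on}]}"
    echo "$line"
    echo "$line" >> shorewallrc
done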
shorewall-init-5.1.12.2/shorewallrc.openwrt 0000664 0000000 0000000 00000003507 13243350236 017354 0 ustar root root #
# OpenWRT Shorewall 5.0 rc file
#
# Consumed by ./configure (getfileparams): on each 'NAME=value comment' line
# the value is stored literally, so ${PREFIX} / $PRODUCT references are
# resolved only when the generated shorewallrc is sourced, not here.
#
BUILD= #Default is to detect the build system
HOST=openwrt
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR= #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/lib #Directory where product variable data is stored. NOTE(review): the other rc files use /var/lib; confirm /lib is intended for OpenWRT
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/ifupdown.fedora.sh 0000664 0000000 0000000 00000004757 13243347103 017044 0 ustar root root #!/bin/sh
#
# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Get startup options (override default)
OPTIONS=""    # no extra firewall options unless the shorewall-init config sourced below presumably sets some
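# Resolve STATEDIR for $PRODUCT, compiling the firewall script when it is
# missing. The final existence check is left to the caller, which tests
# [ -x "$STATEDIR/firewall" ] before running it.
#
# Globals read:    CONFDIR, PRODUCT, VARLIB, SBINDIR
# Globals written: STATEDIR
setstatedir() {
    local statedir vardir_file
    vardir_file="${CONFDIR}/${PRODUCT}/vardir"
    if [ -f "$vardir_file" ]; then
        # Sourced as shell code, so only root-controlled content may live
        # under ${CONFDIR}; it may override VARDIR.
        statedir=$( . "$vardir_file" && echo "$VARDIR" )
    fi
    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR="${VARLIB}/${PRODUCT}"
    fi
    if [ ! -x "$STATEDIR/firewall" ]; then
        # Only these two products have a compiler on this system.
        case "$PRODUCT" in
            shorewall)
                "${SBINDIR}/shorewall" compile
                ;;
            shorewall6)
                "${SBINDIR}/shorewall" -6 compile
                ;;
        esac
    fi
}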
IFUPDOWN=0
PRODUCTS=
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
# Site configuration: the first of these two files that exists is sourced.
for cfg in /etc/default/shorewall-init /etc/sysconfig/shorewall-init; do
    if [ -f "$cfg" ]; then
        . "$cfg"
        break
    fi
done
# Nothing to do unless ifupdown integration is switched on and at least one
# product is configured.
[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0
PHASE=''
# The interface is always the first argument; which action to run is derived
# from the name this script was invoked under (ppp hooks, RedHat ifup/ifdown,
# or a NetworkManager dispatcher, where the action is the second argument).
# Any other invocation name is not ours and exits quietly.
INTERFACE="$1"
case $0 in
    /etc/ppp*ip-up.local)
        COMMAND=up
        ;;
    /etc/ppp*ip-down.local)
        COMMAND=down
        ;;
    /etc/ppp*)
        exit 0
        ;;
    *ifup*)
        COMMAND=up
        ;;
    *ifdown*)
        COMMAND=down
        ;;
    *dispatcher.d*)
        COMMAND="$2"
        ;;
    *)
        exit 0
        ;;
esac
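# Run each configured product's firewall script for this interface event,
# logging the invocation. Output is discarded unless LOGFILE is set.
[ -n "$LOGFILE" ] || LOGFILE=/dev/null
for PRODUCT in $PRODUCTS; do
    setstatedir
    [ -x "$STATEDIR/firewall" ] || continue
    # The log line repeats $COMMAND and $INTERFACE exactly as the network
    # stack passed them, so LOGFILE must be an admin-controlled path.
    echo "$(date --rfc-3339=seconds) $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> "$LOGFILE" 2>&1
    # OPTIONS is a word list; COMMAND/INTERFACE stay unquoted as in the
    # original so an empty one does not become an empty argument. A failing
    # firewall script must never abort the interface event itself.
    ( "$STATEDIR/firewall" $OPTIONS $COMMAND $INTERFACE >> "$LOGFILE" 2>&1 ) || true
done
exit 0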
shorewall-init-5.1.12.2/shorewallrc.archlinux 0000664 0000000 0000000 00000003415 13243350236 017651 0 ustar root root #
# Arch Linux Shorewall 5.0 rc file
#
# Consumed by ./configure (getfileparams): on each 'NAME=value comment' line
# the value is stored literally, so ${PREFIX} / $PRODUCT references are
# resolved only when the generated shorewallrc is sourced, not here.
#
BUILD= #Default is to detect the build system
HOST=archlinux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/usr/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Directory where SysV init scripts are installed (none: systemd-only host).
INITFILE= #Name of the product's installed SysV init script
INITSOURCE= #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR= #Directory where SysV init parameter files are installed
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/shorewallrc.slackware 0000664 0000000 0000000 00000003766 13243350236 017641 0 ustar root root #
# Slackware Shorewall 5.0 rc file
#
# Consumed by ./configure (getfileparams): on each 'NAME=value comment' line
# the value is stored literally, so ${PREFIX} / $PRODUCT references are
# resolved only when the generated shorewallrc is sourced, not here.
#
BUILD=slackware
HOST=slackware
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d #Directory where SysV init scripts are installed.
AUXINITSOURCE=init.slackware.firewall.sh #Name of the distributed file to be installed as the SysV init script
AUXINITFILE=rc.firewall #Name of the product's installed SysV init script
INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script
INITFILE=rc.$PRODUCT #Name of the product's installed second init script
SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Name of the directory where SysV init parameter files are installed.
ANNOTATED= #If non-empty, install annotated configuration files
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/shorewallrc.default 0000664 0000000 0000000 00000003643 13243350236 017303 0 ustar root root #
# Default Shorewall 5.0 rc file
#
# Selected by ./configure for HOST=linux (generic host). Read by
# getfileparams: on each 'NAME=value comment' line the value is stored
# literally, so ${PREFIX} / $PRODUCT references are resolved only when the
# generated shorewallrc is sourced, not here.
#
BUILD= #Default is to detect the build system
HOST=linux #Generic Linux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/shorewallrc.redhat 0000664 0000000 0000000 00000003601 13243350236 017120 0 ustar root root #
# RedHat/Fedora Shorewall 5.0 rc file
#
# Consumed by ./configure (getfileparams): on each 'NAME=value comment' line
# the value is stored literally, so ${PREFIX} / $PRODUCT references are
# resolved only when the generated shorewallrc is sourced, not here.
#
BUILD= #Default is to detect the build system
HOST=redhat
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
SERVICEFILE= #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/shorewallrc.suse 0000664 0000000 0000000 00000004167 13243350236 016640 0 ustar root root #
# SuSE Shorewall 5.0 rc file
#
# Consumed by ./configure (getfileparams): on each 'NAME=value comment' line
# the value is stored literally, so ${PREFIX} / $PRODUCT references are
# resolved only when the generated shorewallrc is sourced, not here.
#
BUILD= #Default is to detect the build system
HOST=suse
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
CONFDIR=/etc #Directory where subsystem configurations are installed
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
SBINDIR=/usr/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's SysV init script (empty: none installed)
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SERVICEDIR (formerly $SYSTEMD). Default is $PRODUCT.service
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/releasenotes.txt 0000664 0000000 0000000 00000207335 13243350236 016646 0 ustar root root ----------------------------------------------------------------------------
S H O R E W A L L 5 . 1 . 1 2 . 2
-------------------------------
F e b r u a r y 2 1 , 2 0 1 8
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
II. KNOWN PROBLEMS REMAINING
III. NEW FEATURES IN THIS RELEASE
IV. MIGRATION ISSUES
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
5.1.12.2
1) The 5.1.12 change that emits warnings when INLINE_MATCHES=Yes did
not issue a warning when a single semicolon was used to introduce
inline matches in INLINE, IPTABLES and IP6TABLES rules. That has
been corrected. Additionally, 'shorewall[6] update' now replaces
';' with ';;' in those rules.
As part of that change, the documentation has been modified to
prefer ';;' over ';' to introduce inline matches in those rules.
2) The 'shorewall[6] update' command now replaces a single semicolon
with double semicolons in INLINE, IPTABLES and IP6TABLES rules.
3) A typo has been corrected so that the following error message is
now printed correctly.
ERROR: The REJECT_ACTION () is not terminating
Previously, an "unknown function" Perl diagnostic was issued in its
place.
4) Previously, if a policy action specification in shorewall[6].conf
or in the policy file included a log tag, a garbled error message
was issued. That has been corrected.
5) Under rare circumstances, syn flood limiting specified in a
policy was previously not enforced by the generated ruleset. That
has been corrected.
5.1.12.1
1) The macro SSDPServer released in 5.1.12 inadvertently contained the
content of macro.SSDP. The corrected macro is now available as
macro.SSDPserver (note the lower case 's' in 'server').
2) When double semicolons (";;") were used to introduce inline
matches, column/value pairs enclosed in braces ("{...}") were not
recognized correctly if there was any white space between the
closing brace ("}") and the semicolons. That problem has been
corrected.
5.1.12
1) This release contains defect repair from releases through 5.1.11.2.
2) Many typos in comments in the chains module have been corrected.
3) Dead code was removed.
4) A function that is called only from lib.cli-std had been moved
there from lib.cli.
5) Trailing white space is now omitted from the generated script.
6) Apparently random blank lines in the generated script have been
eliminated.
7) Previously, the output of 'shorewall show capabilities' only
displayed the 'Ipset Match (IPSET_MATCH)' capability if it was
available. Now, it is also displayed when it is not available.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) The 'enable', 'reenable' and 'disable' commands do not work
correctly in configurations with USE_DEFAULT_RT=No and optional
providers listed in the DUPLICATE column.
3) While the 'ip' utility now accepts IPv6 routes with multiple
'nexthop' destinations, these routes are not balanced. They are
rather instantiated as a sequence of single routes with different
metrics. Furthermore, the 'ip route replace' command fails on
such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a
single "replace" command.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Beginning with this release, SNAT can be performed on flows
destined for the firewall itself. In this case, SNAT will be
performed in the INPUT chain of the nat table; see
shorewall-snat(5) for details.
This change introduced a new capability:
INPUT chain in the nat table (NAT_INPUT_CHAIN)
2) The undocumented optimize option OPTIMIZE_USE_FIRST (0x1000)
has been removed.
3) Some minor performance enhancements have been made to optimization
category 8.
4) While INLINE_MATCHES=Yes has been documented as deprecated for some
time, it has thus far not generated a warning. Beginning with this
release, a warning is issued:
WARNING: Option INLINE_MATCHES=Yes is deprecated
See the Migration Issues section for additional information.
5) The IPMI macro has been extended to include additional protocols
(Tuomo Soini).
6) Several new macros have been added:
Apcupsd
FreeIPA
Kpasswd
RedisSecure
Rwhois
SSDP
SSDPServer
(Tuomo Soini)
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
1) If you are migrating from Shorewall 4.6.x or earlier, please see
http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
2) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. Its
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:
Shorewall 5.0 Shorewall 5.1
shorewall shorewall
shorewall6 shorewall -6
shorewall-lite shorewall -l
shorewall6-lite shorewall -6l
Only Shorewall-lite and Shorewall6-lite installed:
Shorewall 5.0 Shorewall 5.1
shorewall-lite shorewall
shorewall6-lite shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
3) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
For the common case where you have an action xxx with an empty
action.xxx file and have perl code in a file named xxx, the
compiler will now generate a fatal error:
ERROR: File action.xxx is empty and file xxx exists - the two
must be combined as described in the Migration
Considerations section of the Shorewall release notes
For information about resolving this error, see
http://www.shorewall.org/Shorewall-5.html#idp41228128.
4) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
5) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
etc. options may now specify a comma-separated list of actions
rather than just a single action. The actions are invoked in the
order in which they are listed and each action may optionally be
followed by a colon (":") and a log level. The POLICY column in
shorewall[6]-policy can now specify a similar list of actions. In
that file, the list may be preceded by a plus sign ("+"), in which
case the listed actions will be in addition to those listed in the
related _DEFAULT setting in shorewall[6].conf.
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
the reader to http://www.shorewall.net/Actions.html#Default.
7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
Broadcast no longer handle multicast. Multicast is handled
separately in actions allowMcast, dropMcast and Multicast. The
now-deprecated Drop and Reject policy actions have been modified so
that they continue to silently drop multicast packets.
8) According to the Netfilter team (see
https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
of the NFLOG target has never worked correctly, and they have
deprecated that option in favor of the --nflog-size option.
To accommodate this change, Shorewall 5.1.5 added an "--nflog-size
support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
capability is present, Shorewall will use '--nflog-size' in place
of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
present, an error is raised.
If you don't use NFLOG or if you use NFLOG with omitted second
parameter or with 0 as the second parameter, and 'shorewall show
capabilities' indicated that --nflog-size support is present, you
may safely set USE_NFLOG_SIZE=Yes.
If you pass a non-zero value as the second parameter to NFLOG and
the '--nflog-size support' capability is present, you need to
verify that those NFLOG messages are as you expect with
USE_NFLOG_SIZE=Yes.
9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
Shorewall 5.1.7. Shorewall now finds modules, independent of their
filename suffix.
'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
setting.
10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
default route is only restored when there are no enabled
'balance/primary' providers and no enabled fallback providers.
Also beginning with Shorewall 5.1.8, if the default route(s) have
been restored to the 'main' table, and a fallback provider is
successfully enabled, the default route(s) are removed from the
main table.
11) Because restoring default routes to the main routing table can
break the ability of Foolsm and other link status monitors to
properly detect non-functioning provider links, a warning message
is issued when the 'persistent' provider option is specified and
RESTORE_DEFAULT_ROUTE=Yes.
WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
may not work as expected
This change was released in Shorewall 5.1.8.
12) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
is issued when an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In many cases, this issue can be worked around by a change similar
to the following:
Original:
net + dhcp,routeback,sourceroute=0
Change to:
net all dhcp,physical=+,routeback,sourceroute=0
--- ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
13) INLINE_MATCHES=Yes has been documented as deprecated for some
time, but it has not generated a warning. Beginning with the
Shorewall 5.1.12 release, a warning is issued:
WARNING: Option INLINE_MATCHES=Yes is deprecated
Additionally, each line that requires modification to work with
INLINE_MATCHES=No is flagged with the warning:
WARNING: This entry needs to be changed (replace ';' with ';;')
before the INLINE_MATCHES option is removed in
Shorewall 5.2
You can eliminate the warnings by setting INLINE_MATCHES=No and
by replacing the single semicolon (";") separating inline matches
from the column-oriented part of the rule with two semicolons
(";;") in each entry flagged by the second warning.
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 1 R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 1
----------------------------------------------------------------------------
5.1.11.1
1) When AUTOMAKE=Yes and the 'find' utility is Busybox-based,
Shorewall 5.1.11 would fail during compilation with the error:
find: unrecognized: -quit
That has been corrected.
5.1.11
1) This release contains defect repair from releases through 5.1.10.2.
2) Previously, if DYNAMIC_BLACKLIST=ipset,disconnect..., the CLI would
verify the existence of the 'conntrack' utility on the local system
when the command was 'remote-start', 'remote-reload' or
'remote-restart'. Now, that verification is only done for the
blacklist-oriented commands ('blacklist', 'allow', 'drop', etc.).
3) Previously, when DYNAMIC_BLACKLIST=ipset..., the CLI required the
firewall to be started in order to run the 'allow' command. Now,
the command only requires that the dynamic blacklist ipset
exists.
4) Previously, if an address variable was used in the stoppedrules
file, the 'clear' command could fail in two different ways,
depending on whether the related interface was optional or not.
If the interface was optional, the failure message was similar to
the following:
$ shorewall clear
Clearing Shorewall....
Preparing iptables-restore input...
/var/lib/shorewall/firewall: 3064: [: !=: unexpected operator
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.
If the interface was not optional, the result was similar to:
$ shorewall debug clear
Clearing Shorewall....
Preparing iptables-restore input...
Running debug_restore_input...
Bad argument `6'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -s
172.17.211.254 -d -p 6 --dport 22 -i enp2s0 -j ACCEPT"
Failed
Terminated
This problem has been corrected.
5) Previously, the 'clear' command enabled forwarding
unconditionally. Beginning with this release, 'clear' will
conditionally enable/disable forwarding in the same manner as
'stop'.
6) In multi-ISP configurations, it is possible for an IPSEC-tunneled
connection from the Internet to be forwarded back out to the
Internet (for example, if all traffic from the remote endpoint is
sent through the tunnel). If the provider handling the tunnel has
the 'track' option (or if TRACK_PROVIDERS=Yes), then the outgoing
tunneled connection is sent back out that interface by
default (since the encapsulated initial packet arrived through that
interface). Since this is not always desirable, Shorewall now
clears the tracking mark on the connection while processing the
first packet, allowing the connection to not match routing rules
that are dependent on the tracking mark.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1 1
----------------------------------------------------------------------------
1) Previously, the 'show' command was not available to non-root
users. Beginning with this release, non-root users may now
run the following 'show' commands:
show action
show actions
show ip
show macro
show macros
show routing
2) When a RATE is specified on a policy, the rate is enforced in a
chain whose name begins with '@' (e.g., @net-dmz). Previously, log
messages in the chain omitted the '@', leading to possible
confusion. Beginning with this release, the log message will
reflect the chain's actual name (including the '@').
3) To improve efficiency, TCP CT entries in the conntrack file and
TCP entries in the rules file that specify a HELPER will now
assume that 'tcp:syn' had been specified. That way, the generated
ip[6]tables rule will only match on the first packet of the
three-way handshake.
4) Now that the route caches have been removed from the kernel,
Multi-ISP really doesn't work without the 'track' provider option.
As a consequence, TRACK_PROVIDERS=Yes is now the default. Note that
the 'track' option may still be turned off using 'notrack', when
TRACK_PROVIDERS=Yes.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1 0
----------------------------------------------------------------------------
5.1.10.2
1) When AUTOMAKE=Yes, the commands 'start', 'restart' and 'reload'
cause the 'find' utility to be run in each entry in the CONFIG_PATH
to look for files that have been modified since the current
firewall script was created. There are two related defects in 5.1.10
and 5.1.10.1 that manifest when AUTOMAKE=Yes.
a) While the compiler only searches in the directories themselves,
'find' was not limited to just those directories, but rather
searched the entire tree rooted in each path in CONFIG_PATH.
b) If the CONFIG_PATH was prefixed by ":", then there was
effectively an empty path in CONFIG_PATH, which resulted in a
search of the entire tree rooted in the current working
directory.
Both problems have been corrected:
a) Find is run with '-maxdepth 1', to limit the search to just the
files in the directory.
b) Find is not run on empty paths in CONFIG_PATH.
5.1.10.1
1) The Shorewall-core installer previously failed to update the shell library
files correctly when SHAREDIR was not set to /usr/share/. That has
been corrected.
2) Previously, the installer modified the shorewall[6].conf installed
in /etc/shorewall[6] based on the Linux distribution (HOST in
shorewallrc) but installed an unmodified file in
/usr/share/shorewall/configfiles/. Beginning with this release,
the modified file is also installed in the latter directory.
5.1.10
1) Several typos have been corrected in the manpages (Roberto
Sánchez).
2) Regarding Known Problem 3 below, the code added in 5.0.15 could
fail to delete an existing default route if the new default route
was not identical to the one being replaced. Now, the default route
is deleted, even if the new route is different.
3) Previously, if the 'ss' utility was not installed but 'netstat' was
installed, the 'dump' command would issue the error message
/sbin/shorewall: line 1: netatat: not found
and the dump would not contain socket information. That problem
has been corrected.
4) Previously, a plain 'reset' command would only reset counters in
the 'filter' and 'mangle' tables. Now, all four tables have their
counters reset.
5) Specifying IN-BANDWIDTH would previously cause a run-time
start/restart/reload failure when a later version of iproute2 was
installed. The problem has been observed on both iproute2 4.13.0
and 4.14.0. The failure message was similar to the following:
Setting up Traffic Control...
"rate" or "avrate" MUST be specified.
Illegal "police"
ERROR: Command "tc filter add dev ppp0 parent ffff: protocol all
prio 10 basic police mpu 64 drop rate 55378kbit burst 10kb" Failed
This problem has been resolved.
6) Previously, Shorewall-init would recompile the firewall script each
time that it ran. Now, it only compiles the script if it doesn't
exist.
7) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with this release, a warning is issued when
an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In most cases, this issue can be worked around by a change similar
to the following:
Original:
net + dhcp,routeback,sourceroute=0
Change to:
net all dhcp,physical=+,routeback,sourceroute=0
--- ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
8) When the IPv6 Universal sample configuration was used, the
following warning was issued during start/restart/reload:
WARNING: Cannot set Accept Source Routing on +
The Universal interfaces file has been corrected to eliminate that
error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1 0
----------------------------------------------------------------------------
1) Previously, it was necessary to remove ${CONFDIR}/shorewall[6] from
the CONFIG_PATH to create a configuration directory for a remote
firewall managed by shorewall[6]-lite. Without this modification,
when the compiler looked for a file that was not present in the
configuration directory, it would attempt to read the file by the
same name residing in ${CONFDIR}/shorewall[6].
Now, if the setting of CONFIG_PATH begins with a colon (":"),
the first directory in the path is ignored when compiling for
export or when the user running the compiler is not root.
The released copies of shorewall[6].conf have all been modified to
set CONFIG_PATH with a leading colon.
2) The documentation surrounding use of DNS names in Shorewall
configuration has been improved.
3) It is now possible to associate a particular protocol with an
action in shorewall[6]-actions(5). When a protocol is specified in
that file, it is not necessary to specify the protocol in the PROTO
column when invoking the action. If a protocol is included in the
PROTO column then it must match the one specified in the actions
file. If an action defined with a protocol is used as a Policy
Action, then only packets with the specified protocol will be
passed to the action.
A number of standard actions definitions in
/usr/share/shorewall[6]/actions.std have had a protocol added.
The protocol has no effect if 'builtin' or 'inline' is also
specified; specifying 'builtin' with a protocol results in a
warning message. No warning is issued when 'inline' is specified
with a protocol, thus allowing 'inline' and a protocol to appear
together in actions.std. Note that 'noinline' in
shorewall-actions(5) can override an 'inline' specification in
actions.std.
4) The FIN action previously included the PSH flag (FIN,ACK,PSH). To
make the action a bit more general, the PSH flag is now removed and
TCP packets with just the FIN and ACK flags set will now match.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 9
----------------------------------------------------------------------------
1) This release includes defect repair through Shorewall 5.1.8.1.
2) Previously, Shorewall6 did not accept square brackets ("[...]")
around the GATEWAY address in a Providers file entry. That has been
corrected, so that the usual convention of enclosing IPv6 addresses
in square brackets is allowed in that context.
3) Previously, if the IP variable was set in a remote firewall's
configuration directory, and the named file did not exist on the
local administrative system, then a fatal error was raised.
Example:
ERROR: The program specified in IP (/usr/bin/ip) does not exist
or is not executable
Beginning with this release, the contents of the IP option will not
be verified at compile time when compiling for export.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 9
----------------------------------------------------------------------------
1) The mangle file now supports a TCPMSS action for setting the MSS
value in TCP SYN packets. See shorewall-mangle(5) for details. As
part of this change, the TCPMSS rule generated by the CLAMPMSS
option has been moved from the filter table FORWARD chain to the
mangle table FORWARD chain.
2) The Broadcast and Multicast actions are now inlined when the
Address Type Match capability is available.
3) It is now possible to specify 'noinline' in an entry in
/etc/shorewall[6]/actions to override the 'inline' option
specified in /usr/share/shorewall/actions.std.
4) Logging is now supported in the snat file.
- Log levels may be specified on SNAT, MASQUERADE and CONTINUE
rules.
- The NFLOG, ULOG and LOG actions are now supported.
See shorewall-snat(5) for details.
5) A logging manpage (shorewall-logging(5)) has been added.
6) The IPMI macro now includes support for Redfish remote consoles.
7) The Sample configuration files now use logical interface names to
simplify adapting them to fit the newer interface naming
convention adopted by the kernel.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 8
----------------------------------------------------------------------------
1) This release includes defect repair through Shorewall 5.1.7.2.
2) The copyright dates and product version comments have been updated
in a number of files.
3) The undocumented and unmaintained Makefile files for Shorewall-lite
and Shorewall6-lite have been removed from Shorewall and Shorewall6
respectively.
4) The 'dump' command logic now does a better job of detecting
and suppressing the printing of empty IPSec SPD entries.
5) A number of issues with persistent providers that resulted in
'ip rule add' and 'ip route add' failures have been corrected. The
most common scenario involved a 'reload' while a persistent
interface was disabled.
6) Previously, the generated script contained incorrect logic for
deleting default routes with metric zero ('balanced' routes and
routes generated by 'fallback=nn'); the logic only worked correctly
when applied to the 'main' routing table. It now works correctly
for all routing tables.
7) The 'ip xfrm policy' command ignores the -4 and -6 options and
dumps the policies for both address families. This release contains
a workaround that suppresses entries for the other family.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 8
----------------------------------------------------------------------------
1) For historical reasons, Shorewall has always assumed that LOG target
support is present unless proven otherwise. While this has worked
correctly when a capabilities file is used and when
LOAD_HELPERS_ONLY=No, it can generate an unworkable firewall
script when LOAD_HELPERS_ONLY=Yes.
Beginning with this release, Shorewall will treat LOG target like
any other capability and will verify its presence in all cases
where the target is used.
2) The level 4 optimizer now does a better job of handling small
chains with rules specifying an IPSEC policy. This can result in
elimination of these chains.
3) Beginning with this release, when RESTORE_DEFAULT_ROUTE=Yes the
default route is only restored when there are no enabled
'balance/primary' providers and no enabled fallback providers.
Also beginning with this release, if the default route(s) have been
restored to the 'main' table, and a fallback provider is
successfully enabled, the default route(s) are removed from the
main table.
4) Because restoring default routes to the main routing table can
break the ability of Foolsm and other link status monitors to
properly detect non-functioning provider links, a warning message
is now issued when the 'persistent' provider option is specified
and RESTORE_DEFAULT_ROUTE=Yes.
WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
may not work as expected
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 7
----------------------------------------------------------------------------
5.1.7.2
1) Previously during the opening of a configuration file, if SELinux
denied the "getattr" (stat) request, then the compiler would skip
processing of the file as if it did not exist. Now, if "getattr"
fails for any reason other than that the file does not exist, an
error is raised.
ERROR: Unable to access :
2) Previously, when a range was passed to the MARK() action (mangle
file), any specified protocol, port and time restrictions were
ignored. Now these elements are included in the rule.
5.1.7.1
1) Previously, the 'reenable' command failed on a persistent provider
interface with a message similar to the following:
RTNETLINK answers: File exists
ERROR: Command "/sbin/ip -4 rule add from 10.2.10.2 pref 20000
table IPv6Beta" Failed
That problem has been corrected and the 'reenable' command now
works properly on both persistent and non-persistent interfaces.
Note: The firewall script must be recompiled in order for this
change to become effective.
5.1.7
1) This release includes defect repair through Shorewall 5.1.6.1.
2) Previously, there was a typo in IPv4 Example 5 in the
shorewall-snat(5) manpage. The DEST column contained
eth0+myset[dst]
which should have been
eth0:+myset[dst]
That has been corrected.
3) Previously, specifying an ipset name in the DEST column of the IPv4
snat file had no effect. That has been corrected so that only
connections whose destination matches the ipset are affected by the
rule.
4) Previously, passing an invalid vlsm to the 'ipcalc' command could
result in a series of shell diagnostics beginning with:
shorewall: 3730: /home/teastep/bin/shorewall: Invalid VLSM: not
found
That has been corrected so that the correct message is issued:
ERROR: Invalid VLSM
(Tuomo Soini)
5) ADD_IP_ALIASES has defaulted to Yes for both Shorewall and
Shorewall6, leading to 'not found' errors during
start/reload/restart. Now, ADD_IP_ALIASES=No is the default for
IPv6 and may not be changed.
6) When Shorewall-init was configured to save ipsets, it could leave
behind an empty or useless .tmp file if no ipsets were saved. Now
that file is removed automatically.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 7
----------------------------------------------------------------------------
1) Loading of kernel modules has been streamlined (Tuomo Soini).
2) The MODULE_SUFFIX option in shorewall[6].conf has been
eliminated. Shorewall now finds modules, independent of their
filename suffix.
'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
setting.
3) When 'detect' is specified in the GATEWAY column for a provider,
the generated script now looks for an existing default route in
the provider's routing table to obtain the provider's default
gateway. This is useful when dhcpcd5 is installed, since the .lease
files created by dhcpcd5 are binary coded and are hence not usable
for learning the configured gateway.
4) The Shorewall Event actions (IfEvent, SetEvent and ResetEvent) now
accept DNAT and REDIRECT as the argument. For DNAT, a
server address must be specified in the DEST column. A server port
may NOT be specified in the DEST column, so the port number cannot
be changed by the action.
5) Shorewall now supports Docker configurations that create the
DOCKER-INGRESS chain in the filter table.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 6
----------------------------------------------------------------------------
1) This release contains defect repair through Shorewall 5.1.5.2.
2) http://www.shorewall.net/shorewall_extension_scripts.htm states
that $SHAREDIR and $CONFDIR can be used in extension scripts, but that
has not been true for some time. Beginning with this release, those
variables are once again available in the generated script.
3) Under very rare circumstances, when OPTIMIZE level 8 was used,
messages such as the following could be issued during compilation:
Use of uninitialized value in hash element at
/usr/share/shorewall/Shorewall/Rules.pm line 818.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Rules.pm line 823.
That has been corrected.
4) Previously, Shorewall's treatment of wildcard interfaces differed
from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
while Netfilter did. Beginning with this release, Shorewall is
consistent with Netfilter.
5) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorewall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
6) To prevent other init systems from starting the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables-restore '--wait' option, if
available, is used. This change introduces a new
RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
7) Previously, the RDP macro only allowed TCP traffic, even though RDP
also requires UDP. That has been corrected so that both protocols
are allowed.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 6
----------------------------------------------------------------------------
1) The SPARSE option in shorewallrc originally caused only
shorewall[6].conf to be installed in /etc/shorewall[6], but later
the conntrack and params files were also installed. To prevent
these additional files from being installed, SPARSE may now be set
to 'Very', either by editing the file directly or by using the
configure or configure.pl scripts.
This setting is recommended if you wish to use a single set of
configuration files for both IPv4 and IPv6 as described at
http://www.shorewall.org/SharedConfig.html.
2) Two new run-time extensions scripts have been added:
- enabled
Invoked when an optional interface has been successfully enabled
using the 'enable' command.
- disabled
Invoked when an optional interface has been successfully disabled
using the 'disable' command.
Like all run-time extension scripts, the contents of each script
are placed in a function body. In the case of these new scripts,
the function is passed arguments:
$1 = the physical name of the interface
$2 = the logical name of the interface
$3 = the name of the Provider, if any, associated with the
interface.
3) When a zone (z1) is defined to be a sub-zone of another zone (z2),
the compiler now verifies that the two zones have at least one
interface in common. If they do not, a warning message is
generated:
WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
zones have no interface in common
4) Runtime address variables may now be used as the server IP address
and Runtime port variables may be used as the server port in DNAT
rules.
Example:
DNAT net $FW:&eth1:%{PORT} tcp 9999
5) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorewall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
6) To prevent problems when other init systems start the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables '--wait' option, if
available, is used. The amount of time to wait is determined by the
setting of MUTEX_TIMEOUT (default 60 seconds). This change
introduces a new RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
7) Previously, the sample configuration files specified
MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified
MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based
systems. Beginning with this release, the default .conf files also
specify MODULE_SUFFIX="ko ko.xz".
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 5
----------------------------------------------------------------------------
5.1.5.2
1) Previously, specifying a USER in the OUTPUT section of the
accounting file caused the compiler to incorrectly generate the
following error message:
ERROR: USER/GROUP may only be specified in the OUTPUT section
That has been corrected, and no error message is generated in this
case.
2) When BASIC_FILTERS=Yes, the compiler previously generated an
invalid tc command when a source port was specified in a
tcfilters entry. The compiler now generates correct input in this
case.
3) Previously, a MAC address could be specified in the OUTPUT
section of the accounting file and no error would be generated at
compile time. A failure would occur, however, at run-time. Now, an
error is raised during compilation.
5.1.5.1
1) To compensate for the presence of a masq file with no entries,
the compiler will now attempt to process the snat file when such a
masq file is found. Previously, if a masq file with no entries was
found, the snat file, if any, was ignored.
2) Previously, maintainers could not create reproducible packages
because the 'configure' and 'configure.pl' scripts inserted the
current date and time into the generated shorewallrc file.
To support reproducible package builds, the scripts now recognize
the SOURCE_DATE_EPOCH environmental variable (see
https://reproducible-builds.org/specs/source-date-epoch/).
The change to 'configure' was supplied by Bernhard M. Wiedemann.
5.1.5
1) This release contains defect repair through Shorewall 5.1.4.4.
2) Previously, when 0 was used as a port number or when a port number
> 65535 was specified, an 'uninitialized variable' Perl exception
occurred when the compiler attempted to issue an error
message. That has been corrected.
3) When running with Perl 5.26, messages such as the following could
be issued:
Unescaped left brace in regex is deprecated here (and will be
fatal in Perl 5.30), passed through in regex; marked by <-- HERE
in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
/usr/share/shorewall/Shorewall/Config.pm line 2343.
That problem has been corrected.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 5
----------------------------------------------------------------------------
1) Run-time port variables are now supported. See
http://www.shorewall.org/configuration_file_basics.htm#Port_Variables
for details.
2) The Shorewall and Shorewall6 manpages are now consolidated. Almost
all of the Shorewall6 manpages are manpage aliases for the
corresponding Shorewall manpages which describe the files for both
products.
3) There is now a FIN standard action which handles TCP packets with
the FIN, ACK and PSH flags set.
4) According to the Netfilter team (see
https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
of the NFLOG target has never worked correctly, and they have
deprecated that option in favor of the --nflog-size option. To
accommodate this change, there is now an "--nflog-size support"
(NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE option in
shorewall[6].conf.
For further information, see the Migrations Issues item number 8.
5) The RESTORE_DEFAULT_ROUTE option has now been added to
shorewall6.conf. Prior to this release, RESTORE_DEFAULT_ROUTE=Yes
has always been assumed for Shorewall6 configurations.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 4
----------------------------------------------------------------------------
5.1.4.4
1) A defect in 5.1.4.3 caused a startup failure when two or more
'fallback' providers were configured. That has been corrected.
5.1.4.3
1) When running on prior-generation distributions such as RHEL6,
IPv6 multi-ISP configurations failed to start due to an error such as
the following:
ERROR: Command "ip -6 -6 route replace default scope global
table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1"
Failed
Such configurations now start successfully.
5.1.4.2
1) Many broken links in the manpages have been corrected.
2) Support for the NFQUEUE '--queue-cpu-fanout' option, introduced in
Shorewall 5.1.0, contained a defect which could result in the
following compile-time error:
Use of uninitialized value $fanout in concatenation (.) or string
at /usr/share/shorewall/Shorewall/Rules.pm line 643,
<$currentfile> line 2.
That has been corrected.
5.1.4.1
1) The introductory material in shorewall-rules(5) has been cleaned
up.
2) The information about LOGFORMAT in shorewall[6].conf(5) and
shorewall[6]-zones(5) has been expanded.
In Shorewall 5.1.0, the setting of LOGFORMAT in the default and
sample .conf files was changed to "%s:%s " to enable 10-character
zone names (up from 5 characters using the default
"Shorewall:%s:%s:" setting). As part of this change, if a
shorewall.conf file which did not set LOGFORMAT is updated using
"shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to
preserve the existing behavior.
This can have an effect on new installations, however, in that
scripts or log analyzers can no longer be configured to simply look
for "Shorewall:" in log messages unless the setting of LOGFORMAT is
changed. The manpages (and the Migration Considerations below) have
been updated to describe how to locate these messages using the new
"%s:%s " setting.
3) The BLACKLIST action was inadvertently omitted from Shorewall6 in
Shorewall 5.1.1. That has been corrected.
5.1.4.1
1) The introductory material in shorewall-rules(5) has been cleaned
up.
2) The information about LOGFORMAT in shorewall[6].conf(5) and
shorewall[6]-zones(5) has been expanded.
In Shorewall 5.1.0, the setting of LOGFORMAT in the default and
sample .conf files was changed to "%s:%s " to enable 10-character
zone names (up from 5 characters using the default
"Shorewall:%s:%s:" setting). As part of this change, if a
shorewall.conf file which did not set LOGFORMAT is updated using
"shorewall update", LOGFORMAT is set to "Shorewall:%s:%s:" to
preserve the existing behavior.
This can have an effect on new installations, however, in that
scripts or log analyzers can no longer be configured to simply look
for "Shorewall:" in log messages unless the setting of LOGFORMAT is
changed. The manpages (and the Migration Considerations below) have
been updated to describe how to locate these messages using the new
"%s:%s " setting.
3) The BLACKLIST action was inadvertently omitted from Shorewall6 in
Shorewall 5.1.1. That has been corrected.
5.1.4
1) This release contains defect repair through Shorewall 5.1.3.1.
2) Previously, if a Shorewall Variable ( e.g., @chain ) was the target
of a conditional ?RESET directive (one that was enclosed in ?if...
?else...?endif logic), the compiler could incorrectly use an
existing chain created from the action rather than creating a new
(and different) chain. That has been corrected.
3) Previously, if alternate input format specified a column that had
already been specified, the contents of that column were silently
overwritten. Now, a warning message is issued stating that the
prior value has been replaced by the newer value.
4) Previously, a string-valued interface option, such as
'physical', could be given an empty value (e.g., "physical=,"), and
the compiler would fail to flag it. Now, this usage raises an
error.
5) Previously, the 'tunnel-src' and 'tunnel-dst' zone options would
generate an error under Shorewall6. That has been corrected.
6) A number of small documentation corrections have been made.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 4
----------------------------------------------------------------------------
1) All IPv6 standard actions have been deleted and their logic
has been added to their IPv4 counterparts who can now handle
both address families.
2) Previously, ?error and ?require messages as well as verbose ?info
and ?warning messages (those that report the file and line numbers)
generated from an action file would report the action file name and
line number rather than the file and line number where the action
was invoked. The file and line number where the action was invoked
were listed second. Beginning with this release, the invoking file
and line number are listed first and the action file and line number
are not reported. This allows for creation of clearer messages.
Example:
Previously, when an invalid value was passed for the 'bricks'
parameter to the GlusterFS action on line 45 of the rules file, a
message such as the following was issued (folded to 76 columns):
ERROR: Invalid value for Bricks (2000)
/usr/share/shorewall/action.GlusterFS (line 15)
from /etc/shorewall/rules (line 45)
Note that the message seems to imply that the error is in
action.GlusterFS rather than in the rules file.
Beginning with this release, the message will be:
ERROR: Invalid value (2000) for the GlusterFS Bricks argument
/etc/shorewall/rules (line 45)
Note: This change only affects actions, including inline actions.
Macros will continue to report the old way.
3) IPv6 UPnP support (including MINIUPNPD) is now available.
4) A PERL_HASH_SEED option has been added to allow the Perl hash seed
to be specified. See shorewall.conf(5) and perlsec(1) for details.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 3
----------------------------------------------------------------------------
5.1.3.1
1) There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3
sample config files, which resulted in a compilation error.
That typo has been corrected.
2) There was also a typo in the two-interface IPv4 sample snat file;
192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has
been corrected.
3) Previously, when processing the policy file, 'all+' was incorrectly
treated the same as 'all'. That has been corrected so that 'all+'
causes intra-zone traffic to be included in the policy.
5.1.3
1) This release includes defect repair for releases through 5.1.2.4.
2) The documentation for 'reload' has been corrected:
- A command synopsis has been added in shorewall(8).
- The command synopsis in the 'help' output has been corrected.
3) The CONFIG_PATH setting has been corrected in the IPv6 Universal
sample configuration.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 3
----------------------------------------------------------------------------
1) The tarball installers and uninstallers have been unified and
now use a common library that is included in each tarball (Matt
Darfeuille).
2) The installers now print a diagnostic if the relevant shorewallrc
file cannot be loaded (Matt Darfeuille).
3) The /etc/default/... files installed on Debian are now dependent on
whether systemd is used or not (Matt Darfeuille).
4) In Perl 5.8.1 and again in 5.18.0, the Perl developers altered the
behavior of the hash function used in the implementation of
hashes. The hash key is now chosen randomly as a defense against
DOS attacks targeting Perl programs. Such attacks supply input data
that causes a single hash bucket to be used. While those changes
improved security, they cause non-deterministic program behavior
when the 'keys', 'values' and 'each' functions are used.
Prior to this release, Shorewall sorted the lists produced by those
functions to ensure that consecutive compilations of the same
configuration produced the same ruleset. In this release,
compilation speed has been improved by removing the sort calls and
by instructing Perl to use a constant hash key.
Note: The ruleset produced by this release will be equivalent
to that produced by 5.1.2, but will likely be different.
5) All builtin actions have been replaced with standard actions. In
some cases, the standard action produces different but equivalent
rules when compared to those produced by the corresponding builtin
action.
6) The PROTO columns may now specify tcp:!syn (6:!syn) which matches
TCP packets with the SYN flag reset or one or more of ACK, RST or
FIN set. The dropNotSyn and rejNotSyn actions have been modified to
use this feature.
7) During 'update', the settings of all _LEVEL and _DEFAULT options
are now enclosed in quotes. This is done because these settings
often contain parentheses and the .conf files are processed by
the shell. The sample configurations also have these settings
enclosed in quotes.
Update will continue to also enclose in quotes any settings that
contains characters other than alphanumeric, '/', and '.'.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 2
----------------------------------------------------------------------------
1) Previously, when the 5.1 CLI program was run with no command given,
a shell exception was raised. That has been corrected (Tuomo
Soini).
2) A caution has been added in shorewall[6]-rtrules regarding
similar rules at the same priority.
3) The 'dropBcasts' builtin action now works with
Shorewall6. Previously, an attempt to use that action failed with a
'missing action file' error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 2
----------------------------------------------------------------------------
1) Terminology change. What we've previously referred to as "default
actions" are now called "policy actions" to better describe their
purpose.
2) The DROP_DEFAULT, REJECT_DEFAULT, etc. options may now specify a
comma-separated list of actions rather than just a single
action. The actions are invoked in the order in which they are
listed and each action may optionally be followed by a colon (":")
and a log level.
The POLICY column in shorewall[6]-policy can now specify a
similar list of actions. In that file, the list may be preceded by
a plus sign ("+"), in which case the listed actions will be in
addition to those listed in the related _DEFAULT setting in
shorewall[6].conf.
3) With the preceding change, the Drop and Reject policy actions are
now deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
the reader to http://www.shorewall.net/Actions.html#Default.
4) A LOG_LEVEL option has been added to shorewall[6].conf with default
value 'info'. The sample config files have been updated to use
$LOG_LEVEL rather than 'info' so that changing this option's
setting will change all default packet logging. Like with any
option, $LOG_LEVEL can be used throughout the configuration (with
the exception of shorewall[6]-params).
5) The LIMIT column in shorewall[6]-policy has been renamed RATE for
consistency with shorewall[6]-rules. No change is required to
existing configurations, including those that specify 'limit' in
alternate input format.
6) Beginning with this release, the allowBcast, dropBcast, and
Broadcast actions no longer handle multicast. Multicast is handled
separately in actions allowMcast, dropMcast and Multicast. The
now-deprecated Drop and Reject actions have been modified so that
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 1
----------------------------------------------------------------------------
1) This release contains defect repair up through Shorewall 5.1.0.1.
2) Previously, expanded variables would be enclosed in single quotes
in ?ERROR, ?WARNING and ?INFO directive output. That has been
corrected.
3) The obsolete Drop and Reject macros have been removed (Drop and
Reject are now actions rather than macros).
4) A typo has been corrected in the parameter descriptions in
action.Drop and action.Reject.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 1
----------------------------------------------------------------------------
1) Previously, the compiler did not check for routefilter/provider
issues. Now, a fatal compilation error is raised in the following
cases:
a) USE_DEFAULT_RT=Yes, ROUTE_FILTER=Yes in shorewall.conf and a
regular provider (not tproxy) is defined in the
providers file.
b) USE_DEFAULT_RT=Yes and a provider interface specifies a
non-zero value for the 'routefilter' option in the interfaces
file.
c) USE_DEFAULT_RT=No, ROUTE_FILTER=Yes in shorewall.conf, and
a provider interface doesn't specify the 'balance' or 'primary'
option in the providers file.
d) USE_DEFAULT_RT=No, a provider interface specifies the non-zero
value for the 'routefilter' option in the interfaces file but
does not specify the 'balance' or 'primary' option in the
providers file.
2) When 'routefilter' is specified by itself or with a non-zero value
(e.g., routefilter=1), the 'logmartians' option is now also set
implicitly when LOG_MARTIANS=No. If you actually want route
filtering without logging, then you must also include
'logmartians=0'.
3) Since the creation of the USE_DEFAULT_RT option, when
USE_DEFAULT_RT=Yes, 'balance=1' is assumed on all provider
interfaces unless 'fallback', 'load', 'primary', 'loose' or
'tproxy' is specified. This makes it awkward to define a provider
that does not generate a default route in either the 'balance' or
'default' routing tables; it is necessary to specify 'loose' then
add the routing rules that are suppressed by that option.
To address this issue, it is now possible to specify
BALANCE_PROVIDERS=No. When BALANCE_PROVIDERS=No and none of the
above-listed options is specified, the provider will generate no
entry in the 'balance' or 'default routing tables irrespective of
the setting of USE_DEFAULT_RT.
All of the released shorewall[6].conf files now specify
BALANCE_PROVIDERS=No. The default value is the effective setting of
USE_DEFAULT_RT to provide backward compatibility with earlier
releases.
4) When using ipset-based dynamic blacklisting, it is now possible to
specify BLACKLIST in the POLICY column of policy files. When
BLACKLIST is specified, the source IP address is automatically
added to the dynamic blacklist ipset and then the packet is
dropped. This new policy adds BLACKLIST_DEFAULT to
shorewall[6].conf; the default setting is "Drop".
5) A BLACKLIST action has been added; the action adds the sender to
the dynamic blacklist IPSET.
BLACKLIST accepts two optional arguments:
1 - Action to take after adding the sender to the ipset. Default is
DROP.
2 - specifies the timeout for the added/updated entry.
If no timeout is passed, the one specified in
DYNAMIC_BLACKLIST, if any, is used. Otherwise, the one specified
when the ipset was created, if any, is used.
6) Given that there was already a BLACKLIST macro which implemented
the BLACKLIST action in blrules, the preceding change required that
BLACKLIST behave differently when invoked from the blrules file and
when invoked from the rules file. Because BLACKLIST invoked from
the rules file normally generates two rules, an action (not
inlined) is more appropriate there than is a macro. When it is
invoked from the blrules file, it only generates a single rule so
the optimizer will inline it anyway.
For historical reasons, the compiler treats the blrules file as if
it were the section BLACKLIST in the rules file. So, to implement
this dual behavior in the BLACKLIST action, a new 'section' option
has been added in the action file. When 'section' is specified, the
name of the current section and a comma are prepended to the
argument list passed when invoking the action. The action.BLACKLIST
file then has the following structure:
?if @1 eq 'BLACKLIST'
?else
?endif
7) There is now a 'show action ' command for Shorewall and
Shorewall6. The command displays the action file for the specified
.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 1 . 0
----------------------------------------------------------------------------
5.1.0.1
1) Shorewall6-lite 5.1.0 failed to start under systemd. That has
been corrected.
2) Previously, the setting of PAGER in shorewall[6].conf was not
propagated to a remote configuration during 'export',
'remote-start', 'remote-reload' and 'remote-restart'. That has been
corrected.
5.1.0
1) This release includes defect repair through Shorewall 5.0.15.2.
2) A defect associated with CHAIN_SCRIPTS=Yes previously prevented
some of the optimizations associated with optimize level 4 from
being applied. Removal of the CHAIN_SCRIPT option (see below) has
eliminated the defect.
3) The install.sh and uninstall.sh have had some minor cleanup (Matt
Darfeuille).
4) Previously, when SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4, the restore
phase of a rejected safe-restart would fail. That has been
corrected.
5) It is now possible to include compact IPv6 addresses (those with
"::") in IP6TABLES() parameters. Previously, such addresses
resulted in an "INVALID ACTION..." error.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 1 . 0
----------------------------------------------------------------------------
1) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. Its
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:
Shorewall 5.0 Shorewall 5.1
shorewall shorewall
shorewall6 shorewall -6
shorewall-lite shorewall -l
shorewall6-lite shorewall -6l
Only Shorewall-lite and Shorewall6-lite installed:
Shorewall 5.0 Shorewall 5.1
shorewall-lite shorewall
shorewall6-lite shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
2) Several settings in the default/sample .conf files have been
modified:
a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:"
to "%s %s " to enable longer zone names.
b) The LOGLIMIT setting has been changed from empty to
"s:1/sec:10", to enable log throttling by default.
c) The AUTOMAKE setting has been changed from "No" to "Yes", to
avoid unnecessary recompilation.
d) The IP_FORWARDING setting has been changed from "On" to "Keep"
in shorewall.conf to accommodate cases where forwarding has been
configured before installing Shorewall.
e) The OPTIMIZE setting has been changed to "All", to create more
compact rulesets by default.
f) TC_CLEAR has been set to "No" in the shorewall6.conf files.
3) The allowed syntax in the SOURCE and DEST columns in the rules file
has been extended to allow multiple comma-separated
:[:][] tuples in a single
rule. Where the lists multiple addresses separated
by commas, the must be enclosed in parentheses.
Example: net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)
See shorewall[6]-rules(5) for details.
A similar change has been made to the conntrack and mangle files,
where multiple : groups can be specified:
Example: eth0:(1.2.3.4,2.3.4.5),eth1(5.6.7.8,6.7.8.9)
See shorewall[6]-conntrack(5) and shorewall[6]-mangle(5) for
details.
4) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
See http://www.shorewall.org/Shorewall-5.html#idp41228128.
5) The --queue-cpu-fanout NFQUEUE option is now supported in NFQUEUE
rules and policies. It is enabled by following the high queue
number with the letter 'c' (e.g., NFQUEUE(0:3c)). This option
requires 'NFQUEUE CPU Fanout' support in your kernel and
ip[6]tables.
6) A SWITCH column has been added to the mangle files. See
shorewall[6]-mangle(5) for details.
7) A 'show ipsec' command has been added. This command displays the
contents of the IPSEC "Security Policy Database" (SPD) and
"Security Association Database" (SAD). SAD keys are not shown.
8) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
9) In the released tarballs, the action.* files now reside in a
separate Actions/ directory.
10) The 'echo' builtin in recent versions of the dash shell does not
support the -n option. To accommodate that version, Shorewall no
longer uses either the -e or -n options.
11) When LOAD_HELPERS_ONLY=No, additional modules required for NAT are
now loaded.
12) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
1
shorewall-init-5.1.12.2/shorewall-init.service 0000664 0000000 0000000 00000000725 13243347103 017730 0 ustar root root #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
#
[Unit]
Description=Shorewall firewall (bootup security)
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall-init
StandardOutput=syslog
ExecStart=/sbin/shorewall-init start
ExecStop=/sbin/shorewall-init stop
[Install]
WantedBy=basic.target
shorewall-init-5.1.12.2/ifupdown.debian.sh 0000664 0000000 0000000 00000005452 13243347103 017017 0 ustar root root #!/bin/sh
#
# Debian ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
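setstatedir() {
    # Resolve STATEDIR for the current $PRODUCT and, for the products
    # that can compile on demand, make sure ${STATEDIR}/firewall exists.
    #
    # Globals (read):    CONFDIR, PRODUCT, VARLIB, SBINDIR
    # Globals (written): STATEDIR
    #
    # ${CONFDIR}/${PRODUCT}/vardir may set VARDIR to relocate the state
    # directory; it is sourced in a subshell so that nothing else it
    # defines leaks into this script. Without an override, STATEDIR
    # defaults to ${VARLIB}/${PRODUCT}.
    local statedir
    local vardirfile

    vardirfile="${CONFDIR}/${PRODUCT}/vardir"

    if [ -f "$vardirfile" ]; then
        statedir=$( . "$vardirfile" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    # Only shorewall and shorewall6 are compiled here when the firewall
    # script is missing; nothing is done for any other product.
    if [ ! -x "${STATEDIR}/firewall" ]; then
        case $PRODUCT in
            shorewall)
                "${SBINDIR}/shorewall" compile
                ;;
            shorewall6)
                "${SBINDIR}/shorewall" -6 compile
                ;;
        esac
    fi
}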
Debian_ppp() {
    # Entered when this script runs as a pppd hook. Keeps only the
    # products of the address family implied by the hook path ($0) and
    # derives COMMAND (up/down) from that path.
    #
    # Arguments:         $1 - interface name
    # Globals (read):    PRODUCTS
    # Globals (written): PRODUCTS, NEWPRODUCTS, INTERFACE, COMMAND
    # Exits 0 when $0 is neither an IPv4 nor an IPv6 ppp hook path.
    NEWPRODUCTS=
    INTERFACE="$1"

    case $0 in
        /etc/ppp/ip-*)
            # IPv4 hook: keep the IPv4 products only
            for product in $PRODUCTS; do
                case $product in
                    shorewall|shorewall-lite) NEWPRODUCTS="$NEWPRODUCTS $product" ;;
                esac
            done
            ;;
        /etc/ppp/ipv6-*)
            # IPv6 hook: keep the IPv6 products only
            for product in $PRODUCTS; do
                case $product in
                    shorewall6|shorewall6-lite) NEWPRODUCTS="$NEWPRODUCTS $product" ;;
                esac
            done
            ;;
        *)
            exit 0
            ;;
    esac

    PRODUCTS="$NEWPRODUCTS"

    # "up" when $0 contains the literal text "up/", otherwise "down".
    # NOTE(review): a hook installed under a directory such as .../ip-up.d/
    # does not contain "up/" and would be treated as "down" — verify against
    # the path the installer actually uses.
    if [ "${0#*up/}" != "$0" ]; then
        COMMAND=up
    else
        COMMAND=down
    fi
}
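IFUPDOWN=0
PRODUCTS=

#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

# Site settings (PRODUCTS, IFUPDOWN, LOGFILE, ...): Debian keeps them in
# /etc/default, other distributions in /etc/sysconfig.
if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
fi

# Nothing to do unless hook handling is enabled and a product is configured
[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0

case $0 in
    /etc/ppp*)
        #
        # Debian ppp: pppd passes the interface name as $1, so the script's
        # positional parameters must be forwarded (Debian_ppp reads its own $1)
        #
        Debian_ppp "$@"
        ;;
    *)
        #
        # Debian ifupdown system: interface and phase come from the
        # environment (IFACE, MODE)
        #
        INTERFACE="$IFACE"

        case $MODE in
            start)
                COMMAND=up
                ;;
            stop)
                COMMAND=down
                ;;
            *)
                exit 0
                ;;
        esac
        ;;
esac

[ -n "$LOGFILE" ] || LOGFILE=/dev/null

for PRODUCT in $PRODUCTS; do
    setstatedir

    # Use the directory setstatedir resolved (it honours a vardir override)
    # rather than assuming ${VARLIB}/${PRODUCT}. A failing firewall script is
    # logged but never fails the hook.
    if [ -x "${STATEDIR}/firewall" ]; then
        # INTERFACE is deliberately unquoted so that an empty value does not
        # become an empty argument.
        # shellcheck disable=SC2086
        "${STATEDIR}/firewall" -V0 "$COMMAND" $INTERFACE >> "$LOGFILE" 2>&1 || true
    fi
done

exit 0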
shorewall-init-5.1.12.2/init.fedora.sh 0000775 0000000 0000000 00000006345 13243347103 016152 0 ustar root root #! /bin/bash
#
# chkconfig: - 09 91
# description: Initialize the shorewall firewall at boot time
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Initialize the shorewall firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
#determine where the files were installed
. /usr/share/shorewall/shorewallrc

prog="shorewall-init"
logger="logger -i -t $prog"
lockfile="/var/lock/subsys/shorewall-init"

# Source function library (provides success, failure and status).
. /etc/rc.d/init.d/functions

# Get startup options (override default)
OPTIONS=

# shorewall-init is unusable without its sysconfig file: exit 6 (LSB "not
# configured") when it is missing, otherwise load it.
if ! [ -f "/etc/sysconfig/shorewall-init" ]; then
    printf '%s\n' "/etc/sysconfig/shorewall-init not found"
    exit 6
fi

. /etc/sysconfig/shorewall-init
# set the STATEDIR variable
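setstatedir() {
    # Resolve STATEDIR for $PRODUCT and make sure ${STATEDIR}/firewall is
    # executable, compiling it on demand for shorewall and shorewall6.
    #
    # Globals (read):    CONFDIR, PRODUCT, VARLIB, SBINDIR
    # Globals (written): STATEDIR
    # Returns: 0 when the firewall script is already present; the status of
    #          the compile for shorewall/shorewall6; 1 for any other product
    #          that has no firewall script.
    local statedir
    local vardirfile="${CONFDIR}/${PRODUCT}/vardir"

    # An optional per-product vardir file may relocate the state directory
    # (VARDIR). It is sourced in a subshell so nothing else in it leaks here.
    if [ -f "$vardirfile" ]; then
        statedir=$( . "$vardirfile" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    fi

    case $PRODUCT in
        shorewall)
            "${SBINDIR}/shorewall" compile
            ;;
        shorewall6)
            "${SBINDIR}/shorewall" -6 compile
            ;;
        *)
            return 1
            ;;
    esac
}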
# Initialize the firewall
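start () {
    # Put every configured product's firewall into its "stopped" (safe)
    # state before the network comes up.
    #
    # Globals (read):    PRODUCTS, SAVE_IPSETS, OPTIONS, logger, lockfile
    # Globals (written): STATEDIR (via setstatedir), retval
    # Returns: 0 on success; 6 when nothing is configured or a product has
    #          no firewall script; otherwise the failing firewall script's
    #          exit status.
    local PRODUCT
    local STATEDIR

    if [ -z "$PRODUCTS" ]; then
        echo "No firewalls configured for shorewall-init"
        failure
        return 6 #Not configured
    fi

    printf "Initializing \"Shorewall-based firewalls\": "

    # Restore the ipset contents saved by stop. The file is fed to
    # 'ipset -R' as root, so it must only be writable by root.
    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi

    retval=6 #Stays 6 when PRODUCTS names no product at all

    for PRODUCT in $PRODUCTS; do
        setstatedir
        retval=$?

        if [ "$retval" -eq 0 ]; then
            # OPTIONS is a word list and logger a command string: both are
            # deliberately unquoted.
            # shellcheck disable=SC2086
            "${STATEDIR}/firewall" ${OPTIONS} stop 2>&1 | $logger
            # Status of the firewall script, not of the logger stage
            retval=${PIPESTATUS[0]}
            [ "$retval" -ne 0 ] && break
        else
            retval=6 #Product not configured
            break
        fi
    done

    if [ "$retval" -eq 0 ]; then
        touch "$lockfile"
        success
    else
        failure
    fi

    echo
    return "$retval"
}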
# Clear the firewall
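stop () {
    # Clear every configured product's firewall and, when SAVE_IPSETS is
    # set, save the current ipset contents for the next start.
    #
    # Globals (read):    PRODUCTS, SAVE_IPSETS, OPTIONS, logger, lockfile
    # Globals (written): STATEDIR (via setstatedir), retval
    # Returns: 0 on success; 6 when a product has no firewall script (or
    #          PRODUCTS names none); otherwise the failing firewall
    #          script's exit status.
    local PRODUCT
    local STATEDIR
    local tmpfile

    printf "Clearing \"Shorewall-based firewalls\": "

    retval=6 #Stays 6 when PRODUCTS names no product at all

    for PRODUCT in $PRODUCTS; do
        setstatedir
        retval=$?

        if [ "$retval" -eq 0 ]; then
            # OPTIONS is a word list and logger a command string: both are
            # deliberately unquoted.
            # shellcheck disable=SC2086
            "${STATEDIR}/firewall" ${OPTIONS} clear 2>&1 | $logger
            # Status of the firewall script, not of the logger stage
            retval=${PIPESTATUS[0]}
            [ "$retval" -ne 0 ] && break
        else
            retval=6 #Product not configured
            break
        fi
    done

    if [ "$retval" -eq 0 ]; then
        if [ -n "$SAVE_IPSETS" ]; then
            tmpfile="${SAVE_IPSETS}.tmp"
            mkdir -p "$(dirname "$SAVE_IPSETS")"
            # Keep the dump only if it contains at least one set definition
            # (either of the two formats 'ipset -S' has used); an empty or
            # failed dump must not replace the previous save file.
            if ipset -S > "$tmpfile" && grep -qE -- '^(-N|create )' "$tmpfile"; then
                mv -f "$tmpfile" "$SAVE_IPSETS" || rm -f "$tmpfile"
            else
                rm -f "$tmpfile"
            fi
        fi

        rm -f "$lockfile"
        success
    else
        failure
    fi

    echo
    return "$retval"
}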
status_q() {
    # Quiet wrapper around the init.d library's 'status': only the exit
    # status is of interest, all output is discarded.
    # NOTE(review): called without the program name that the 'status' case
    # arm passes ('status $prog') — confirm the library's status() accepts a
    # bare call.
    { status; } >/dev/null 2>&1
}
# Command dispatch. Note that the script exits 0 after start/stop
# regardless of the value those functions return.
case "$1" in
    start)
        # Already initialized: nothing to do
        status_q && exit 0
        start
        ;;
    stop)
        # Not initialized: nothing to clear
        status_q || exit 0
        stop
        ;;
    restart|reload|force-reload|condrestart|try-restart)
        echo "Not implemented"
        exit 3
        ;;
    status)
        status $prog
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac

exit 0
shorewall-init-5.1.12.2/configure.pl 0000775 0000000 0000000 00000013565 13243350236 015735 0 ustar root root #! /usr/bin/perl -w
#
# Shorewall Packet Filtering Firewall RPM configuration program - V4.5
#
# (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# Usage: ./configure.pl = ...
#
#
################################################################################################
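use strict;
#
# Build updates this
#
use constant {
    VERSION => '5.1.12.2'
};

use File::Basename;

my %params;   # NAME => value pairs given on the command line
my %options;  # settings read from the rc file, overridden by %params
#
# Alternative spellings accepted on the command line
#
my %aliases = ( VENDOR         => 'HOST',
                SHAREDSTATEDIR => 'VARLIB',
                DATADIR        => 'SHAREDIR' );

#
# Parse [--]name=value arguments; names are stored upper-cased
#
for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;

    my $pn = uc $1;
    my $pv = $2 || '';   # NOTE(review): '||' also maps a value of "0" to '' — confirm that is intended

    $pn = $aliases{$pn} if exists $aliases{$pn};

    $params{$pn} = $pv;
}

#
# The shorewallrc.* templates live next to this script
#
chdir dirname($0);

my $vendor = $params{HOST};
my $rcfile;
my $rcfilename;

#
# Value of the ID= line in /etc/os-release, read directly rather than
# through a shell pipeline. Returns '' when the file cannot be read or has
# no ID line.
#
sub os_release_id {
    my $id = '';

    open( my $fh, '<', '/etc/os-release' ) or return $id;

    while ( <$fh> ) {
        if ( /^ID=(.*)$/ ) {
            $id = $1;
            last;
        }
    }

    close $fh;

    return $id;
}

#
# True when /sbin/init is a symlink whose target mentions systemd
#
sub init_is_systemd {
    my $target = readlink( '/sbin/init' );

    return defined( $target ) && $target =~ /systemd/;
}

unless ( defined $vendor ) {
    #
    # No HOST given: derive it from /etc/os-release when that file exists
    #
    if ( -f '/etc/os-release' ) {
        my $id = os_release_id();

        if ( $id eq 'fedora' || $id eq 'rhel' ) {
            $vendor = 'redhat';
        } elsif ( $id eq 'opensuse' ) {
            $vendor = 'suse';
        } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
            $vendor = init_is_systemd() ? 'debian.systemd' : 'debian.sysvinit';
        } else {
            $vendor = $id;
        }

        #
        # HOST carries only the distribution; the init-system suffix is used
        # solely to select the rc file below
        #
        $params{HOST} = $vendor;
        $params{HOST} =~ s/\..*//;
    }
}

if ( defined $vendor ) {
    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
        $rcfilename = init_is_systemd() ? 'shorewallrc.debian.systemd' : 'shorewallrc.debian.sysvinit';
    } else {
        $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    }

    unless ( -f $rcfilename ) {
        die qq("ERROR: $vendor" is not a recognized host type);
    } elsif ( $vendor eq 'default' ) {
        $params{HOST} = $vendor = 'linux';
    } elsif ( $vendor =~ /^debian\./ ) {
        $params{HOST} = $vendor = 'debian';
    }
} else {
    #
    # Neither HOST= nor /etc/os-release: probe for distribution marker files
    #
    if ( -f '/etc/debian_version' ) {
        $vendor = 'debian';
        $rcfilename = init_is_systemd() ? 'shorewallrc.debian.systemd' : 'shorewallrc.debian.sysvinit';
    } elsif ( -f '/etc/redhat-release' ){
        $vendor = 'redhat';
        $rcfilename = 'shorewallrc.redhat';
    } elsif ( -f '/etc/slackware-version' ) {
        $vendor = 'slackware';
        $rcfilename = 'shorewallrc.slackware';
    } elsif ( -f '/etc/SuSE-release' ) {
        $vendor = 'suse';
        $rcfilename = 'shorewallrc.suse';
    } elsif ( -f '/etc/arch-release' ) {
        $vendor = 'archlinux';
        $rcfilename = 'shorewallrc.archlinux';
    } elsif ( `uname` =~ /^Darwin/ ) {
        $vendor = 'apple';
        $rcfilename = 'shorewallrc.apple';
    } elsif ( `uname` =~ /^Cygwin/i ) {
        $vendor = 'cygwin';
        $rcfilename = 'shorewallrc.cygwin';
    } else {
        $vendor = 'linux';
        $rcfilename = 'shorewallrc.default';
    }

    $params{HOST} = $vendor;
}

my @localtime = localtime;
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
#
# "Mon dd yyyy hh:mm:ss", used in the banner and in the shorewallrc header
#
my $stamp = sprintf( '%s %2d %04d %02d:%02d:%02d',
                     $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5], @localtime[2,1,0] );

if ( $vendor eq 'linux' ) {
    print "INFO: Creating a generic Linux installation - $stamp\n\n";
} else {
    print "INFO: Creating a $params{HOST}-specific installation - $stamp\n\n";
}

#
# Load NAME=value settings from the rc template; '#' comments are stripped
# first, so a value cannot contain '#'
#
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";

while ( <$rcfile> ) {
    s/\s*#.*//;

    unless ( /^\s*$/ ) {
        chomp;
        die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
        $options{$1} = $2;
    }
}

close $rcfile;

#
# Command-line settings override the rc file
#
while ( my ( $p, $v ) = each %params ) {
    $options{$p} = $v;
}

my $outfile;

open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

if ( $ENV{SOURCE_DATE_EPOCH} ) {
    #
    # Reproducible builds: the value is interpolated into a shell command
    # line, so only a plain non-negative integer is accepted
    #
    my $epoch = $ENV{SOURCE_DATE_EPOCH};

    die "ERROR: SOURCE_DATE_EPOCH must be a non-negative integer ($epoch)" unless $epoch =~ /^\d+$/;

    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, `date --utc --date=\"\@$epoch\"`;
} else {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, $stamp;
}

print $outfile "# rc file: $rcfilename\n#\n";
print $outfile "# Input: @ARGV\n#\n" if @ARGV;

#
# VARLIB and VARDIR: derive whichever of the two was not given
#
if ( $options{VARLIB} ) {
    unless ( $options{VARDIR} ) {
        $options{VARDIR} = '${VARLIB}/${PRODUCT}';
    }
} elsif ( $options{VARDIR} ) {
    $options{VARLIB} = $options{VARDIR};
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
}

$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};

#
# Emit the settings in a fixed order, both to stdout and to shorewallrc
#
for ( qw/ HOST
          PREFIX
          SHAREDIR
          LIBEXECDIR
          PERLLIBDIR
          CONFDIR
          SBINDIR
          MANDIR
          INITDIR
          INITSOURCE
          INITFILE
          AUXINITSOURCE
          AUXINITFILE
          SERVICEDIR
          SERVICEFILE
          SYSCONFFILE
          SYSCONFDIR
          SPARSE
          ANNOTATED
          VARLIB
          VARDIR
          DEFAULT_PAGER / ) {
    my $val = $options{$_} || '';
    print "$_=$val\n";
    print $outfile "$_=$val\n";
}

close $outfile;

1;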
shorewall-init-5.1.12.2/shorewall-init.service.debian 0000664 0000000 0000000 00000000756 13243347103 021155 0 ustar root root #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
# Copyright 2015 Tom Eastep
#
[Unit]
Description=Shorewall firewall (bootup security)
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/shorewall-init
StandardOutput=syslog
ExecStart=/sbin/shorewall-init start
ExecStop=/sbin/shorewall-init stop
[Install]
WantedBy=basic.target
shorewall-init-5.1.12.2/shorewallrc.cygwin 0000664 0000000 0000000 00000002374 13243350236 017157 0 ustar root root #
# Cygwin Shorewall 5.0 rc file
#
#
# Shell-syntax NAME=value settings. configure.pl strips '#' comments and
# then matches each remaining line against (\w+)=(.*), so a value must
# not contain '#'; NAME=value arguments given to configure.pl override
# these values in the generated shorewallrc.
#
BUILD=cygwin
HOST=cygwin
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Unused on Cygwin
INITFILE= #Unused on Cygwin
INITSOURCE= #Unused on Cygwin
ANNOTATED= #Unused on Cygwin
SERVICEDIR= #Unused on Cygwin
SERVICEFILE= #Unused on Cygwin
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on Cygwin
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.1.12.2/default.debian.sysvinit 0000664 0000000 0000000 00000001134 13243347103 020057 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# Sample: PRODUCTS="shorewall shorewall6"
#
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events
#
IFUPDOWN=0
#
# Set this to the name of the file that is to hold
# ipset contents. Shorewall-init will load those ipsets
# during 'start' and will save them there during 'stop'.
#
# The file is fed to 'ipset -R' as root at 'start', so it must be
# owned by root and not writable by anyone else.
#
SAVE_IPSETS=""
#
# Where Up/Down events get logged
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting)
# (passed unquoted to the product's firewall script, so this is a
# space-separated list of options)
OPTIONS="-V0"
# IOF