shorewall-init-5.2.3.4/ 0000775 0000000 0000000 00000000000 13531077635 013336 5 ustar root root shorewall-init-5.2.3.4/shorewallrc.default 0000664 0000000 0000000 00000003643 13531077635 017237 0 ustar root root #
# Default Shorewall 5.2 rc file
#
# One NAME=value per line; anything after '#' is a comment.  configure.pl
# strips the comment and takes everything after '=' as the value (quotes
# would become part of the value), merges in the NAME=value arguments it was
# given, and writes the result to ./shorewallrc.  That file is sourced by the
# init and ifupdown scripts at run time, so $PRODUCT and ${VARLIB} below are
# expanded by the sourcing shell, not by configure.pl.
#
BUILD= #Default is to detect the build system
HOST=linux #Generic Linux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (configure.pl also accepts the older name SYSTEMD for that directory). Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Per-product state directory (where the compiled firewall script lives); expanded when shorewallrc is sourced.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/shorewallrc.openwrt 0000664 0000000 0000000 00000003514 13531077635 017306 0 ustar root root #
# OpenWRT/LEDE Shorewall 5.2 rc file
#
# One NAME=value per line; anything after '#' is a comment.  configure.pl
# strips the comment and takes everything after '=' as the value (quotes
# would become part of the value), merges in the NAME=value arguments it was
# given, and writes the result to ./shorewallrc.  That file is sourced by the
# init scripts at run time, so $PRODUCT and ${VARLIB} below are expanded by
# the sourcing shell, not by configure.pl.
#
BUILD= #Default is to detect the build system
HOST=openwrt
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR= #Directory where manpages are installed (empty: no manpages on OpenWRT).
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script (an rc.common script)
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SERVICEDIR (configure.pl also accepts the older name SYSTEMD for that directory). Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Per-product state directory (where the compiled firewall script lives); expanded when shorewallrc is sourced.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/lib.uninstaller 0000664 0000000 0000000 00000004411 13531077635 016366 0 ustar root root #
# Shorewall 5.2 -- /usr/share/shorewall/lib.uninstaller
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# The purpose of this library is to hold the functions used by the product uninstallers.
#
#########################################################################################
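#######################################
# Print an error message to stderr and terminate the uninstaller.
# Arguments: the message words; they are joined with single spaces
# Outputs:   " ERROR: <message>" on stderr
# Returns:   does not return; exits with status 1
#######################################
fatal_error()
{
    # printf rather than echo: the message is data, so a leading '-n' or a
    # backslash sequence in it must not be interpreted.  "$*" is the correct
    # form inside one string ("$@" inside a string is ShellCheck SC2145).
    printf ' ERROR: %s\n' "$*" >&2
    exit 1
}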
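#######################################
# Turn a colon-separated list (typically $PATH) into a space-separated one.
# Arguments: $1 - the colon-separated list
# Outputs:   the elements joined by single spaces, followed by a newline
# Returns:   0
#######################################
split() {
    local ifs
    local flags
    local result

    ifs=$IFS
    flags=$-
    # Pathname expansion is switched off while the unquoted $1 is word-split,
    # so an element such as '*' comes back literally instead of being globbed
    # against the current directory.  The caller's -f setting is restored.
    set -f
    IFS=:
    set -- $1
    IFS=' '
    result=$*
    IFS=$ifs
    case $flags in
        *f*) ;;
        *) set +f ;;
    esac

    printf '%s\n' "$result"
}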
#######################################
# Run a command quietly, discarding both its stdout and its stderr.
# Arguments: the command and its arguments
# Returns:   the command's exit status (0 when no command is given)
#######################################
qt()
{
    "$@" 2>/dev/null 1>/dev/null
}
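#######################################
# Minimal 'which': look for an executable regular file named $1 on $PATH.
# Globals:   PATH (read)
# Arguments: $1 - program name
# Returns:   0 when found, 2 otherwise
#######################################
mywhich() {
    local dir

    # split() returns the PATH elements space-separated, so the unquoted
    # expansion is what re-splits them; PATH elements containing spaces are
    # not supported by this scheme.
    for dir in $(split "$PATH"); do
        # -f as well as -x: a directory named $1 would also pass -x alone.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            return 0
        fi
    done

    return 2
}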
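#######################################
# Remove one installed file (regular file or symlink) if it exists.
# Arguments: $1 - path of the file; an empty argument is ignored
# Outputs:   "<path> Removed" on stdout when something was removed
# Returns:   0
#######################################
remove_file() # $1 = file to remove
{
    if [ -n "$1" ]; then
        # -h catches a dangling symlink, which fails -f
        if [ -f "$1" ] || [ -h "$1" ]; then
            rm -f -- "$1"
            printf '%s Removed\n' "$1"
        fi
    fi
}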
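#######################################
# Recursively remove one installed directory if it exists.
# Arguments: $1 - path of the directory; an empty argument is ignored
#            (the -n guard is what keeps this from ever running 'rm -rf ""')
# Outputs:   "<path> Removed" on stdout when something was removed
# Returns:   0
#######################################
remove_directory() # $1 = directory to remove
{
    if [ -n "$1" ]; then
        if [ -d "$1" ]; then
            rm -rf -- "$1"
            printf '%s Removed\n' "$1"
        fi
    fi
}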
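#######################################
# Remove every file, symlink or directory matching a glob pattern.
# Arguments: $1 - the pattern (e.g. "/usr/share/shorewall/lib.*"); an empty
#            argument is ignored
# Outputs:   "<path> Removed" on stdout for each entry removed
# Returns:   0
#######################################
remove_file_with_wildcard() # $1 = file with wildcard to remove
{
    local f

    if [ -n "$1" ]; then
        # $1 is deliberately unquoted: this is where the glob is expanded.
        # When nothing matches, the literal pattern is iterated once, fails
        # every test below, and nothing is removed.
        for f in $1; do
            if [ -d "$f" ]; then
                rm -rf -- "$f"
                printf '%s Removed\n' "$f"
            elif [ -f "$f" ] || [ -h "$f" ]; then
                rm -f -- "$f"
                printf '%s Removed\n' "$f"
            fi
        done
    fi
}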
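#######################################
# Put back the pre-install copy of a file, if the installer saved one.
# Arguments: $1 - path of the installed file; the backup is "$1-shorewall.bkout"
# Outputs:   a blank line and "<path> restored" on stdout when restored
# Returns:   0; exits 1 if the backup exists but cannot be moved into place
#######################################
restore_file() # $1 = file to restore
{
    local backup

    backup=${1}-shorewall.bkout

    if [ -f "$backup" ]; then
        if mv -f -- "$backup" "$1"; then
            printf '\n%s restored\n' "$1"
        else
            # mv has already reported why on stderr; abort rather than leave
            # the backup and the installed file in an unknown state.
            printf ' ERROR: Unable to restore %s from %s\n' "$1" "$backup" >&2
            exit 1
        fi
    fi
}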
shorewall-init-5.2.3.4/shorewall-init.service.debian 0000664 0000000 0000000 00000000756 13531060406 021076 0 ustar root root #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
# Copyright 2015 Tom Eastep
#
[Unit]
Description=Shorewall firewall (bootup security)
# Ordered before network.target only.  The generic shorewall-init.service in
# this package uses Before=network-pre.target plus Wants=network-pre.target,
# the systemd target for units that must run before any interface is
# configured.  NOTE(review): confirm whether this unit should do the same;
# otherwise interfaces may be brought up before the closed rule set is loaded.
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
# The leading '-' makes a missing /etc/default/shorewall-init non-fatal.
EnvironmentFile=-/etc/default/shorewall-init
StandardOutput=syslog
ExecStart=/sbin/shorewall-init start
ExecStop=/sbin/shorewall-init stop
[Install]
WantedBy=basic.target
shorewall-init-5.2.3.4/shorewallrc.debian.systemd 0000664 0000000 0000000 00000003074 13531077635 020522 0 ustar root root #
# Debian Shorewall 5.2 rc file (systemd hosts)
#
# One NAME=value per line; anything after '#' is a comment.  configure.pl
# strips the comment and takes everything after '=' as the value (quotes
# would become part of the value), merges in the NAME=value arguments it was
# given, and writes the result to ./shorewallrc.  That file is sourced by the
# init and ifupdown scripts at run time, so $PRODUCT and ${VARLIB} below are
# expanded by the sourcing shell, not by configure.pl.
#
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
INITDIR= #Directory where SysV init scripts are installed (empty: systemd unit is used instead).
INITFILE= #Name of the product's installed SysV init script (empty: systemd unit is used instead)
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-empty, annotated configuration files are installed
SYSCONFFILE=default.debian.systemd #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE=$PRODUCT.service.debian #Name of the file to install in $SERVICEDIR (configure.pl also accepts the older name SYSTEMD for that directory). Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Per-product state directory (where the compiled firewall script lives); expanded when shorewallrc is sourced.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/shorewallrc.debian.sysvinit 0000664 0000000 0000000 00000003532 13531077635 020721 0 ustar root root #
# Debian Shorewall 5.2 rc file (SysV init hosts)
#
# One NAME=value per line; anything after '#' is a comment.  configure.pl
# strips the comment and takes everything after '=' as the value (quotes
# would become part of the value), merges in the NAME=value arguments it was
# given, and writes the result to ./shorewallrc.  That file is sourced by the
# init and ifupdown scripts at run time, so $PRODUCT and ${VARLIB} below are
# expanded by the sourcing shell, not by configure.pl.
#
BUILD= #Default is to detect the build system
HOST=debian
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/share/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFFILE=default.debian.sysvinit #Name of the distributed file to be installed in $SYSCONFDIR
SERVICEFILE= #Name of the file to install in $SERVICEDIR (configure.pl also accepts the older name SYSTEMD for that directory). Default is $PRODUCT.service
SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed
SERVICEDIR= #Directory where .service files are installed (systems running systemd only)
SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Per-product state directory (where the compiled firewall script lives); expanded when shorewallrc is sourced.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/configure.pl 0000775 0000000 0000000 00000014053 13531077635 015662 0 ustar root root #! /usr/bin/perl -w
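#
# Shorewall Packet Filtering Firewall configuration program - V5.2
#
# (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# Usage: ./configure.pl [--]NAME=value ...
#
#   Each argument sets (or overrides) one shorewallrc parameter.  NAME is
#   case-insensitive; VENDOR, SHAREDSTATEDIR and DATADIR are accepted as
#   aliases of HOST, VARLIB and SHAREDIR.  HOST selects the shorewallrc.<host>
#   template next to this script; when HOST is not given, the host type is
#   detected from the running system.  The merged parameters are written to
#   ./shorewallrc and echoed on stdout.
#
################################################################################################
use strict;
use File::Basename;
use POSIX qw( strftime );
#
# Build updates this
#
use constant {
    VERSION => '5.2.3.4'
};

my %params;     # NAME => value from the command line
my %options;    # NAME => value from the rc template, overridden by %params
my %aliases = ( VENDOR         => 'HOST',
                SHAREDSTATEDIR => 'VARLIB',
                DATADIR        => 'SHAREDIR' );

#
# Parse the [--]NAME=value arguments
#
for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
    my $pn = uc $1;
    my $pv = $2 || '';
    $pn = $aliases{$pn} if exists $aliases{$pn};
    $params{$pn} = $pv;
}

#
# The rc templates live in the same directory as this script
#
chdir dirname($0);

#
# True when /sbin/init is a symlink whose target mentions systemd (the same
# test as before, but through readlink() rather than parsing 'ls -l' output).
#
sub init_is_systemd {
    return ( -l '/sbin/init' && readlink( '/sbin/init' ) =~ /systemd/ ) ? 1 : 0;
}

#
# The rc template for a Debian-derived system
#
sub debian_rcfilename {
    return init_is_systemd() ? 'shorewallrc.debian.systemd' : 'shorewallrc.debian.sysvinit';
}

#
# The value of ID= in /etc/os-release with any surrounding quotes removed
# (RHEL and openSUSE quote it, which defeated a plain string comparison).
# Returns undef when the file or the ID= entry is missing, so the caller can
# fall back to the release-file probes.
#
sub os_release_id {
    my $id;

    if ( open( my $fh, '<', '/etc/os-release' ) ) {
        while ( my $line = <$fh> ) {
            chomp $line;
            if ( $line =~ /^ID=\s*(.*?)\s*$/ ) {
                $id = $1;
                $id =~ s/^(["'])(.*)\1$/$2/;
                last;
            }
        }

        close $fh;
    }

    return $id;
}

my $vendor = $params{HOST};
my $rcfile;
my $rcfilename;

unless ( defined $vendor ) {
    #
    # No HOST given: first try /etc/os-release
    #
    my $id = os_release_id();

    if ( defined $id ) {
        if ( $id eq 'fedora' || $id eq 'rhel' ) {
            $vendor = 'redhat';
        } elsif ( $id =~ /^opensuse/ ) {
            # 'opensuse', 'opensuse-leap', 'opensuse-tumbleweed'
            $vendor = 'suse';
        } elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
            $vendor = init_is_systemd() ? 'debian.systemd' : 'debian.sysvinit';
        } elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
            $vendor = 'alt';
        } else {
            $vendor = $id;
        }
        #
        # HOST is the vendor without any '.variant' suffix
        #
        ( $params{HOST} = $vendor ) =~ s/\..*//;
    }
}

if ( defined $vendor ) {
    if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
        $rcfilename = debian_rcfilename();
    } else {
        $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    }

    unless ( -f $rcfilename ) {
        die qq(ERROR: "$vendor" is not a recognized host type);
    } elsif ( $vendor eq 'default' ) {
        $params{HOST} = $vendor = 'linux';
    } elsif ( $vendor =~ /^debian\./ ) {
        $params{HOST} = $vendor = 'debian';
    }
} else {
    #
    # Neither HOST nor a usable /etc/os-release: probe the release files
    #
    if ( -f '/etc/debian_version' ) {
        $vendor     = 'debian';
        $rcfilename = debian_rcfilename();
    } elsif ( -f '/etc/altlinux-release' ) {
        $vendor     = 'alt';
        $rcfilename = 'shorewallrc.alt';
    } elsif ( -f '/etc/redhat-release' ) {
        $vendor     = 'redhat';
        $rcfilename = 'shorewallrc.redhat';
    } elsif ( -f '/etc/slackware-version' ) {
        $vendor     = 'slackware';
        $rcfilename = 'shorewallrc.slackware';
    } elsif ( -f '/etc/SuSE-release' ) {
        $vendor     = 'suse';
        $rcfilename = 'shorewallrc.suse';
    } elsif ( -f '/etc/arch-release' ) {
        $vendor     = 'archlinux';
        $rcfilename = 'shorewallrc.archlinux';
    } elsif ( $^O eq 'darwin' ) {
        # $^O replaces the former `uname` shell-outs
        $vendor     = 'apple';
        $rcfilename = 'shorewallrc.apple';
    } elsif ( $^O eq 'cygwin' ) {
        $vendor     = 'cygwin';
        $rcfilename = 'shorewallrc.cygwin';
    } else {
        $vendor     = 'linux';
        $rcfilename = 'shorewallrc.default';
    }

    $params{HOST} = $vendor;
}

my @localtime = localtime;
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
} else {
    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
}

#
# Read the template: NAME=value lines, '#' starts a comment, blank lines
# ignored.  Anything else is an error.  Note that a '#' inside a value ends it.
#
open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";

while ( <$rcfile> ) {
    s/\s*#.*//;

    unless ( /^\s*$/ ) {
        chomp;
        die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
        $options{$1} = $2;
    }
}

close $rcfile;

#
# Command-line parameters override the template
#
while ( my ( $p, $v ) = each %params ) {
    $options{$p} = $v;
}

my $outfile;

open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";

if ( $ENV{SOURCE_DATE_EPOCH} ) {
    #
    # Reproducible builds: format the timestamp in Perl rather than
    # interpolating the environment value into a shell command line.
    #
    die "ERROR: SOURCE_DATE_EPOCH must be a decimal number of seconds ($ENV{SOURCE_DATE_EPOCH})" unless $ENV{SOURCE_DATE_EPOCH} =~ /^\d+$/;
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s\n", VERSION, strftime( '%a %b %e %H:%M:%S UTC %Y', gmtime( $ENV{SOURCE_DATE_EPOCH} ) );
} else {
    printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
}

print $outfile "# rc file: $rcfilename\n#\n";
print $outfile "# Input: @ARGV\n#\n" if @ARGV;

#
# VARDIR defaults to a per-product directory under VARLIB; a lone VARDIR is
# taken to be VARLIB.  The '${...}' strings are written literally: they are
# expanded by the shell that sources shorewallrc.
#
if ( $options{VARLIB} ) {
    unless ( $options{VARDIR} ) {
        $options{VARDIR} = '${VARLIB}/${PRODUCT}';
    }
} elsif ( $options{VARDIR} ) {
    $options{VARLIB} = $options{VARDIR};
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
}

#
# SYSTEMD is the older name for SERVICEDIR
#
$options{SERVICEDIR} = $options{SYSTEMD} unless $options{SERVICEDIR};

for ( qw/ HOST
          PREFIX
          SHAREDIR
          LIBEXECDIR
          PERLLIBDIR
          CONFDIR
          SBINDIR
          MANDIR
          INITDIR
          INITSOURCE
          INITFILE
          AUXINITSOURCE
          AUXINITFILE
          SERVICEDIR
          SERVICEFILE
          SYSCONFFILE
          SYSCONFDIR
          SPARSE
          ANNOTATED
          VARLIB
          VARDIR
          DEFAULT_PAGER / ) {
    my $val = $options{$_} || '';
    print "$_=$val\n";
    print $outfile "$_=$val\n";
}

close $outfile;

1;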
shorewall-init-5.2.3.4/ifupdown.suse.sh 0000664 0000000 0000000 00000005546 13531060406 016501 0 ustar root root #!/bin/sh
#
# SuSE ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
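#######################################
# Work out where the current product keeps its compiled firewall script and
# compile one when it is missing.
# Globals:   CONFDIR, PRODUCT, VARLIB, SBINDIR (read); STATEDIR (written)
# Outputs:   whatever '<product> compile' prints
# Returns:   0, or the status of the compile when one was run
#######################################
setstatedir() {
    local statedir

    # ${CONFDIR}/${PRODUCT}/vardir is a shell fragment that sets VARDIR.  It
    # is sourced in a subshell so that only that value reaches this script;
    # it is executed with this script's privileges, so it must not be
    # writable by anyone else.
    if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
        statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    # Only the full products can compile; the -lite products are left alone.
    if [ ! -x "${STATEDIR}/firewall" ]; then
        if [ "$PRODUCT" = shorewall ]; then
            "${SBINDIR}/shorewall" compile
        elif [ "$PRODUCT" = shorewall6 ]; then
            "${SBINDIR}/shorewall" -6 compile
        fi
    fi
}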
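#######################################
# Called when this script runs as a SuSE /etc/ppp/ip-*.d or ipv6-*.d hook:
# narrow PRODUCTS to the products of the hook's IP family and derive
# INTERFACE and COMMAND from the argument and the hook's path.
# Globals:   PRODUCTS (read, then rewritten), NEWPRODUCTS, INTERFACE,
#            COMMAND (written)
# Arguments: $1 - the ppp interface name
# Returns:   0; exits 0 when $0 is not a recognised ppp hook path
#######################################
SuSE_ppp() {
    local product

    NEWPRODUCTS=
    INTERFACE="$1"

    case $0 in
        /etc/ppp/ip-*)
            #
            # IPv4 hook: keep only the IPv4 products
            #
            for product in $PRODUCTS; do
                case $product in
                    shorewall|shorewall-lite)
                        NEWPRODUCTS="$NEWPRODUCTS $product"
                        ;;
                esac
            done
            ;;
        /etc/ppp/ipv6-*)
            #
            # IPv6 hook: keep only the IPv6 products
            #
            for product in $PRODUCTS; do
                case $product in
                    shorewall6|shorewall6-lite)
                        NEWPRODUCTS="$NEWPRODUCTS $product"
                        ;;
                esac
            done
            ;;
        *)
            exit 0
            ;;
    esac

    PRODUCTS="$NEWPRODUCTS"

    # /etc/ppp/ip-up.d/... and ipv6-up.d/... bring the link up; anything
    # else is a down hook.
    case $0 in
        *up/*)
            COMMAND=up
            ;;
        *)
            COMMAND=down
            ;;
    esac
}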
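IFUPDOWN=0
PRODUCTS=
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

#
# Site settings: IFUPDOWN=1 enables this hook, PRODUCTS lists the products
# to notify.  Both files are sourced, so they must be root-owned like any
# other file in /etc that is executed by the network system.
#
if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
fi

[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0

PHASE=''

case $0 in
    /etc/ppp*)
        #
        # SUSE ppp: the hook receives the interface as its first argument,
        # which SuSE_ppp needs (a bare call left INTERFACE empty).
        #
        SuSE_ppp "$1"
        ;;
    *)
        #
        # SuSE ifupdown system
        #
        INTERFACE="$2"

        case $0 in
            *dispatcher.d*)
                INTERFACE="$1"
                COMMAND="$2"
                ;;
            *if-up.d*)
                COMMAND=up
                ;;
            *if-down.d*)
                COMMAND=down
                ;;
            *)
                exit 0
                ;;
        esac
        ;;
esac

[ -n "$LOGFILE" ] || LOGFILE=/dev/null

for PRODUCT in $PRODUCTS; do
    setstatedir
    # The compiled script lives in STATEDIR, which setstatedir may have taken
    # from ${CONFDIR}/${PRODUCT}/vardir; it is not necessarily under
    # $VARLIB/$PRODUCT (which is what was tested and run before).
    if [ -x "${STATEDIR}/firewall" ]; then
        # $INTERFACE is left unquoted so that an empty value passes no argument
        ( "${STATEDIR}/firewall" -V0 "$COMMAND" $INTERFACE >> "$LOGFILE" 2>&1 ) || true
    fi
done

exit 0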
shorewall-init-5.2.3.4/init.openwrt.sh 0000775 0000000 0000000 00000006614 13531060406 016330 0 ustar root root #!/bin/sh /etc/rc.common
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
#
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
# (c) 2016 - Matt Darfeuille (matdarf@gmail.com)
#
# On most distributions, this file should be called /etc/init.d/shorewall-init.
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#
# arg1 of init script is arg2 when rc.common is sourced
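#
# arg1 of init script is arg2 when rc.common is sourced; rc.common passes it
# to us as $action.  Diagnostics go to stderr.
#
case "$action" in
    start|stop|boot)
        if [ "$(id -u)" != "0" ]; then
            echo "You must be root to start, stop or restart \"Shorewall \"." >&2
            exit 1
        fi
        # check if shorewall-init is configured or not: the sysconfig file
        # supplies PRODUCTS (and SAVE_IPSETS/OPTIONS); no products, nothing to do
        if [ -f "/etc/sysconfig/shorewall-init" ]; then
            . /etc/sysconfig/shorewall-init
            if [ -z "$PRODUCTS" ]; then
                exit 0
            fi
        else
            exit 0
        fi
        ;;
    enable|disable|enabled)
        # Openwrt related
        # start and stop runlevel variable
        START=19
        STOP=91
        ;;
    *)
        echo "Usage: /etc/init.d/shorewall-init {start|stop}" >&2
        exit 1
        ;;
esac
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc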
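# Locate the current PRODUCT's statedir, compiling the firewall script when
# it is missing.
# Globals:   CONFDIR, PRODUCT, VARLIB, SBINDIR (read); STATEDIR (written)
# Returns:   0 when ${STATEDIR}/firewall is executable; the compile's status
#            when one was attempted; 1 for a product that cannot be compiled
#            here (the -lite products) and has no script
setstatedir() {
    local statedir

    # vardir is a shell fragment sourced in a subshell so that only VARDIR is
    # taken from it; it runs with this script's (root) privileges, so it must
    # not be writable by anyone else.
    if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
        statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    elif [ "$PRODUCT" = shorewall ]; then
        "${SBINDIR}/shorewall" compile
    elif [ "$PRODUCT" = shorewall6 ]; then
        "${SBINDIR}/shorewall" -6 compile
    else
        return 1
    fi
}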
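# Initialize the firewall: put every product into its closed ("stopped")
# state before the network comes up, then reload any saved ipsets.
# Globals:   PRODUCTS, SBINDIR, OPTIONS, SAVE_IPSETS (read)
# Returns:   0
start () {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # Close the firewall only when the product is not already running.
            # SBINDIR is what shorewallrc defines (and what setstatedir uses);
            # the previously used SBIN is never set, so the status check always
            # failed and the stop ran unconditionally.
            if ! "${SBINDIR}/$PRODUCT" status > /dev/null 2>&1; then
                "${STATEDIR}/firewall" ${OPTIONS} stop
            fi
        fi
    done

    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi

    return 0
}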
# OpenWrt 'boot' action: the same work as 'start', whose status is returned.
boot ()
{
    start "$@"
}
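# Clear the firewall for every product and, when SAVE_IPSETS is set, save the
# current ipsets so 'start' can reload them.
# Globals:   PRODUCTS, OPTIONS, SAVE_IPSETS (read)
# Returns:   0
stop () {
    local PRODUCT
    local STATEDIR
    local tmp

    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            "${STATEDIR}/firewall" ${OPTIONS} clear
        fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
        tmp="${SAVE_IPSETS}.tmp"
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        # Only a dump that defines at least one set replaces the save file, so
        # a failed or empty dump never clobbers a good one.
        if ipset -S > "$tmp" && grep -qE -- '^(-N|create )' "$tmp"; then
            mv -f "$tmp" "$SAVE_IPSETS"
        fi
        rm -f "$tmp"
    fi

    return 0
}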
shorewall-init-5.2.3.4/shorewall-init.service 0000664 0000000 0000000 00000000725 13531060406 017651 0 ustar root root #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
# Copyright 2011 Jonathan Underwood
#
[Unit]
Description=Shorewall firewall (bootup security)
# Run before any interface is configured, so the closed rule set loaded by
# 'shorewall-init start' is in place before the network comes up.
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
# The leading '-' makes a missing /etc/sysconfig/shorewall-init non-fatal.
EnvironmentFile=-/etc/sysconfig/shorewall-init
StandardOutput=syslog
ExecStart=/sbin/shorewall-init start
ExecStop=/sbin/shorewall-init stop
[Install]
WantedBy=basic.target
shorewall-init-5.2.3.4/COPYING 0000664 0000000 0000000 00000043135 13531060406 014363 0 ustar root root GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
shorewall-init-5.2.3.4/ifupdown.debian.sh 0000664 0000000 0000000 00000005452 13531060406 016740 0 ustar root root #!/bin/sh
#
# Debian ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
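#######################################
# Determine where $PRODUCT keeps its compiled firewall script and compile
# one if none is present yet.
# Globals:   CONFDIR, PRODUCT, VARLIB, SBINDIR (read); STATEDIR (written)
# Outputs:   whatever the compile step prints
#######################################
setstatedir() {
    local statedir

    # ${CONFDIR}/${PRODUCT}/vardir is a shell fragment that may override
    # VARDIR.  It is executed here (as root when run from ifupdown/pppd),
    # so it must only be writable by root.  It is sourced in a subshell so
    # that nothing else it defines leaks into this script.
    if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
        statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && printf '%s' "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    # No compiled script yet: build one for the products that ship a compiler
    # (the -lite products can only run a script compiled elsewhere).
    if [ ! -x "${STATEDIR}/firewall" ]; then
        case $PRODUCT in
            shorewall)
                "${SBINDIR}/shorewall" compile
                ;;
            shorewall6)
                "${SBINDIR}/shorewall" -6 compile
                ;;
        esac
    fi
}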
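#######################################
# pppd hook: narrow PRODUCTS to the address family of the hook being run
# and work out whether the interface is coming up or going down.
# Arguments: $1 - interface name.  pppd passes it as the first argument
#                 of its ip-up/ip-down scripts; when the caller passes
#                 nothing, pppd's exported IFNAME is used instead.
# Globals:   PRODUCTS (read and rewritten), INTERFACE, COMMAND (written)
# Exits with status 0 when $0 is neither an IPv4 nor an IPv6 ppp hook.
#######################################
Debian_ppp() {
    NEWPRODUCTS=
    INTERFACE="${1:-$IFNAME}"

    case $0 in
        /etc/ppp/ip-*)
            #
            # IPv4 hook: keep only the IPv4 products
            #
            for product in $PRODUCTS; do
                case $product in
                    shorewall|shorewall-lite)
                        NEWPRODUCTS="$NEWPRODUCTS $product"
                        ;;
                esac
            done
            ;;
        /etc/ppp/ipv6-*)
            #
            # IPv6 hook: keep only the IPv6 products
            #
            for product in $PRODUCTS; do
                case $product in
                    shorewall6|shorewall6-lite)
                        NEWPRODUCTS="$NEWPRODUCTS $product"
                        ;;
                esac
            done
            ;;
        *)
            exit 0
            ;;
    esac

    PRODUCTS="$NEWPRODUCTS"

    # NOTE(review): only a path containing 'up/' selects 'up'; anything
    # else (including a script in a '...-up.d/' directory) is treated as
    # 'down'.  Confirm this matches the path the installer uses.
    case $0 in
        *up/*)
            COMMAND=up
            ;;
        *)
            COMMAND=down
            ;;
    esac
}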
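#
# Main body.  ifupdown (Debian) or pppd runs this as root; the interface
# and direction come from $IFACE/$MODE or from the ppp hook arguments,
# and each enabled product's compiled firewall script is told that the
# interface came up or went down.
#
IFUPDOWN=0
PRODUCTS=
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

# Site settings.  Both files are executed as shell, so they must only be
# writable by root.
if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
fi

# Nothing to do unless the administrator enabled IFUPDOWN and listed products.
[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0

case $0 in
    /etc/ppp*)
        #
        # Debian ppp: pppd passes the interface name as the first script
        # argument, so hand the arguments on to the hook (without them the
        # hook would see an empty interface name).
        #
        Debian_ppp "$@"
        ;;
    *)
        #
        # Debian ifupdown system
        #
        INTERFACE="$IFACE"
        case $MODE in
            start)
                COMMAND=up
                ;;
            stop)
                COMMAND=down
                ;;
            *)
                exit 0
                ;;
        esac
        ;;
esac

[ -n "$LOGFILE" ] || LOGFILE=/dev/null

for PRODUCT in $PRODUCTS; do
    # setstatedir sets STATEDIR (honouring a per-product vardir override)
    # and compiles the firewall script when it is missing, so the script
    # is run from STATEDIR rather than from an assumed ${VARLIB}/${PRODUCT}.
    setstatedir
    if [ -x "${STATEDIR}/firewall" ]; then
        # Best effort: a failing firewall script must not break interface
        # bring-up.  An empty INTERFACE is omitted rather than passed as "".
        ( "${STATEDIR}/firewall" -V0 "$COMMAND" ${INTERFACE:+"$INTERFACE"} >> "$LOGFILE" 2>&1 ) || true
    fi
done

exit 0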
shorewall-init-5.2.3.4/releasenotes.txt 0000664 0000000 0000000 00000117477 13531077635 016611 0 ustar root root ----------------------------------------------------------------------------
S H O R E W A L L 5 . 2 . 3 . 4
-------------------------------
A U G U S T 2 5 , 2 0 1 9
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
II. KNOWN PROBLEMS REMAINING
III. NEW FEATURES IN THIS RELEASE
IV. MIGRATION ISSUES
V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
5.2.3.4
1) If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) was used as a policy,
an error such as the following was previously incorrectly raised.
ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
15)
That has been corrected such that no error is raised.
2) If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
macro, an error such as the following was previously incorrectly
raised:
ERROR: Invalid ACTION (PARAM:1c,bypass)))
/usr/share/shorewall/macro.BitTorrent (line 12)
from /etc/shorewall/rules (line 40)
Now, the NFQUEUE action is correctly substituted for PARAM in
the Macro body.
3) If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
previously produced a new file with 'AUTOMAKE=Yes'. This resulted
in an unexpected change of behavior. Now, the new file contains
'AUTOMAKE=No', which preserves the pre-update behavior.
4) Shorewall-rules(5) incorrectly stated that the 'bypass' option to
NFQUEUE causes the rule to be silently bypassed if there is no
application attached to the queue. The actual behavior is that the
rule acts like ACCEPT in that case. Shorewall-rules(5) has been
corrected.
5.2.3.3
1) Previously, if an ipset was specified in an SPORT column, the
compiler would raise an error similar to:
ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
That has been corrected.
5.2.3.2
1) Shorewall 5.2 automatically converts an existing 'masq' file to an
equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
automatic update, such that the following error message was issued:
Use of uninitialized value $Shorewall::Nat::raw::currentline in
pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
line 511, <$currentfile> line nnn.
and the generated 'masq' file contains only initial comments.
That has been corrected.
5.2.3.1
1) An issue in the implementation of policy file zone exclusion,
released in 5.2.3 has been resolved. In the original release,
if more than one zone was excluded, then the following error was
raised:
ERROR: 'all' is not allowed in a source zone list
etc/shorewall/policy (line ...)
5.2.3
1) To prevent a helper kernel module from being loaded, it was
previously necessary to list both its current name and its
pre-kernel-2.6.20 name in the DONT_LOAD option in
/etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
from being loaded, it was necessary to also list ip_conntrack_sip
in DONT_LOAD. That is no longer necessary.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) The 'enable', 'reenable' and 'disable' commands do not work
correctly in configurations with USE_DEFAULT_RT=No and optional
providers listed in the DUPLICATE column.
3) While the 'ip' utility now accepts IPv6 routes with multiple
'nexthop' destinations, these routes are not balanced. They are
rather instantiated as a sequence of single routes with different
metrics. Furthermore, the 'ip route replace' command fails on
such routes. Beginning with Shorewall6 5.0.15, the generated script
uses a "delete..add.." sequence on these routes rather than a
single "replace" command.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
policy file.
2) With the availability of zone exclusion in the rules file, 'all[+]-'
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with this release, the former are
deprecated in favor of the latter and will result in a warning
message, if used.
3) Internal documentation of the undocumented 'test' parameter to
compiler.pl has been added (it is used by the regression test
library to suppress versions and date/times from the generated
script).
4) The LOAD_HELPERS_ONLY option has been removed from
shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
LOAD_HELPERS_ONLY=Yes had been specified.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
If you are migrating from Shorewall 4.6.x or earlier, please see
http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
Immediately after installing Shorewall 5.2.x, we recommend that you run
'shorewall[6] update'. This command will handle many of the migration
issues described here.
------------------------------------------------------------------------
I S S U E S M I G R A T I N G T O S H O R E W A L L 5 . 2
F R O M S H O R E W A L L 5 . 0
------------------------------------------------------------------------
If you are migrating from Shorewall 5.0, this section will
familiarize you with the changes in Shorewall 5.1 that may affect
your configuration.
1) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. Its
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:
Shorewall 5.0 Shorewall 5.1
shorewall shorewall
shorewall6 shorewall -6
shorewall-lite shorewall -l
shorewall6-lite shorewall -6l
Only Shorewall-lite and Shorewall6-lite installed:
Shorewall 5.0 Shorewall 5.1
shorewall-lite shorewall
shorewall6-lite shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
2) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
For the common case where you have an action xxx with an empty
action.xxx file and have perl code in a file named xxx, the
compiler will now generate a fatal error:
ERROR: File action.xxx is empty and file xxx exists - the two
must be combined as described in the Migration
Considerations section of the Shorewall release notes
For information about resolving this error, see
http://www.shorewall.org/Shorewall-5.html#idp41228128.
This issue is not handled by 'shorewall update' and must be
corrected manually.
4) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
This issue is not handled by 'shorewall update' and must be
corrected manually.
5) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
6) Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
etc. options may now specify a comma-separated list of actions
rather than just a single action. The actions are invoked in the
order in which they are listed and each action may optionally be
followed by a colon (":") and a log level. The POLICY column in
shorewall[6]-policy can now specify a similar list of actions. In
that file, the list may be preceded by a plus sign ("+"), in which
case the listed actions will be in addition to those listed in the
related _DEFAULT setting in shorewall[6].conf.
With these changes, the Drop and Reject policy actions are now
deprecated in favor of a list of smaller actions. A warning is
issued when these deprecated actions are used; the warning refers
the reader to http://www.shorewall.org/Actions.html#Default.
This issue is partially handled by 'shorewall update' - see
the 5.2 issues below.
7) Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
Broadcast no longer handle multicast. Multicast is handled
separately in actions allowMcast, dropMcast and Multicast. The
now-deprecated Drop and Reject policy actions have been modified so
that they continue to silently drop multicast packets.
8) According to the Netfilter team (see
https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
of the NFLOG target has never worked correctly, and they have
deprecated that option in favor of the --nflog-size option.
To accommodate this change, Shorewall 5.1.5 added an "--nflog-size
support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
capability is present, Shorewall will use '--nflog-size' in place
of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
present, an error is raised.
If you don't use NFLOG or if you use NFLOG with omitted second
parameter or with 0 as the second parameter, and 'shorewall show
capabilities' indicated that --nflog-size support is present, you
may safely set USE_NFLOG_SIZE=Yes.
If you pass a non-zero value as the second parameter to NFLOG and
the '--nflog-size support' capability is present, you need to
verify that those NFLOG messages are as you expect with
USE_NFLOG_SIZE=Yes.
This issue is not handled by 'shorewall update' and must be
corrected manually.
9) The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
Shorewall 5.1.7. Shorewall now finds modules, independent of their
filename suffix.
'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
setting.
10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
default route is only restored when there are no enabled
'balance/primary' providers and no enabled fallback providers.
Also beginning with Shorewall 5.1.8, if the default route(s) have
been restored to the 'main' table, and a fallback provider is
successfully enabled, the default route(s) are removed from the
main table.
11) Because restoring default routes to the main routing table can
break the ability of Foolsm and other link status monitors to
properly detect non-functioning provider links, a warning message
is issued when the 'persistent' provider option is specified and
RESTORE_DEFAULT_ROUTE=Yes.
WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
may not work as expected
This change was released in Shorewall 5.1.8.
This issue is not handled by 'shorewall update' and must be
corrected manually.
12) Most interface OPTIONS have always been ignored when the INTERFACE
name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
is issued when an ignored option is specified with interface name '+'.
Example: The 'sourceroute' option is ignored when used with
interface name '+'
In many cases, this issue can be worked around by a change similar
to the following:
Original:
net + dhcp,routeback,sourceroute=0
Change to:
net all dhcp,physical=+,routeback,sourceroute=0
--- ----------
As part of this change, interfaces that specify a wildcard physical
interface name will generate a warning if any of the following
options are specified:
accept_ra
arp_filter
arp_ignore
forward
logmartians
proxyarp
proxyndp
routefilter
sourceroute
When the warning is issued, the specified option is then ignored
for the interface.
Example:
WARNING: The 'sourceroute' option is ignored when used with a
wildcard physical name
/etc/shorewall6.universal/interfaces (line 14)
This issue is not handled by 'shorewall update' and must be
corrected manually.
13) INLINE_MATCHES=Yes has been documented as deprecated for some
time, but it has not generated a warning. Beginning with the
Shorewall 5.1.12 release, a warning is issued:
WARNING: Option INLINE_MATCHES=Yes is deprecated
Additionally, each line that requires modification to work with
INLINE_MATCHES=No is flagged with the warning:
WARNING: This entry needs to be changed (replace ';' with ';;')
before the INLINE_MATCHES option is removed in
Shorewall 5.2
You can eliminate the warnings by setting INLINE_MATCHES=No and
by replacing the single semicolon (";") separating inline matches
from the column-oriented part of the rule with two semicolons
(";;") in each entry flagged by the second warning.
This issue is mostly handled by 'shorewall update' - see
the 5.2 issues below.
------------------------------------------------------------------------
I S S U E S M I G R A T I N G T O S H O R E W A L L 5 . 2
F R O M S H O R E W A L L 5 . 0 A N D 5 . 1
------------------------------------------------------------------------
1) The MAPOLDACTIONS option in shorewall.conf has been removed. This
option provided compatibility with releases prior to Shorewall 3.0.
'shorewall update' will remove the setting of this option from
shorewall.conf.
2) The INLINE_MATCH option has been removed. Shorewall now behaves as
if INLINE_MATCH=No had been specified:
- A single semicolon (';') is used to separate column-oriented
input from column-name/value input.
- The preferred method of specifying column-name/value input is to
enclose such input in curly braces ("{....}").
- A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
input. This is true in INLINE and IP[6]TABLES rules as well as
rules with other targets.
As part of this change, 'shorewall update' will replace ';' with
';;' in INLINE and IP[6]TABLES rules. It will also replace ';' by
';;', if ';' is followed by '-m', '-j' or '-g'.
3) With the wide availability of ipset-based blacklisting, the need
for the 'refresh' command has been largely eliminated. As a result,
that command has been removed.
Some users may have been using 'refresh' as a lightweight form of
reload. The most common of these uses seem to be for reloading
traffic shaping after an interface has gone down and come back up.
The best way to handle this situation under 5.2 is to make the
interface 'optional' in your /etc/shorewall[6]/interfaces file,
then either:
- Install Shorewall-init and enable IFUPDOWN; or
- Use the 'reenable' command when the interface comes back up
in place of the 'refresh' command.
4) The following deprecated macros and actions have been removed:
Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
Action A_Drop - see below
Action A_Reject - see below
Action Drop - see below
Action Reject - see below
Macro SNMPTrap - use SNMPtrap
The [A_]Drop and [A_]Reject actions are used primarily as policy
actions. As part of this change, 'shorewall update' will update
DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
IPv4
DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
Broadcast(A_DROP),Multicast(A_DROP)
IPv6
DROP_DEFAULT=Drop becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
The 'update' command will also make similar changes in the policy
file.
'shorewall update' does not handle invocations of 'Drop' and
'Reject' within the rules file, or within actions and macros. Those
instances will generate an error which must be corrected manually.
It should also be noted that, in prior releases, Drop and Reject
silently dropped more traffic than their replacements. As a
consequence, you will see more traffic being logged with Shorewall
5.2 than you did on earlier releases. The translations performed
by 'update' can be extended after the update to drop additional
traffic as desired.
5) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
searched recursively for files newer than the compiled script. That
was changed in Shorewall 5.1.10.2 such that only the listed
directories themselves were searched. That broke some
configurations that played tricks with embedded SHELL such as:
SHELL cat /etc/shorewall/rules.d/loc/*.rules
Prior to 5.1.10.2, a change to a file in or adding a file to
/etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
with 5.1.10.2, such changes would not trigger recompilation.
Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
obtained by setting AUTOMAKE=recursive.
Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
numeric which specifies how deeply each listed directory is
to be searched. AUTOMAKE=1 only searches each directory itself and
is equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each
directory and its immediate sub-directories; AUTOMAKE=3 will search
each directory, each of its immediate sub-directories, and each of
their immediate sub-directories, etc.
6) Support for the deprecated 'masq' file has been deleted. Any
existing 'masq' file will automatically be converted to the
equivalent 'snat' file.
7) Where two or more providers share a network interface, the
'optional' interface/provider option has never worked correctly.
Beginning with Shorewall 5.2.1, the 'optional' option is disallowed
on such interfaces and providers.
8) With the availability of zone exclusion in the rules file, 'all[+]-'
and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
respectively. Beginning with Shorewall 5.2.3, the former are
deprecated in favor of the latter and will result in a warning
message, if used.
9) Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in
shorewall[6].conf has been removed, and the behavior is as if
LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update'
will remove the option from shorewall[6].conf.
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 2
----------------------------------------------------------------------------
1) This release includes defect repair through Shorewall 5.2.1.4.
2) When processing inline matches, the compiler previously inserted
the matches before the column-generated matches if there was a plus
sign ("+") anywhere in the matches. Now, it only does so if the
first non-blank character in the matches is a plus sign.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 1
----------------------------------------------------------------------------
1) New macros have been contributed by Vincas Dargis:
Bitcoin
Tor
ONCRPC
Additionally, Tuomo Soini has contributed a WUDO (Windows Update
Delivery Optimization) macro.
2) The Perl modules have undergone some cleanup/optimization.
3) Given that recent kernels have dropped ULOG support, use of ULOG in
Shorewall is now deprecated and results in a warning message. The
warning can be eliminated by switching to NFLOG and ulogd2.
4) Shorewall can now detect interface default gateways configured by
Network Manager.
5) Inline matches are now supported in the 'conntrack' file.
6) In the 'accounting' file, Inline matches in an INLINE(...) rule now
allow a leading '+' to cause the matches to be evaluated before
those generated by the column specifications.
7) In view of the fact that some modems take an eternity to recover
from a power failure, the limit of the 'wait' interface option
setting has been increased from 120 seconds (2 minutes) to 300
seconds (5 minutes).
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 1
----------------------------------------------------------------------------
5.2.1.4
1) A change in 5.2.0.5 that corrected an ip[6]tables error in the
UNTRACKED section of the rules file, changed the name of the chain
used to hold UNTRACKED rules. Previously, the chain was named
&z1-z2, where 'z1' is the source zone and 'z2' is the
destination; after the change, the chain was named =z1-z2.
Unfortunately, some log messages generated out of these chains
still referred to &z1-z2; that has been corrected.
2) Some dead/silly code has been removed from two functions in
the Chains.pm Perl module. The two functions have been combined
into a single function.
3) When the RATE column contains both a source and a destination rate,
it was previously impossible to specify a netmask (VLSM) on either
rate. Attempting to specify a mask would result in:
ERROR: Invalid rate (...)
That has been corrected. Note that when specifying a
netmask, the leading 's' or 'd' may not be omitted.
4) Several typos in the man pages have been corrected (Roberto
Sánchez).
5.2.1.3
1) When a configuration had optional interfaces but no providers, the
'status -i' command previously would fail to show interface status
for interfaces that had not been disabled or enabled since the
last start, restart or reload. That has been corrected.
5.2.1.2
1) The fix for DOCKER=Yes in 5.2.1.1 inadvertently results in an
assertion failure when processing a 'check -r' command when
DOCKER=Yes. That has been corrected. As part of that change,
empty 'cat' commands in the generated script were eliminated.
2) When the HELPER target is used with an empty HELPER column, the
error message produced previously incorrectly read:
ERROR: HELPER require requires that ...
That has been corrected so that the message now reads:
ERROR: HELPER requires that ...
3) On Centos 7, the following journal message appeared when Shorewall
attempted to load kernel modules:
nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already
loaded
To eliminate that message, Shorewall no longer attempts to load
ipt_ULOG. Note that most current distributions no longer support
ULOG. Current users of ULOG should convert to using NFLOG at the
earliest opportunity.
5.2.1.1
1) The Perl module versions were not updated for the 5.2.1
release. That has been corrected.
2) The lib.common file previously confused Emacs such that editing the
file in shell mode was awkward. Because lib.common is included in
compiled scripts, this defect also made editing a compiled script
awkward. The issue has been resolved, so that the file now renders
properly in Emacs's shell mode.
3) Previously, if ip6tables-restore failed during Shorewall6 start,
restart or reload, the resulting error message indicated that
iptables-load had failed. That has been corrected.
4) Setting Docker=Yes did not work correctly with Docker version
18.03.1-ce. In that version, the DOCKER-ISOLATION chain was
replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and
DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this
change, Shorewall now correctly handles the DOCKER-USER chain as
well as the two new isolation chains.
5) Previously, if there were multiple 'balance' providers and more
than one of them were experiencing carrier loss, then the 'enable' and
'disable' operations could fail. That has been corrected.
5.2.1
1) This release contains defect repair up through Shorewall 5.2.0.5.
2) Previously, if:
a) IP[6]TABLES was not set in shorewall[6].conf; and
b) The ip[6]tables binary was not found on the PATH.
then a shell 'not found' error on 'fatal-error' was generated. That
has been corrected (Matt Darfeuille).
3) A number of files in the Shorewall-common package have had their
heading version updated to version 5.2 (Matt Darfeuille).
4) Previously, if statistical load balancing ('load=' in
provider OPTIONS) was configured on providers that shared an
interface, then the compiler would die with an assertion
failure. That has been corrected so that this combination now works
as expected.
5) Where two or more providers share a network interface, the
'optional' interface/provider option has never worked correctly.
Beginning with this release, the 'optional' option is disallowed
on such interfaces and providers.
6) Previously, when rate limiting was applied to a DNAT or
REDIRECT rule, rate limiting was applied to the accompanying
ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if
the connection failed the rate limit then the connection attempt
could be logged twice - once in the nat table and once when the
applicable policy was applied. Beginning with this release, rate
limiting is applied to the DNAT/REDIRECT rule so that no nat-table
logging occurs if the connection attempt exceeds the rate limit.
7) Some regular expressions used in Shorewall's Perl code will be
disallowed by Perl version 5.23. These have been changed to be
acceptable to that version of Perl.
8) Previously, if SNAT(detect) was used on an optional interface and
the resulting ip[6]tables rule was unreachable, then invalid shell
code similar to the following was generated:
if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then
fi
That has been corrected such that the above code is not generated
and a warning message is issued, indicating that the entry generated
no ip[6]tables rule.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 1
----------------------------------------------------------------------------
5.2.1.2
1) A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to
$CONFDIR/shorewall[6] if no directory name is passed to a compile,
check, start, restart or reload command. If a directory name is
passed to one of these commands, then $SW_CONFDIR expands to that
directory name.
5.2.1
1) New macros for IPFS (https://ipfs.io/) have been contributed by
Răzvan Sandu.
2) Several new man pages have been added:
- shorewall-addresses(5) describes specification of addresses in
shorewall configuration files.
- shorewall-files(5) describes the shorewall configuration files
together with features common to multiple files.
- shorewall-logging(5) describes shorewall's logging facilities.
- shorewall-names(5) describes restrictions on names used in
Shorewall configuration files.
Additional man pages will be included in future 5.2.1 pre-releases.
3) In the SOURCE and DEST columns, it is now possible to exclude an
interface by preceding the interface name with '!'. This is useful
for excluding the loopback interface (lo).
Example from the mangle file:
#ACTION SOURCE DEST
DROP:T 127.0.0.0/8 !lo
4) The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in
the nat table through use of new chain designators in the mangle
file:
NP - nat table PREROUTING chain
NI - nat table INPUT chain
NO - nat table OUTPUT chain
NT - nat table POSTROUTING chain
5) When TC_EXPERT=Yes, it is now possible to specify any mark/mask
values that are displayed by the 'show marks' command, including
the Exclusion and TPROXY values.
6) The configure and install scripts now support ALT Linux (Alexey
Shabalin).
7) The verbosity of the 'remote-*' CLI commands has been increased
(Matt Darfeuille).
8) You may now specify a VLSM in the RATE columns of the policy and
rules files, when per-IP limiting is used. This results in one hash
table entry per subnet rather than one entry per host, and applies
the limit to the subnet. See shorewall-policy(5) and
shorewall-rules(5) for details. This provides a means for reducing
the size of the hash tables.
9) You may now specify the number of hash table buckets and the
maximum number of hash table entries in the RATE columns of the
policy and rules files, when per-IP limiting is used. This allows
you to increase the size of the tables to more fully handle DDOS
attacks. See shorewall-policy(5) and shorewall-rules(5) for
details.
10) Eric Teeter has contributed a macro for Cockpit.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 2 . 0
----------------------------------------------------------------------------
5.2.0.1
1) This release includes defect repair through Shorewall 5.1.12.4.
2) The getrc and getcaps commands added in 5.2.0 did not read the
params file. That has been corrected.
3) A shell syntax error in the code that implements the 'ipdecimal'
command has been corrected.
5.2.0
1) This release includes defect repair through Shorewall 5.1.12.3.
2) Previously, optimize category 8 (combine identical chains) was
applied before optimize category 16 (eliminate duplicate rules,
...). This could (and has) resulted in uncombined identical chains
in the final ruleset. Beginning with this release:
a) Optimize category 16 will be applied before optimize category 8.
b) If optimize category 8 combined any chains, then optimize
category 16 will be applied again.
This change ensures that the final ruleset has no duplicate chains
and that all compatible adjacent port and state rules are combined.
3) Previously, use of &lo would result in an error:
ERROR: Can't determine the IP address of lo: Firewall state not changed
That problem has been corrected such that &lo always expands to
127.0.0.1 (IPv4) or ::1 (IPv6).
----------------------------------------------------------------------------
N E W F E A T U R E S I N 5 . 2 . 0
----------------------------------------------------------------------------
1) The MAPOLDACTIONS option in shorewall.conf has been removed. This
option provided compatibility with releases prior to Shorewall 3.0.
'shorewall update' will remove the setting of this option from
shorewall.conf.
2) The INLINE_MATCH option has been removed. Shorewall now behaves as
if INLINE_MATCH=No had been specified:
- A single semicolon (';') is used to separate column-oriented
input from column-name/value input.
- The preferred method of specifying column-name/value input is to
enclose such input in curly braces ("{....}").
- A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
input. This is true in INLINE and IP[6]TABLES rules as well as
rules with other targets.
As part of this change, 'shorewall update' will replace ';' with
';;' in INLINE and IP[6]TABLES rules.
3) With the wide availability of ipset-based blacklisting, the need
for the 'refresh' command has been largely eliminated. As a result,
that command has been removed.
Some users may have been using 'refresh' as a lightweight form of
reload. The most common of these uses seem to be for reloading
traffic shaping after an interface has gone down and come back up.
The best way to handle this situation under 5.2 is to make the
interface 'optional' in your /etc/shorewall[6]/interfaces file,
then either:
- Install Shorewall-init and enable IFUPDOWN; or
- Use the 'reenable' command when the interface comes back up
in place of the 'refresh' command.
4) The following deprecated macros and actions have been removed:
Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
Action A_Drop - see below
Action A_Reject - see below
Action Drop - see below
Action Reject - see below
Macro SNMPTrap - use SNMPtrap
The [A_]Drop and [A_]Reject actions are used primarily as policy
actions. As part of this change, 'shorewall update' will update
DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
IPv4
DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
Broadcast(A_DROP),Multicast(A_DROP)
IPv6
DROP_DEFAULT=Drop becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
See the Migration Issues for additional information.
5) A 'show saves' command has been added to list the snapshots
created using the 'save' command.
Example:
root@gateway:~# shorewall show saves
Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
Saved snapshots are:
Feb 15 10:08 foo
Feb 14 12:34 restore (default)
root@gateway:~#
The snapshots are listed by creation time from latest to
earliest. If the name of one matches the RESTOREFILE setting, that
snapshot is marked as the default for the 'restore' command.
6) For installing into a Sandbox, the file shorewallrc.sandbox has
been added to Shorewall-core. See
http://www.shorewall.org/install.htm#idm327.
7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
and has been deleted. This removal has introduced a new
capabilities version.
8) When a log message is issued from a chain that relates to a pair of
zones (e.g, 'fw-net'), the chain name normally appears in the log
message (unless LOGTAGONLY=Yes and a log tag is specified). This
can prevent OPTIMIZE category 8 from combining chains which are
identical except for chain names in logging rules. The new
LOG_ZONE option in shorewall[6].conf allows for only the source or
destination zone to appear in the messages by setting LOG_ZONE to
'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
the full chain name is included in log messages.
Setting LOG_ZONE=src has been shown to decrease the size of the
generated ruleset by more than 10 percent in some cases. Your
results may vary.
9) Traditionally, when OPTIMIZE category 8 is enabled, identical
chains are combined under a name beginning with '~comb' or
'~blacklist'. Beginning with this release, setting
RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
behavior. If RENAME_COMBINED=No, identical chains are combined
under the original name of one of the chains.
10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
searched recursively for files newer than the compiled script. That
was changed in Shorewall 5.1.10.2 such that only the listed
directories themselves were searched. That broke some
configurations that played tricks with embedded SHELL such as:
SHELL cat /etc/shorewall/rules.d/loc/*.rules
Prior to 5.1.10.2, a change to a file in or adding a file to
/etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
with 5.1.10.2, such changes would not trigger
recompilation.
Beginning with this release, the pre-5.1.10.2 behavior can be
obtained by setting AUTOMAKE=recursive.
Also beginning with this release, AUTOMAKE may be set to a numeric
which specifies how deeply each listed directory is to be
searched. AUTOMAKE=1 only searches each directory itself and is
equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
and its immediate sub-directories; AUTOMAKE=3 will search each
directory, each of its immediate sub-directories, and each of their
immediate sub-directories, etc.
11) Previously, the maximum depth of INCLUDEs was four (although the
documentation gave the limit as three). Beginning with this
release, that limit has been raised to 20.
12) Support for the deprecated 'masq' file has been deleted. Any
existing 'masq' file will automatically be converted to the
equivalent 'snat' file.
13) Three new shorewall commands have been implemented:
a) show rc
Displays the contents of the shorewallrc file
($SHAREDIR/shorewall/shorewallrc).
b) getcaps
Generates a capabilities file on a remote system and copies it
to a directory on the local system.
c) getrc
Copies the shorewallrc file from a remote system to a directory
on the local system.
See shorewall(8) for details.
Implemented by Matt Darfeuille
shorewall-init-5.2.3.4/sysconfig 0000664 0000000 0000000 00000001127 13531060406 015252 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# This file is sourced by the shorewall-init init and ifupdown scripts,
# so every setting must be a valid shell assignment.
#
# Sample: PRODUCTS="shorewall shorewall6"
#
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events
#
IFUPDOWN=0
#
# Set this to the name of the file that is to hold
# ipset contents. Shorewall-init will load those ipsets
# during 'start' and will save them there during 'stop'.
# Leave it empty to disable ipset saving and restoring.
#
SAVE_IPSETS=""
#
# Where Up/Down events get logged
# (used by the ifup/ifdown hook; an empty value means /dev/null)
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting)
# These are passed verbatim to each product's compiled firewall script.
OPTIONS="-V0"
shorewall-init-5.2.3.4/init.debian.sh 0000775 0000000 0000000 00000010406 13531060406 016046 0 ustar root root #!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# X-Start-Before: $network
# Required-Stop: $local_fs
# X-Stop-After: $network
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time prior to
# bringing up the network
### END INIT INFO
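. /lib/lsb/init-functions

# Exported so that the scripts invoked below inherit it.
export VERBOSITY=0

# The firewall scripts change the kernel ruleset; refuse to run unprivileged.
if [ "$(id -u)" != "0" ]; then
    echo "You must be root to start, stop or restart \"Shorewall \"." >&2
    exit 1
fi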
#
# Report a failed step and abort the script with status 1.
#
echo_notdone () {
    printf '%s\n' "not done."
    exit 1
}
#
# Warn that shorewall-init has nothing configured and exit with status 0
# (an unconfigured package is not reported as a failure).
# $1 - the init command; the Debian README pointer is omitted for "stop".
#
not_configured () {
    printf '%s\n' "#### WARNING ####" \
        "the firewall won't be initialized unless it is configured"
    if [ "$1" != "stop" ]; then
        printf '\n%s\n%s\n' \
            "Please read about Debian specific customization in" \
            "/usr/share/doc/shorewall-init/README.Debian.gz."
    fi
    printf '%s\n' "#################"
    exit 0
}
# set the STATEDIR variable
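#
# Set STATEDIR for the current PRODUCT and make sure a compiled firewall
# script exists there.
#
# Globals: PRODUCT, CONFDIR, VARLIB, SBINDIR (read); STATEDIR (written)
# Returns: 0 if $STATEDIR/firewall is already executable, otherwise the
#          status of the 'compile' command, or 1 for an unknown product.
#
setstatedir() {
    local statedir
    local vardirfile="${CONFDIR}/${PRODUCT}/vardir"

    # vardir is sourced in a subshell so that its assignments don't leak here.
    if [ -f "$vardirfile" ]; then
        statedir=$( . "$vardirfile" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR="${VARLIB}/${PRODUCT}"
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    fi

    case "$PRODUCT" in
        shorewall)
            "${SBINDIR}/shorewall" compile
            ;;
        shorewall6)
            "${SBINDIR}/shorewall" -6 compile
            ;;
        *)
            return 1
            ;;
    esac
}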
#
# The installer may alter this
#
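. /usr/share/shorewall/shorewallrc

# shorewall-init does nothing until PRODUCTS is set in its sysconfig file.
# The init command is passed on so that not_configured can tailor its
# message for 'stop'.
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . "$SYSCONFDIR/shorewall-init"
    [ -n "$PRODUCTS" ] || not_configured "$1"
else
    not_configured "$1"
fi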
# Initialize the firewall
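#
# For every product in PRODUCTS, put the firewall into its 'stop' (safe)
# state unless it already reports as running, then restore saved ipsets.
# Globals: PRODUCTS, OPTIONS, SAVE_IPSETS (read)
# Returns: 0; a failed ipset restore exits via echo_notdone.
#
shorewall_start () {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "

    # PRODUCTS and OPTIONS are word lists: word-splitting is intended.
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            #
            # Run in a sub-shell to avoid name collisions
            #
            (
                if ! "${STATEDIR}/firewall" status > /dev/null 2>&1; then
                    "${STATEDIR}/firewall" ${OPTIONS} stop
                fi
            )
        fi
    done

    echo "done."

    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        printf "Restoring ipsets: "
        if ! ipset -R < "$SAVE_IPSETS"; then
            echo_notdone
        fi
        echo "done."
    fi

    return 0
}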
# Clear the firewall
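#
# Put every product's firewall into the 'clear' state, then save the ipsets
# to SAVE_IPSETS so that 'start' can restore them.
# Globals: PRODUCTS, OPTIONS, SAVE_IPSETS (read)
# Returns: 0; a failed ipset save exits via echo_notdone.
#
shorewall_stop () {
    local PRODUCT
    local STATEDIR
    local tmpfile

    printf "Clearing \"Shorewall-based firewalls\": "

    # PRODUCTS and OPTIONS are word lists: word-splitting is intended.
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            "${STATEDIR}/firewall" ${OPTIONS} clear
        fi
    done

    echo "done."

    if [ -n "$SAVE_IPSETS" ]; then
        printf "Saving ipsets: "
        tmpfile="${SAVE_IPSETS}.tmp"
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        if ipset -S > "$tmpfile"; then
            # A dump that defines no set is discarded rather than written
            # over the previous save file.
            if grep -qE -- '^(-N|create )' "$tmpfile"; then
                mv -f "$tmpfile" "$SAVE_IPSETS"
            else
                rm -f "$tmpfile"
            fi
        else
            rm -f "$tmpfile"
            echo_notdone
        fi
        echo "done."
    fi

    return 0
}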
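case "$1" in
    start)
        shorewall_start
        ;;
    stop)
        shorewall_stop
        ;;
    reload|force-reload)
        # Accepted for LSB compatibility; intentionally a no-op.
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0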
shorewall-init-5.2.3.4/ifupdown.fedora.sh 0000664 0000000 0000000 00000004757 13531060406 016765 0 ustar root root #!/bin/sh
#
# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Get startup options (override default)
OPTIONS=  # passed to each product's firewall script; the sysconfig file sourced below may set it
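#
# Set STATEDIR for the current PRODUCT, compiling the firewall script if it
# is not yet present there.
#
# Globals: PRODUCT, CONFDIR, VARLIB, SBINDIR (read); STATEDIR (written)
# Returns: 0 unless a 'compile' was needed, in which case its status. The
#          caller re-checks that $STATEDIR/firewall is executable.
#
setstatedir() {
    local statedir
    local vardirfile="${CONFDIR}/${PRODUCT}/vardir"

    # vardir is sourced in a subshell so that its assignments don't leak here.
    if [ -f "$vardirfile" ]; then
        statedir=$( . "$vardirfile" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR="${VARLIB}/${PRODUCT}"
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    fi

    case "$PRODUCT" in
        shorewall)
            "${SBINDIR}/shorewall" compile
            ;;
        shorewall6)
            "${SBINDIR}/shorewall" -6 compile
            ;;
    esac
}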
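IFUPDOWN=0
PRODUCTS=

#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

# Debian-style and Red Hat-style locations of the shorewall-init settings;
# the first one that exists is used.
if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
fi

# Do nothing unless the administrator enabled IFUPDOWN and listed products.
[ "$IFUPDOWN" = 1 ] && [ -n "$PRODUCTS" ] || exit 0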
PHASE=''

#
# Derive INTERFACE and COMMAND from how we were invoked: as a pppd
# ip-up/ip-down hook, as an ifup/ifdown hook, or from a dispatcher.d
# script (which passes the action as $2). Any other invocation is ignored.
#
INTERFACE="$1"

case $0 in
    /etc/ppp*ip-up.local)
        COMMAND=up
        ;;
    /etc/ppp*ip-down.local)
        COMMAND=down
        ;;
    /etc/ppp*)
        exit 0
        ;;
    *ifup*)
        COMMAND=up
        ;;
    *ifdown*)
        COMMAND=down
        ;;
    *dispatcher.d*)
        COMMAND="$2"
        ;;
    *)
        exit 0
        ;;
esac
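# Up/down events are logged to LOGFILE (from the sysconfig file), if set.
[ -n "$LOGFILE" ] || LOGFILE=/dev/null

# PRODUCTS and OPTIONS are word lists: word-splitting is intended.
for PRODUCT in $PRODUCTS; do
    setstatedir

    if [ -x "$STATEDIR/firewall" ]; then
        echo "$(date --rfc-3339=seconds) $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> "$LOGFILE" 2>&1
        # The firewall script's exit status is ignored; the next product is
        # processed regardless.
        ( "$STATEDIR/firewall" $OPTIONS "$COMMAND" "$INTERFACE" >> "$LOGFILE" 2>&1 ) || true
    fi
done

exit 0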
shorewall-init-5.2.3.4/init.alt.sh 0000775 0000000 0000000 00000005733 13531060406 015413 0 ustar root root #!/bin/sh
#
# Shorewall init script
#
# chkconfig: - 09 91
# description: Initialize the shorewall firewall at boot time
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Initialize the shorewall firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
# Do not load RH compatibility interface.
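WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc

NAME="Shorewall-init firewall"
PROG="shorewall-init"
SHOREWALL="$SBINDIR/$PROG"
# LOGGER holds a command plus its arguments, so it must be expanded
# unquoted where it is used.
LOGGER="logger -i -t $PROG"

# Get startup options (override default)
OPTIONS=

LOCKFILE=/var/lock/subsys/shorewall-init

# check if shorewall-init is configured or not
if [ -f "/etc/sysconfig/shorewall-init" ]; then
    . /etc/sysconfig/shorewall-init
    if [ -z "$PRODUCTS" ]; then
        echo "No PRODUCTS configured" >&2
        exit 6
    fi
else
    echo "/etc/sysconfig/shorewall-init not found" >&2
    exit 6
fi

RETVAL=0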
# set the STATEDIR variable
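#
# Set STATEDIR for the current PRODUCT and make sure a compiled firewall
# script exists there.
#
# Globals: PRODUCT, CONFDIR, VARLIB, SBINDIR (read); STATEDIR (written)
# Returns: 0 if $STATEDIR/firewall is already executable, otherwise the
#          status of the 'compile' command, or 1 for an unknown product.
#
setstatedir() {
    local statedir
    local vardirfile="${CONFDIR}/${PRODUCT}/vardir"

    # vardir is sourced in a subshell so that its assignments don't leak here.
    if [ -f "$vardirfile" ]; then
        statedir=$( . "$vardirfile" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=$statedir
    else
        STATEDIR="${VARLIB}/${PRODUCT}"
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    fi

    case "$PRODUCT" in
        shorewall)
            "${SBINDIR}/shorewall" compile
            ;;
        shorewall6)
            "${SBINDIR}/shorewall" -6 compile
            ;;
        *)
            return 1
            ;;
    esac
}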
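#
# Put every product's firewall into its 'stop' (safe) state, restore any
# saved ipsets and create the subsys lock file.
# Globals: PRODUCTS, OPTIONS, LOGGER, SAVE_IPSETS, LOCKFILE (read); RETVAL (written)
# Returns: RETVAL - 6 if a product has no usable firewall script.
#
start() {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "

    # PRODUCTS and OPTIONS are word lists: word-splitting is intended.
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # STATEDIR already names the product's own directory (see
            # setstatedir), so the script is $STATEDIR/firewall as in stop().
            # LOGGER is a command line, not a single word: leave it unquoted.
            "${STATEDIR}/firewall" ${OPTIONS} stop 2>&1 | $LOGGER
            # NOTE(review): in plain sh this is $LOGGER's status, not the
            # firewall script's; there is no PIPESTATUS here.
            RETVAL=$?
        else
            RETVAL=6
            break
        fi
    done

    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi

    [ "$RETVAL" -eq 0 ] && touch "$LOCKFILE"

    return "$RETVAL"
}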
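#
# Put every product's firewall into the 'clear' state, save the ipsets to
# SAVE_IPSETS and remove the subsys lock file.
# Globals: PRODUCTS, OPTIONS, LOGGER, SAVE_IPSETS, LOCKFILE (read); RETVAL (written)
# Returns: RETVAL - 6 if a product has no usable firewall script.
#
stop() {
    local PRODUCT
    local STATEDIR
    local tmpfile

    printf "Clearing \"Shorewall-based firewalls\": "

    # PRODUCTS and OPTIONS are word lists: word-splitting is intended.
    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # LOGGER is a command line, not a single word: leave it unquoted.
            "${STATEDIR}/firewall" ${OPTIONS} clear 2>&1 | $LOGGER
            # NOTE(review): in plain sh this is $LOGGER's status, not the
            # firewall script's; there is no PIPESTATUS here.
            RETVAL=$?
        else
            RETVAL=6
            break
        fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
        tmpfile="${SAVE_IPSETS}.tmp"
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        if ipset -S > "$tmpfile"; then
            # A dump that defines no set is discarded rather than written
            # over the previous save file.
            if grep -qE -- '^(-N|create )' "$tmpfile"; then
                mv -f "$tmpfile" "$SAVE_IPSETS"
            else
                rm -f "$tmpfile"
            fi
        else
            rm -f "$tmpfile"
        fi
    fi

    [ "$RETVAL" -eq 0 ] && rm -f "$LOCKFILE"

    return "$RETVAL"
}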
# See how we were called.
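case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload|condrestart|condreload)
        # "Not implemented"
        ;;
    condstop)
        # Only clear the firewall if 'start' left its lock file behind.
        if [ -e "$LOCKFILE" ]; then
            stop
        fi
        ;;
    status)
        status "$PROG"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${0##*/} {start|stop|restart|reload|condrestart|condstop|status}" >&2
        RETVAL=1
        ;;
esac

exit "$RETVAL"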
shorewall-init-5.2.3.4/configure 0000775 0000000 0000000 00000012473 13531077635 015254 0 ustar root root #!/bin/bash
#
# Shorewall Packet Filtering Firewall configuration program - V5.2
#
# (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://www.shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .
#
# Usage: ./configure [ = ] ...
#
#
################################################################################################
#
# Build updates this
#
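VERSION=5.2.3.4

# Associative arrays (declare -A) and 'declare -u' below need Bash 4.0+.
# BASH_VERSINFO is compared numerically so that a future two-digit major
# version is not rejected by a glob.
if [ "${BASH_VERSINFO[0]:-0}" -lt 4 ]; then
    echo "ERROR: This program requires Bash 4.0 or later" >&2
    exit 1
fi

declare -A params   # settings given on the command line, keyed by upper-case name
declare -A options  # settings read from the rc file, then overridden by params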
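#
# Read NAME=VALUE lines from stdin (an rc file) into the 'options' array.
# Lines starting with '#' and lines without '=' are skipped; a trailing
# '#comment' and the whitespace around the value are stripped.
# Globals: options (written)
# Returns: 0
#
getfileparams() {
    local line name value

    # -r keeps backslashes in values verbatim; the default IFS still trims
    # leading/trailing blanks from the line.
    while read -r line; do
        case $line in
            \#*)
                ;;
            *=*)
                # Split on the FIRST '=', so a value may itself contain '='.
                name=${line%%=*}
                value=${line#*=}
                value=${value%#*}
                # Trim surrounding whitespace so that 'HOST=linux #x'
                # yields 'linux' rather than 'linux '.
                name=${name%"${name##*[![:space:]]}"}
                value=${value#"${value%%[![:space:]]*}"}
                value=${value%"${value##*[![:space:]]}"}
                [ -n "$name" ] && options[$name]="$value"
                ;;
        esac
    done

    return 0
}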
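#
# Collect NAME=VALUE (or --name=value) arguments into the 'params' array,
# upper-casing the name and mapping the aliases VENDOR, SHAREDSTATEDIR and
# DATADIR onto HOST, VARLIB and SHAREDIR.
#
for p in "$@"; do
    [ -n "$p" ] || continue

    declare -u pn       # -u: upper-case the value on assignment
    pn=${p%%=*}         # split on the first '='; the value may contain '='
    pn=${pn#--}
    pv=${p#*=}

    if [ -z "$pn" ]; then
        echo "ERROR: Invalid option ($p)" >&2
        exit 1
    fi

    case $pn in
        VENDOR)
            pn=HOST
            ;;
        SHAREDSTATEDIR)
            pn=VARLIB
            ;;
        DATADIR)
            pn=SHAREDIR
            ;;
    esac

    params[$pn]="$pv"
done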
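# Work from the distribution directory so that the rc files are found by
# their relative names.
cd "$(dirname "$0")" || exit 1

vendor=${params[HOST]}

if [ -z "$vendor" ]; then
    if [ -f /etc/os-release ]; then
        # os-release consists of shell-compatible NAME=VALUE lines, hence the
        # eval; only the ID= line is handed to it.
        eval "$(grep '^ID=' /etc/os-release)"

        case $ID in
            fedora|rhel)
                vendor=redhat
                ;;
            debian|ubuntu)
                vendor=debian
                ;;
            opensuse)
                vendor=suse
                ;;
            alt|basealt|altlinux)
                vendor=alt
                ;;
            *)
                vendor="$ID"
                ;;
        esac

        params[HOST]="$vendor"
    fi
fi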
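if [ -z "$vendor" ]; then
    #
    # No HOST given and no usable /etc/os-release: fall back to the classic
    # per-distribution release files.
    #
    case $(uname) in
        Darwin)
            params[HOST]=apple
            rcfile=shorewallrc.apple
            ;;
        cygwin*|CYGWIN*)
            params[HOST]=cygwin
            rcfile=shorewallrc.cygwin
            ;;
        *)
            if [ -f /etc/debian_version ]; then
                params[HOST]=debian
                # On systemd hosts /sbin/init is normally a symlink whose
                # target names systemd, which 'ls -l' shows.
                if ls -l /sbin/init | grep -Fq systemd; then
                    rcfile=shorewallrc.debian.systemd
                else
                    rcfile=shorewallrc.debian.sysvinit
                fi
            elif [ -f /etc/altlinux-release ] ; then
                params[HOST]=alt
                # The HOST=alt path below reads shorewallrc.alt, so select it
                # here too; leaving rcfile empty made the later read of
                # $rcfile fail.
                rcfile=shorewallrc.alt
            elif [ -f /etc/redhat-release ]; then
                params[HOST]=redhat
                rcfile=shorewallrc.redhat
            elif [ -f /etc/slackware-version ] ; then
                params[HOST]=slackware
                rcfile=shorewallrc.slackware
            elif [ -f /etc/SuSE-release ]; then
                params[HOST]=suse
                rcfile=shorewallrc.suse
            elif [ -f /etc/arch-release ] ; then
                params[HOST]=archlinux
                rcfile=shorewallrc.archlinux
            elif [ -f /etc/openwrt_release ]; then
                params[HOST]=openwrt
                rcfile=shorewallrc.openwrt
            else
                params[HOST]=linux
                rcfile=shorewallrc.default
            fi
            ;;
    esac

    vendor=${params[HOST]}
else
    if [ "$vendor" = linux ]; then
        rcfile=shorewallrc.default
    elif [ "$vendor" = debian ] && [ -f /etc/debian_version ]; then
        # Pick the init-system flavor of the Debian rc file.
        if ls -l /sbin/init | grep -Fq systemd; then
            rcfile=shorewallrc.debian.systemd
        else
            rcfile=shorewallrc.debian.sysvinit
        fi
    else
        rcfile=shorewallrc.$vendor
    fi

    if [ ! -f "$rcfile" ]; then
        echo "ERROR: $vendor is not a recognized host type" >&2
        exit 1
    elif [ "$vendor" = default ]; then
        params[HOST]=linux
        vendor=linux
    elif [[ $vendor == debian.* ]]; then
        params[HOST]=debian
        vendor=debian
    fi
fi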
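if [ "$vendor" = linux ]; then
    echo "INFO: Creating a generic Linux installation - $(date)"
else
    echo "INFO: Creating a ${params[HOST]}-specific installation - $(date)"
fi

echo

# rc-file defaults first; command-line settings then override them.
getfileparams < "$rcfile" || exit 1

for p in "${!params[@]}"; do
    options[$p]="${params[$p]}"
done

# Write the header of the generated shorewallrc. SOURCE_DATE_EPOCH, when
# set, fixes the timestamp so that repeated builds produce the same file.
{
    echo '#'
    echo "# Created by Shorewall Core version $VERSION configure - $(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}")"
    echo "# rc file: $rcfile"
    echo '#'
    if [ $# -gt 0 ]; then
        echo "# Input: $*"
        echo '#'
    fi
} > shorewallrc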
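#
# Derive VARLIB/VARDIR/SERVICEDIR defaults from what is already set:
#  - VARLIB given, VARDIR not: VARDIR becomes the '${VARLIB}/${PRODUCT}'
#    template (kept literal; it expands when shorewallrc is sourced).
#  - VARDIR given, VARLIB not: VARLIB takes VARDIR's value and VARDIR
#    becomes the template.
#  - SERVICEDIR empty: taken from the SYSTEMD setting, if any.
# Globals: options (read and written)
#
set_default_options() {
    if [ -n "${options[VARLIB]}" ]; then
        if [ -z "${options[VARDIR]}" ]; then
            options[VARDIR]='${VARLIB}/${PRODUCT}'
        fi
    elif [ -n "${options[VARDIR]}" ]; then
        # VARLIB is known to be empty here (the first test failed). The
        # previous inner test misspelled the expansion and never matched.
        options[VARLIB]=${options[VARDIR]}
        options[VARDIR]='${VARLIB}/${PRODUCT}'
    fi

    if [ -z "${options[SERVICEDIR]}" ]; then
        options[SERVICEDIR]="${options[SYSTEMD]}"
    fi
}

set_default_options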
#
# Emit the final settings, in a fixed order, both to the terminal and to the
# generated shorewallrc.
#
rc_names=(
    HOST PREFIX SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR MANDIR
    INITDIR INITSOURCE INITFILE AUXINITSOURCE AUXINITFILE
    SERVICEDIR SERVICEFILE SYSCONFFILE SYSCONFDIR SPARSE ANNOTATED
    VARLIB VARDIR DEFAULT_PAGER
)

for on in "${rc_names[@]}"; do
    line="$on=${options[$on]}"
    printf '%s\n' "$line"
    printf '%s\n' "$line" >> shorewallrc
done
shorewall-init-5.2.3.4/init.fedora.sh 0000775 0000000 0000000 00000006345 13531060406 016073 0 ustar root root #! /bin/bash
#
# chkconfig: - 09 91
# description: Initialize the shorewall firewall at boot time
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Initialize the shorewall firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
#determine where the files were installed
. /usr/share/shorewall/shorewallrc

prog="shorewall-init"
lockfile="/var/lock/subsys/shorewall-init"
# command prefix used to send firewall script output to syslog
logger="logger -i -t $prog"

# Source function library.
. /etc/rc.d/init.d/functions

# Get startup options (override default)
OPTIONS=

# check if shorewall-init is configured or not
if [ ! -f "/etc/sysconfig/shorewall-init" ]; then
    echo "/etc/sysconfig/shorewall-init not found"
    exit 6
fi

. /etc/sysconfig/shorewall-init
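# set the STATEDIR variable
#
# Globals read:  CONFDIR, PRODUCT, VARLIB, SBINDIR
# Globals set:   STATEDIR - ${VARDIR} from ${CONFDIR}/${PRODUCT}/vardir when
#                that file sets it, else ${VARLIB}/${PRODUCT}
# Returns:       0 when ${STATEDIR}/firewall is executable; for shorewall and
#                shorewall6 the status of the compile that is attempted
#                instead; 1 for any other product.
setstatedir() {
    local statedir

    # The vardir file is sourced as shell code, so it runs with this
    # script's privileges; only its VARDIR value is used. The path is the
    # same one tested with -f (the former extra leading '/' was redundant).
    if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
        statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=${statedir}
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    elif [ "$PRODUCT" = shorewall ]; then
        "${SBINDIR}/shorewall" compile
    elif [ "$PRODUCT" = shorewall6 ]; then
        "${SBINDIR}/shorewall" -6 compile
    else
        return 1
    fi
}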
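# Initialize the firewall
#
# For each product in $PRODUCTS, run "<statedir>/firewall stop" so that the
# firewall is in its safe state before the network is brought up.
#
# Globals read:  PRODUCTS, SAVE_IPSETS, OPTIONS, logger, lockfile
# Returns:       0 on success, 6 when nothing is configured or a product has
#                no firewall script, otherwise the status of the first
#                failing firewall script.
start () {
    local PRODUCT
    local STATEDIR
    local retval

    if [ -z "$PRODUCTS" ]; then
        echo "No firewalls configured for shorewall-init"
        failure
        return 6 #Not configured
    fi

    printf "Initializing \"Shorewall-based firewalls\": "

    # Saved ipsets are restored before the firewall scripts are run
    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi

    for PRODUCT in $PRODUCTS; do
        setstatedir
        retval=$?

        if [ $retval -eq 0 ]; then
            # $OPTIONS and $logger are word lists and must stay unquoted
            "${STATEDIR}/firewall" ${OPTIONS} stop 2>&1 | $logger
            retval=${PIPESTATUS[0]}   # status of the firewall script, not of logger
            [ $retval -ne 0 ] && break
        else
            retval=6 #Product not configured
            break
        fi
    done

    if [ $retval -eq 0 ]; then
        touch "$lockfile"
        success
    else
        failure
    fi

    echo
    return $retval
}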
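# Clear the firewall
#
# For each product in $PRODUCTS, run "<statedir>/firewall clear"; on success
# save the current ipsets to $SAVE_IPSETS (when set) and remove the lock file.
#
# Globals read:  PRODUCTS, SAVE_IPSETS, OPTIONS, logger, lockfile
# Returns:       0 on success, 6 when a product has no firewall script,
#                otherwise the status of the first failing firewall script.
stop () {
    local PRODUCT
    local STATEDIR
    # Start from success so an empty $PRODUCTS clears nothing and reports 0
    # (previously retval was unset and the test below was malformed)
    local retval=0

    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        setstatedir
        retval=$?

        if [ $retval -eq 0 ]; then
            # $OPTIONS and $logger are word lists and must stay unquoted
            "${STATEDIR}/firewall" ${OPTIONS} clear 2>&1 | $logger
            retval=${PIPESTATUS[0]}   # status of the firewall script, not of logger
            [ $retval -ne 0 ] && break
        else
            retval=6 #Product not configured
            break
        fi
    done

    if [ $retval -eq 0 ]; then
        if [ -n "$SAVE_IPSETS" ]; then
            mkdir -p "$(dirname "$SAVE_IPSETS")"
            # Dump to a temporary file and only replace the saved copy when
            # the dump contains at least one set definition.
            if ipset -S > "${SAVE_IPSETS}.tmp"; then
                if grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp"; then
                    mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
                else
                    rm -f "${SAVE_IPSETS}.tmp"
                fi
            else
                rm -f "${SAVE_IPSETS}.tmp"
            fi
        fi

        rm -f "$lockfile"
        success
    else
        failure
    fi

    echo
    return $retval
}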
# Silent variant of the functions-library "status": discards all output and
# yields only the exit status.
status_q() {
    { status; } >/dev/null 2>&1
}
case "$1" in
    start)
        # nothing to do when status_q already reports the service as running
        status_q && exit 0
        start
        ;;
    stop)
        # nothing to do when status_q reports the service as not running
        status_q || exit 0
        stop
        ;;
    restart|reload|force-reload|condrestart|try-restart)
        echo "Not implemented"
        exit 3
        ;;
    status)
        status $prog
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
esac

exit 0
shorewall-init-5.2.3.4/init.sh 0000775 0000000 0000000 00000006721 13531060406 014632 0 ustar root root #! /bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
#
# (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# chkconfig: - 09 91
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-start: $local_fs
# Required-stop: $local_fs
# Default-Start: 2 3 5
# Default-Stop: 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
# Only root may manipulate the firewall
[ "$(id -u)" = "0" ] || {
    echo "You must be root to start, stop or restart \"Shorewall \"."
    exit 1
}

# check if shorewall-init is configured or not: a missing sysconfig file or
# an empty PRODUCTS list means there is nothing to do
[ -f "/etc/sysconfig/shorewall-init" ] || exit 0
. /etc/sysconfig/shorewall-init
[ -n "$PRODUCTS" ] || exit 0

#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
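# Locate the current PRODUCT's statedir
#
# Globals read:  CONFDIR, PRODUCT, VARLIB, SBINDIR, OPTIONS
# Globals set:   STATEDIR - ${VARDIR} from ${CONFDIR}/${PRODUCT}/vardir when
#                that file sets it, else ${VARLIB}/${PRODUCT}
# Returns:       0 when ${STATEDIR}/firewall is executable; for shorewall and
#                shorewall6 the status of the compile that is attempted
#                instead; 1 for any other product.
setstatedir() {
    local statedir

    # The vardir file is sourced as shell code, so it runs with this
    # script's privileges; only its VARDIR value is used. The path is the
    # same one tested with -f (the former extra leading '/' was redundant).
    if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
        statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && echo "$VARDIR" )
    fi

    if [ -n "$statedir" ]; then
        STATEDIR=${statedir}
    else
        STATEDIR=${VARLIB}/${PRODUCT}
    fi

    if [ -x "${STATEDIR}/firewall" ]; then
        return 0
    elif [ "$PRODUCT" = shorewall ] || [ "$PRODUCT" = shorewall6 ]; then
        # $OPTIONS is a word list and must stay unquoted
        "${SBINDIR}/$PRODUCT" ${OPTIONS} compile "$STATEDIR/firewall"
    else
        return 1
    fi
}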
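# Initialize the firewall
#
# For each configured product that does not report itself as running, run
# "<statedir>/firewall stop" so the firewall is in its safe state before the
# network comes up; then restore any saved ipsets.
#
# Globals read:  PRODUCTS, SBINDIR, OPTIONS, SAVE_IPSETS
# Returns:       0 (per-product failures are not reported)
shorewall_start () {
    local PRODUCT
    local STATEDIR

    printf "Initializing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # SBINDIR comes from shorewallrc. The previous ${SBIN} was never
            # set, so this running-check always failed and "stop" always ran.
            if ! "${SBINDIR}/$PRODUCT" status > /dev/null 2>&1; then
                # $OPTIONS is a word list and must stay unquoted
                "${STATEDIR}/firewall" ${OPTIONS} stop
            fi
        fi
    done

    if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
        ipset -R < "$SAVE_IPSETS"
    fi

    return 0
}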
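# Clear the firewall
#
# For each configured product with a firewall script, run
# "<statedir>/firewall clear"; then save the current ipsets to $SAVE_IPSETS
# when that is set.
#
# Globals read:  PRODUCTS, OPTIONS, SAVE_IPSETS
# Returns:       0 (per-product failures are not reported)
shorewall_stop () {
    local PRODUCT
    local STATEDIR

    printf "Clearing \"Shorewall-based firewalls\": "

    for PRODUCT in $PRODUCTS; do
        if setstatedir; then
            # $OPTIONS is a word list and must stay unquoted
            "${STATEDIR}/firewall" ${OPTIONS} clear
        fi
    done

    if [ -n "$SAVE_IPSETS" ]; then
        mkdir -p "$(dirname "$SAVE_IPSETS")"
        # Dump to a temporary file and only replace the saved copy when the
        # dump contains at least one set definition.
        if ipset -S > "${SAVE_IPSETS}.tmp"; then
            if grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp"; then
                mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
            else
                rm -f "${SAVE_IPSETS}.tmp"
            fi
        else
            rm -f "${SAVE_IPSETS}.tmp"
        fi
    fi

    return 0
}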
case "$1" in
    start)
        shorewall_start
        ;;
    stop)
        shorewall_stop
        ;;
    *)
        # anything other than start/stop (including no argument) is a usage error
        echo "Usage: /etc/init.d/shorewall-init {start|stop}"
        exit 1
esac

exit 0
shorewall-init-5.2.3.4/lib.installer 0000664 0000000 0000000 00000003613 13531077635 016026 0 ustar root root #
# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
#
# (c) 2017 - Tom Eastep (teastep@shorewall.net)
# (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# The purpose of this library is to hold those functions used by the products installer.
#
#########################################################################################
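# Print an error message on stderr and terminate the installer.
# Arguments: the message words (joined with single spaces)
# Exits:     1
fatal_error()
{
    # $* (not $@) so the words form one message; printf avoids echo's
    # option/escape handling of arbitrary text
    printf '%s\n' " ERROR: $*" >&2
    exit 1
}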
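# Split a ':'-separated list (such as $PATH) into its elements.
# Arguments: $1 - the list
# Outputs:   the elements, space-separated, on one line
split() {
    local ifs

    ifs=$IFS
    IFS=:
    # shellcheck disable=SC2086 -- word-splitting $1 on ':' is the purpose here
    set -- $1
    IFS=$ifs
    # quoted "$@" so elements containing glob characters are printed literally
    echo "$@"
}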
# Run a command quietly: both stdout and stderr are discarded, the exit
# status is passed through.
# Arguments: the command and its arguments
qt()
{
    "$@" >/dev/null 2>/dev/null
}
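# Report whether $1 exists as an executable regular file in some $PATH entry.
# Arguments: $1 - command name
# Returns:   0 when found, 2 otherwise
# Note:      relies on split(); PATH entries containing spaces are not supported
mywhich() {
    local dir

    for dir in $(split "$PATH"); do
        # -f as well as -x: a directory named like the command is not a match
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            return 0
        fi
    done

    return 2
}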
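# Remove a file; a missing file is not an error.
# Arguments: $1 - file to delete
delete_file() # $1 = file to delete
{
    # quoted, and "--" so names with spaces or a leading '-' are handled
    rm -f -- "$1"
}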
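# Abort unless the variable named by $1 is set to a non-empty value.
# Arguments: $1 - name of a shell variable (an installer option)
# Exits:     via fatal_error when the variable is empty or unset, or when
#            $1 is not a valid variable name
require()
{
    # The name is interpolated into eval below, so accept only a valid
    # identifier; anything else is a caller bug, not a missing option.
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            fatal_error "Invalid option name '$1'"
            ;;
    esac

    eval "[ -n \"\${$1}\" ]" || fatal_error "Required option $1 not set"
}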
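# Create a directory with the given mode and, when OWNERSHIP is set, owner.
# Arguments: $1 - directory, $2 - mode (as accepted by chmod)
# Globals:   OWNERSHIP - presumably an owner[:group] spec for chown; optional
# Returns:   0 when mkdir/chmod (and chown, if run) succeed
make_directory() # $1 = directory , $2 = mode
{
    mkdir "$1"
    chmod "$2" "$1"
    # if/fi rather than "&&": an unset OWNERSHIP must not make the
    # function return 1
    if [ -n "$OWNERSHIP" ]; then
        chown "$OWNERSHIP" "$1"
    fi
}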
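# Create a directory and any missing parents, then apply the given mode and,
# when OWNERSHIP is set, owner to the directory itself.
# Arguments: $1 - directory, $2 - mode (as accepted by chmod)
# Globals:   OWNERSHIP - presumably an owner[:group] spec for chown; optional
# Returns:   0 when mkdir/chmod (and chown, if run) succeed
make_parent_directory() # $1 = directory , $2 = mode
{
    mkdir -p "$1"
    chmod "$2" "$1"
    # Same guard and same variable as make_directory: the test was on
    # OWNERSHIP while the chown used $OWNER:$GROUP, which is a no-op when
    # those two are unset.
    if [ -n "$OWNERSHIP" ]; then
        chown "$OWNERSHIP" "$1"
    fi
}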
# Warn on stderr that $Product could not be set up to start at boot
# (an empty line goes to stdout first).
# Globals: Product - human-readable product name
cant_autostart()
{
    printf '\n'
    printf '%s\n' "WARNING: Unable to configure $Product to start automatically at boot" >&2
}
shorewall-init-5.2.3.4/changelog.txt 0000664 0000000 0000000 00000011765 13531077635 016040 0 ustar root root Changes in 5.2.3.4
1) Update release documents.
2) Correct handling of multi-queue NFQUEUE as a policy.
3) Correct handling of multi-queue NFQUEUE as a macro parameter.
4) Make 'AUTOMAKE=No' the update default.
5) Correct the description of the 'bypass' NFQUEUE option in
shorewall-rules(5).
Changes in 5.2.3.3
1) Update release documents.
2) Document fix for an ipset in the SPORT column.
Changes in 5.2.3.2
1) Update release documents.
2) Document fix for masq file auto-update.
Changes in 5.2.3.1
1) Update release documents.
2) Correct issue with policy file zone exclusion.
Changes in 5.2.3 Final
1) Update release documents.
2) Correct problem corrected (mention helper).
Changes in 5.2.3 RC 1
1) Update release documents.
2) Delete pre-2.6.20 modules from the helpers file
3) Delete modules* during install
Changes in 5.2.3 Beta 2
1) Update release documents.
2) Remove LOAD_HELPERS_ONLY option.
Changes in 5.2.3 Beta 1
1) Update release documents.
2) Support zone exclusion in the policy file.
3) Deprecate all/any[+]-.
4) Document 'test' argument to compiler.pl
Changes in 5.2.2 Final
1) Update release documents.
2) Increase the 'wait' interface option setting limit.
Changes in 5.2.2 RC 1
1) Update release documents.
2) Allow inline matches in the conntrack file.
3) Tighten check for early matches.
4) Support '+' in INLINE() accounting rules.
Changes in 5.2.2 Beta 2
1) Update release documents.
2) Add comments to the Provider, Zones and Misc Perl modules.
3) Add NetManager gateway detection.
Changes in 5.2.2 Beta 1
1) Update release documents.
2) New macros from Vincas Dargis.
3) Config.pm cleanup.
4) Deprecate ULOG.
Changes in 5.2.1.4
1) Update release documents.
2) Correct chain name in log messages out of RELATED chains.
3) Remove dead/silly code in Shorewall::Chains::use_input_chain() and
Shorewall::Chains::use_output_chain(). Combine the two into a
single function.
4) Correct handling of netmask in the RATE column when both a
source and dest rate are specified.
Changes in 5.2.1.3
1) Update release documents.
2) Make 'status -i' work correctly with optional interfaces and no
providers.
Changes in 5.2.1.2
1) Update release documents.
2) Fix an assertion failure during 'check -r' when DOCKER=Yes.
3) Implement SWCONFDIR support.
4) Correct HELPER requires message.
5) Don't attempt to load ipt_ULOG.
Changes in 5.2.1.1
1) Update release documents.
2) Handle emacs issue with generated script.
3) Correct ip6tables-restore failure message.
4) Additional fix for 'linkdown' routes.
5) Accommodate Docker version 18.03.1-ce
Changes in 5.2.1 Final
1) Update release documents.
2) Add Eric Teeter's Cockpit macro.
3) Avoid bad code generation when using SNAT(detect).
Changes in 5.2.1 RC 1
1) Update release documents.
2) Apply rate limiting in the nat table rather than in the filter
table.
3) Apply fix for Perl 5.23.
Changes in 5.2.1 Beta 3
1) Update release documents.
2) Corrected broken links in manpages.
3) Corrected source interface exclusion.
4) Correct rate limiting.
5) Allow shared interfaces to work with statistical load balancing.
6) Disallow shared optional providers.
Changes in 5.2.1 Beta 2
1) Update release documents.
2) Correct typo ( 'fatal-error' => 'fatal_error' ).
3) Increase verbosity in 'remote-*' operations.
4) Update version in Shorewall-core to 5.2.
5) Allow specification of VLSM in the RATE columns.
6) Allow specification of hash-table buckets and max entries in RATE
column.
7) Correct typo in configuration-basics doc.
Changes in 5.2.1 Beta 1
1) Update release documents.
2) Add IPFS macros by Răzvan Sandu.
3) New manpages
4) Allow interface exclusion.
5) Allow marking in the NAT table.
6) Allow more mark/mask freedom with TC_EXPERT=Yes.
Changes in 5.2.0.1
1) Update release documents.
2) Merge IfEvent fix from 5.1.12.4.
3) remote_* changes.
4) Fix syntax error in the ipdecimal command.
Changes in 5.2.0 Final
1) Update release documents.
Changes in 5.2.0 RC 2
1) Update release documents.
2) Up the INCLUDE depth limit to 20.
3) Make &lo work correctly.
4) Drop support for the 'masq' file.
5) Implement getcaps, getrc, and 'show rc'.
Changes in 5.2.0 RC 1
1) Update release documents.
2) Allow AUTOMAKE=
Changes in 5.2.0 Beta 2
1) Update release documents.
2) Correct two-chain case with LOG_ZONE != 'Both'.
3) Implement RENAME_COMBINED.
4) Replace ${VARDIR}/firewall with $g_firewall throughout CLI.
5) Reverse the order of optimize 8 and optimize 16 application.
Changes in 5.2.0 Beta 1
1) Update release documents.
2) Remove the MAPOLDACTIONS option.
3) Remove INLINE_MATCHES.
4) Remove the 'refresh' command.
5) Remove deprecated actions and macros.
6) Update DROP_DEFAULT and REJECT_DEFAULT if Drop and Reject
respectively.
7) Convert ';' to ';;' in INLINE and IP[6]TABLES rules.
8) Add 'show saves' command.
9) Add shorewallrc.sandbox
10) Implement LOG_ZONE.
shorewall-init-5.2.3.4/shorewall-init.spec 0000664 0000000 0000000 00000037342 13531077635 017164 0 ustar root root %define name shorewall-init
%define version 5.2.3
%define release 4
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
Version: %{version}
Release: %{release}
License: GPLv2
Packager: Tom Eastep
Group: Networking/Utilities
Source: %{name}-%{version}.tgz
URL: http://www.shorewall.org/
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: shoreline_firewall >= 4.5.0
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.
Shorewall Init is a companion product to Shorewall that allows for tighter
control of connections during boot and that integrates Shorewall with
ifup/ifdown and NetworkManager.
%prep
%setup
%build
%install
./configure.pl --host=%{_vendor} \
--prefix=%{_prefix} \
--tmpdir=%{_tmpdir} \
--perllibdir=%{perl_vendorlib} \
--libexecdir=%{_libexecdir} \
--sbindir=%{_sbindir}
DESTDIR=%{buildroot} ./install.sh
%clean
rm -rf $RPM_BUILD_ROOT
%post
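# $1 is the number of installed instances after this step: 1 = fresh install,
# so register the service with whichever init system is present.
if [ "$1" -eq 1 ]; then
    if [ -x %{_sbindir}/systemctl ]; then
        %{_sbindir}/systemctl enable shorewall-init
    elif [ -x /usr/bin/systemctl ]; then
        /usr/bin/systemctl enable shorewall-init
    elif [ -x %{_sbindir}/insserv ]; then
        %{_sbindir}/insserv %{_initddir}/shorewall-init
    elif [ -x %{_sbindir}/chkconfig ]; then
        %{_sbindir}/chkconfig --add shorewall-init
    fi
fi

# Install the ifup/ifdown hook in the distribution-specific locations.
if [ -f /etc/SuSE-release ]; then
    cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
    cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
    if [ -d /etc/ppp ]; then
        for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
            mkdir -p /etc/ppp/$directory
            cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
        done
    fi
else
    # Only overwrite existing ifup-local/ifdown-local when both are ours
    # (they carry the "Shorewall" marker); otherwise leave the admin's copies.
    if [ -f %{_sbindir}/ifup-local ] || [ -f %{_sbindir}/ifdown-local ]; then
        if ! grep -q Shorewall %{_sbindir}/ifup-local || ! grep -q Shorewall %{_sbindir}/ifdown-local; then
            echo "WARNING: %{_sbindir}/ifup-local and/or %{_sbindir}/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
        else
            cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local
            cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local
        fi
    else
        cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifup-local
        cp -pf %{_libexecdir}/shorewall-init/ifupdown %{_sbindir}/ifdown-local
    fi

    if [ -d /etc/ppp ]; then
        if [ -f /etc/ppp/ip-up.local ] || [ -f /etc/ppp/ip-down.local ]; then
            # NOTE(review): unlike the ifup-local case above, existing
            # Shorewall-based ppp hooks are left as they are rather than
            # refreshed; confirm this is intended.
            if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp/ip-down.local; then
                echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
            fi
        else
            cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/ip-up.local
            cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/ppp/ip-down.local
        fi
    fi

    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
        cp -pf %{_libexecdir}/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
    fi
fi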
%preun
# $1 is the number of instances that will remain: 0 = complete removal
# (not an upgrade), so unregister the service and remove our hooks.
if [ "$1" -eq 0 ]; then
    if [ -x %{_sbindir}/systemctl ]; then
        %{_sbindir}/systemctl disable shorewall-init
    elif [ -x /usr/bin/systemctl ]; then
        /usr/bin/systemctl disable shorewall-init
    elif [ -x %{_sbindir}/insserv ]; then
        %{_sbindir}/insserv -r %{_initddir}/shorewall-init
    elif [ -x %{_sbindir}/chkconfig ]; then
        %{_sbindir}/chkconfig --del shorewall-init
    fi

    # Remove only the hook copies that carry our marker text, so an
    # administrator's own ifup-local/ip-up.local files survive.
    for hook in %{_sbindir}/ifup-local %{_sbindir}/ifdown-local; do
        if [ -f "$hook" ] && grep -q Shorewall "$hook"; then
            rm -f "$hook"
        fi
    done

    for hook in /etc/ppp/ip-up.local /etc/ppp/ip-down.local; do
        if [ -f "$hook" ] && grep -q Shorewall-based "$hook"; then
            rm -f "$hook"
        fi
    done

    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
fi
%files
%defattr(0644,root,root,0755)
%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
%attr(0644,root,root) /usr/lib/systemd/system/shorewall-init.service
%attr(0755,root,root) %dir %{_libexecdir}/shorewall-init
%attr(0700,root,root) %{_sbindir}/shorewall-init
%attr(0644,root,root) /etc/logrotate.d/shorewall-init
%attr(0644,root,root) /usr/share/shorewall-init/version
%attr(0544,root,root) %{_libexecdir}/shorewall-init/ifupdown
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Aug 25 2019 Tom Eastep
- Updated to 5.2.3-4
* Thu Apr 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-3
* Sun Mar 17 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-2
* Tue Feb 26 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-1
* Mon Feb 11 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0base
* Wed Feb 06 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0RC1
* Sun Feb 03 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0Beta2
* Tue Jan 22 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.3-0Beta1
* Wed Jan 16 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.2-0base
* Tue Jan 08 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.2-0RC1
* Fri Jan 04 2019 Tom Eastep tom@shorewall.net
- Updated to 5.2.2-0Beta2
* Tue Oct 02 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.2-0Beta1
* Fri Sep 28 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.1-0base
* Thu Aug 23 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.1-0RC1
* Tue Jul 03 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.1-0Beta3
* Mon Jul 02 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.1-0Beta2
* Sat Apr 21 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.1-0Beta1
* Wed Apr 11 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-1
* Wed Mar 28 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-0base
* Mon Mar 26 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-0RC2
* Tue Feb 27 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-0RC1
* Wed Feb 21 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-0Beta2
* Wed Jan 24 2018 Tom Eastep tom@shorewall.net
- Updated to 5.2.0-0Beta1
* Tue Jan 23 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta2
* Wed Jan 17 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.12-0Beta1
* Wed Jan 10 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0base
* Fri Jan 05 2018 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0RC1
* Sun Dec 31 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta2
* Tue Dec 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.11-0Beta1
* Sat Dec 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0base
* Mon Dec 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC2
* Sat Dec 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0RC1
* Fri Dec 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta2
* Wed Nov 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.10-0Beta1
* Wed Nov 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0base
* Sat Nov 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0RC1
* Fri Nov 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta2
* Thu Oct 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.9-0Beta1
* Sun Oct 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0base
* Tue Oct 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0RC1
* Sat Oct 07 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta2
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.8-0Beta1
* Mon Sep 18 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0base
* Sun Sep 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC2
* Fri Sep 01 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0RC1
* Wed Aug 23 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta2
* Tue Aug 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.7-0Beta1
* Wed Aug 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0base
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC2
* Tue Aug 15 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Wed Aug 09 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0RC1
* Thu Aug 03 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta2
* Thu Jul 20 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.6-0Beta1
* Mon Jun 26 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0base
* Wed Jun 21 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0RC1
* Fri Jun 16 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta2
* Thu May 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.5-0Beta1
* Fri May 05 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0base
* Mon Apr 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0RC1
* Fri Mar 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta2
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.4-0Beta1
* Mon Mar 13 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0base
* Sun Mar 12 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC2
* Fri Mar 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0RC1
* Mon Mar 06 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta2
* Wed Feb 22 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.3-0Beta1
* Fri Feb 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0RC1
* Fri Feb 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta2
* Wed Jan 25 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.2-0Beta1
* Tue Jan 24 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0base
* Thu Jan 19 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0RC1
* Tue Jan 17 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta2
* Wed Jan 11 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.1-0Beta1
* Tue Jan 10 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-1
* Wed Jan 04 2017 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0base
* Wed Dec 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC2
* Tue Dec 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0RC1
* Mon Dec 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta2
* Sun Dec 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.1.0-0Beta1
* Fri Dec 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0base
* Thu Dec 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC2
* Sun Nov 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0RC1
* Thu Nov 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta2
* Sun Nov 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.15-0Beta1
* Mon Oct 31 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC3
* Sat Oct 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC2
* Thu Oct 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0RC1
* Tue Oct 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta2
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.14-0Beta1
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0base
* Sun Oct 16 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC2
* Sun Oct 09 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0RC1
* Tue Oct 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta2
* Sun Oct 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.13-0Beta1
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0base
* Sat Oct 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC3
* Tue Sep 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC2
* Tue Sep 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0RC1
* Tue Sep 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta2
* Sat Aug 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.12-0Beta1
* Sat Aug 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0base
* Sat Jul 30 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0RC1
* Wed Jul 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta2
* Tue Jul 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.11-0Beta1
* Fri Jul 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-1
* Sat Jun 25 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0base
* Tue Jun 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0RC1
* Tue Jun 14 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta2
* Mon Jun 06 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.10-0Beta1
* Thu May 12 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0base
* Thu May 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0RC1
* Thu Apr 28 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta2
* Mon Apr 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.9-0Beta1
* Fri Apr 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC2
* Mon Apr 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC1
* Thu Apr 07 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta4
* Sat Apr 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta3
* Fri Apr 01 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta2
* Sun Mar 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0Beta1
* Thu Mar 24 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0base
* Fri Mar 18 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0RC1
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta4
* Sun Mar 13 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta3
* Tue Mar 08 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta2
* Sat Mar 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.7-0Beta1
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta6
* Fri Mar 04 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta5
* Thu Mar 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta4
* Sat Feb 27 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta3
* Sun Feb 21 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta2
* Fri Feb 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.6-0Beta1
* Wed Feb 17 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0base
* Mon Feb 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC2
* Wed Feb 03 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0RC1
* Fri Jan 29 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta2
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.5-0Beta1
* Wed Jan 20 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0base
* Tue Jan 19 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC2
* Mon Jan 11 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0RC1
* Tue Jan 05 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta2
* Sat Jan 02 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.4-0Beta1
* Sun Dec 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0base
* Thu Dec 24 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC2
* Sun Dec 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0RC1
* Sat Dec 05 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta2
* Sat Nov 28 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.3-0Beta1
* Sat Nov 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-1
* Sat Nov 07 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0base
* Sun Nov 01 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0RC1
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta2
* Mon Oct 26 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.2-0Beta1
* Tue Oct 13 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-1
* Mon Oct 12 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.1-0base
* Sat Oct 03 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0base
* Mon Sep 21 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0RC1
* Thu Sep 10 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta2
* Mon Jul 27 2015 Tom Eastep tom@shorewall.net
- Updated to 5.0.0-0Beta1
shorewall-init-5.2.3.4/shorewallrc.sandbox 0000664 0000000 0000000 00000003012 13531077635 017237 0 ustar root root #
# Shorewall 5.2 rc file for installing into a Sandbox
#
BUILD= # Default is to detect the build system
HOST=linux
INSTALLDIR= # Set this to the directory where you want Shorewall installed
PREFIX=${INSTALLDIR}/usr # Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share # Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share # Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall # Directory to install Shorewall Perl module directory
CONFDIR=${INSTALLDIR}/etc # Directory where subsystem configurations are installed
SBINDIR=${INSTALLDIR}/sbin # Directory where system administration programs are installed
MANDIR= # Leave empty
INITDIR= # Leave empty
INITSOURCE= # Leave empty
INITFILE= # Leave empty
AUXINITSOURCE= # Leave empty
AUXINITFILE= # Leave empty
SERVICEDIR= # Leave empty
SERVICEFILE= # Leave empty
SYSCONFFILE= # Leave empty
SYSCONFDIR= # Leave empty
SPARSE= # Leave empty
ANNOTATED= # If non-empty, annotated configuration files are installed
VARLIB=${INSTALLDIR}/var/lib # Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT # Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less # Pager to use if none specified in shorewall[6].conf
SANDBOX=Yes # Indicates SANDBOX installation
shorewall-init-5.2.3.4/default.debian.systemd 0000664 0000000 0000000 00000000645 13531060406 017606 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list).
#
# Sample: PRODUCTS="shorewall shorewall6"
#
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events
#
IFUPDOWN=0
#
# Where Up/Down events get logged
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting)
OPTIONS="-V0"
# IOF
shorewall-init-5.2.3.4/shorewallrc.apple 0000664 0000000 0000000 00000002377 13531077635 016717 0 ustar root root #
# Apple OS X Shorewall 5.2 rc file
#
BUILD=apple
HOST=apple
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Unused on OS X
INITFILE= #Unused on OS X
INITSOURCE= #Unused on OS X
ANNOTATED= #Unused on OS X
SERVICEDIR= #Unused on OS X
SERVICEFILE= #Unused on OS X
SYSCONFDIR= #Unused on OS X
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on OS X
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/uninstall.sh 0000775 0000000 0000000 00000012407 13531077635 015712 0 ustar root root #!/bin/sh
#
# Script to uninstall Shoreline Firewall Init
#
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# Usage:
#
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
# Version this uninstaller was built for. It is replaced further down by
# the installed version when ${SHAREDIR}/$PRODUCT/version disagrees.
VERSION=5.2.3.4
# Package name (used for file names) and display name (used in messages)
PRODUCT=shorewall-init
Product="Shorewall Init"
usage() # $1 = exit status
{
# Print the option summary to stdout and leave with the requested status.
# ME is deliberately global: the script runs under /bin/sh, not bash.
ME=$(basename $0)
printf '%s\n' "usage: $ME [ ] [ ]" "where is one of" " -h" " -v" " -n"
exit $1
}
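#
# Change to the directory containing this script so that lib.uninstaller
# and a relative RC file are found next to it
#
cd "$(dirname $0)"
#
# Source common functions (fatal_error, mywhich, remove_file and
# remove_directory used below come from this library)
#
. ./lib.uninstaller || { echo "ERROR: Can not load common functions." >&2; exit 1; }
#
# Parse the run line. Options may be bundled (-nv); -n sets configure=0,
# which skips the init-system de-registration steps below.
#
finished=0
configure=1
while [ $finished -eq 0 ]; do
option=$1
case "$option" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
usage 0
;;
v)
echo "$Product Firewall Installer Version $VERSION"
exit 0
;;
n*)
configure=0
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
#
# Read the RC file. A single remaining argument names it; otherwise the
# first of ./shorewallrc, ~/.shorewallrc, /usr/share/shorewall/shorewallrc
# is used. The file is executed as shell, so it must be a trusted file.
#
if [ $# -eq 0 ]; then
if [ -f ./shorewallrc ]; then
. ./shorewallrc || fatal_error "Can not load the RC file: ./shorewallrc"
elif [ -f ~/.shorewallrc ]; then
. ~/.shorewallrc || fatal_error "Can not load the RC file: ~/.shorewallrc"
elif [ -f /usr/share/shorewall/shorewallrc ]; then
. /usr/share/shorewall/shorewallrc || fatal_error "Can not load the RC file: /usr/share/shorewall/shorewallrc"
else
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
fi
elif [ $# -eq 1 ]; then
file=$1
case $file in
/*|.*)
;;
*)
file=./$file || exit 1
;;
esac
. $file || fatal_error "Can not load the RC file: $file"
else
usage 1
fi
#
# Prefer the version recorded by the installer over the one compiled into
# this script; an absent version file means the product is not installed
#
if [ -f ${SHAREDIR}/$PRODUCT/version ]; then
INSTALLED_VERSION="$(cat ${SHAREDIR}/$PRODUCT/version)"
if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
echo "WARNING: $Product Version $INSTALLED_VERSION is installed"
echo " and this is the $VERSION uninstaller."
VERSION="$INSTALLED_VERSION"
fi
else
echo "WARNING: $Product Version $VERSION is not installed"
VERSION=""
fi
echo "Uninstalling $Product $VERSION"
# SANDBOX (from the RC file) disables de-registration just like -n
[ -n "$SANDBOX" ] && configure=0
# NOTE(review): gives LIBEXEC a default, but nothing below reads LIBEXEC
# (the directory removal uses LIBEXECDIR) -- looks like a leftover
[ -n "${LIBEXEC:=${SHAREDIR}}" ]
remove_file ${SBINDIR}/$PRODUCT
#
# SysV init script: de-register it with whichever tool the host has
# (skipped under -n/SANDBOX), then remove it
#
FIREWALL=${CONFDIR}/init.d/$PRODUCT
if [ -f "$FIREWALL" ]; then
if [ $configure -eq 1 ]; then
if [ $HOST = openwrt ] ; then
if /etc/init.d/$PRODUCT enabled; then
/etc/init.d/$PRODUCT disable
fi
elif mywhich insserv ; then
insserv -r $FIREWALL
elif mywhich update-rc.d ; then
update-rc.d ${PRODUCT} remove
elif mywhich chkconfig ; then
chkconfig --del $(basename $FIREWALL)
fi
fi
remove_file $FIREWALL
fi
#
# systemd unit: SYSTEMD is the older RC-file name for SERVICEDIR
#
[ -z "${SERVICEDIR}" ] && SERVICEDIR="$SYSTEMD"
if [ -n "$SERVICEDIR" ]; then
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}.service
remove_file $SERVICEDIR/${PRODUCT}.service
fi
#
# ifup-local/ifdown-local are removed only when they are symlinks that
# resolve to ${SHAREDIR}/$PRODUCT (the OpenWRT branch omits readlink -m).
# NOTE(review): the install.sh in this package installs these hooks as
# regular file copies (install_file), so for that layout the test never
# matches and the hooks are left behind -- confirm and extend if intended.
#
if [ $HOST = openwrt ]; then
[ "$(readlink -q ${SBINDIR}/ifup-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
[ "$(readlink -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
else
[ "$(readlink -m -q ${SBINDIR}/ifup-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifup-local
[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/$PRODUCT ] && remove_file ${SBINDIR}/ifdown-local
fi
#
# Sysconfig defaults and the network event hooks installed by install.sh
#
remove_file ${CONFDIR}/default/$PRODUCT
remove_file ${CONFDIR}/sysconfig/$PRODUCT
remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
remove_file ${CONFDIR}/network/if-up.d/shorewall
remove_file ${CONFDIR}/network/if-down.d/shorewall
remove_file ${CONFDIR}/network/if-post-down.d/shorewall
remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
#
# ppp hooks. The per-directory hooks are always ours. The *.local files
# are shared with the administrator and are only removed when they carry
# the "Shorewall-based" marker that install.sh checks for before it
# overwrites them.
# Fixed: this loop used $FILE (never set here) instead of $file, and looked
# for if-up.local/if-down.local although install.sh creates
# ip-up.local/ip-down.local, so these files were never removed.
#
if [ -d ${CONFDIR}/ppp ]; then
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
remove_file ${CONFDIR}/ppp/$directory/shorewall
done
for file in ip-up.local ip-down.local; do
if [ -f ${CONFDIR}/ppp/$file ]; then
if grep -qF Shorewall-based ${CONFDIR}/ppp/$file; then
remove_file ${CONFDIR}/ppp/$file
fi
fi
done
fi
remove_directory ${SHAREDIR}/$PRODUCT
remove_directory ${LIBEXECDIR}/$PRODUCT
remove_file ${CONFDIR}/logrotate.d/$PRODUCT
#
# Report Success
#
echo "$Product $VERSION Uninstalled"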
shorewall-init-5.2.3.4/shorewallrc.alt 0000664 0000000 0000000 00000004026 13531077635 016367 0 ustar root root #
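# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# Fixed: SERVICEDIR was assigned twice with the same value; the duplicate
# line is gone so a future edit cannot silently set two different values.
#
BUILD= #Default is to detect the build system
HOST=alt
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
PERLLIBDIR=${SHAREDIR}/perl5 #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=${CONFDIR}/rc.d/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.alt.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER=/usr/bin/less #Pager to use if none specified in shorewall[6].conf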
shorewall-init-5.2.3.4/default.debian.sysvinit 0000664 0000000 0000000 00000001134 13531060406 020000 0 ustar root root # List the Shorewall products that Shorewall-init is to
# initialize (space-separated list). The init script sources this
# file and refuses to start when PRODUCTS is empty.
#
# Sample: PRODUCTS="shorewall shorewall6"
#
PRODUCTS=""
#
# Set this to 1 if you want Shorewall-init to react to
# ifup/ifdown and NetworkManager events
#
IFUPDOWN=0
#
# Set this to the name of the file that is to hold
# ipset contents. Shorewall-init will load those ipsets
# during 'start' and will save them there during 'stop'.
# (The file is written by the init script; keep it on a
# root-only path, since its contents are fed to ipset -R.)
#
SAVE_IPSETS=""
#
# Where Up/Down events get logged
#
LOGFILE=/var/log/shorewall-ifupdown.log
# Startup options - set verbosity to 0 (minimal reporting)
OPTIONS="-V0"
# IOF
shorewall-init-5.2.3.4/shorewallrc.cygwin 0000664 0000000 0000000 00000002374 13531077635 017113 0 ustar root root #
# Cygwin Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# NOTE(review): the install.sh shipped in this package has no HOST=cygwin
# arm in its HOST case and stops with "Unsupported HOST distribution",
# so this file cannot be used to install shorewall-init itself.
#
BUILD=cygwin
HOST=cygwin
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/init.d #Unused on Cygwin
INITFILE= #Unused on Cygwin
INITSOURCE= #Unused on Cygwin
ANNOTATED= #Unused on Cygwin
SERVICEDIR= #Unused on Cygwin
SERVICEFILE= #Unused on Cygwin
SYSCONFDIR= #Unused on Cygwin
SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
VARLIB=/var/lib #Unused on Cygwin
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/shorewallrc.slackware 0000664 0000000 0000000 00000003766 13531077635 017575 0 ustar root root #
# Slackware Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# NOTE(review): install.sh in this package exits with "Shorewall-init is
# currently not supported on Slackware" for HOST=slackware, so the
# AUXINITSOURCE/AUXINITFILE pair below is not exercised by it.
#
BUILD=slackware
HOST=slackware
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${PREFIX}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d #Directory where SysV init scripts are installed.
AUXINITSOURCE=init.slackware.firewall.sh #Name of the distributed file to be installed as the SysV init script
AUXINITFILE=rc.firewall #Name of the product's installed SysV init script
INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script
INITFILE=rc.$PRODUCT #Name of the product's installed second init script
SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR= #Name of the directory where SysV init parameter files are installed.
ANNOTATED= #If non-empty, install annotated configuration files
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/shorewallrc.archlinux 0000664 0000000 0000000 00000003415 13531077635 017605 0 ustar root root #
# Arch Linux Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# NOTE(review): install.sh in this package exits with "Shorewall-init is
# currently not supported on Arch Linux" for HOST=archlinux.
#
BUILD= #Default is to detect the build system
HOST=archlinux
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/usr/bin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR= #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's installed SysV init script
INITSOURCE= #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SYSCONFDIR= #Directory where SysV init parameter files are installed
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/shorewallrc.redhat 0000664 0000000 0000000 00000003601 13531077635 017054 0 ustar root root #
# RedHat/Fedora Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# With INITFILE set, install.sh installs INITSOURCE as the SysV script in
# INITDIR and, because SERVICEDIR is set, the systemd unit as well.
#
BUILD= #Default is to detect the build system
HOST=redhat
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/libexec #Directory for executable scripts.
PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
CONFDIR=/etc #Directory where subsystem configurations are installed
SBINDIR=/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man #Directory where manpages are installed.
INITDIR=/etc/rc.d/init.d #Directory where SysV init scripts are installed.
INITFILE=$PRODUCT #Name of the product's installed SysV init script
INITSOURCE=init.fedora.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SYSCONFFILE=sysconfig #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where product variable data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/install.sh 0000775 0000000 0000000 00000036307 13531077635 015354 0 ustar root root #!/bin/sh
#
# Script to install Shoreline Firewall Init
#
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
#
# Shorewall documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 2 of the license or, at your
# option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Version string recorded in ${SHAREDIR}/$PRODUCT/version by this installer
VERSION=5.2.3.4
# Package name (used for file names) and display name (used in messages)
PRODUCT=shorewall-init
Product="Shorewall Init"
usage() # $1 = exit status
{
# Write the option summary to stdout, then exit with the given status.
# ME is global on purpose: this script runs under /bin/sh, not bash.
ME=$(basename $0)
cat <<EOF
usage: $ME [ ] [ ]
where is one of
 -h
 -v
 -n
EOF
exit $1
}
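install_file() # $1 = source $2 = target $3 = mode
{
# Copy $1 to $2 and set its mode to $3; when OWNER is set (see the BUILD
# case in the main script) also chown it to OWNER:GROUP. Any failure
# prints an error on stderr and exits the installer with status 1.
# Fixed: the arguments were unquoted, so a source or target path
# containing whitespace was split into several words.
if cp -f "$1" "$2" && chmod "$3" "$2"; then
if [ -z "$OWNER" ] || chown "$OWNER:$GROUP" "$2"; then
return 0
fi
fi
echo "ERROR: Failed to install $2" >&2
exit 1
}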
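#
# Change to the directory containing this script so that lib.installer,
# the distributed files and a relative RC file are found next to it
#
cd "$(dirname $0)"
#
# Source common functions (fatal_error, require, make_parent_directory,
# mywhich and cant_autostart used below come from this library)
#
. ./lib.installer || { echo "ERROR: Can not load common functions." >&2; exit 1; }
#
# Parse the run line. Options may be bundled (-nv); -n sets configure=0,
# which keeps the installer from touching the live init system.
#
finished=0
configure=1
while [ $finished -eq 0 ] ; do
option="$1"
case "$option" in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
h)
usage 0
;;
v)
echo "$Product Firewall Installer Version $VERSION"
exit 0
;;
n*)
configure=0
option=${option#n}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
#
# Read the RC file. A single remaining argument names it; otherwise the
# first of ./shorewallrc, ~/.shorewallrc, /usr/share/shorewall/shorewallrc
# is used. The file is executed as shell, so it must be a trusted file.
#
if [ $# -eq 0 ]; then
if [ -f ./shorewallrc ]; then
file=./shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
elif [ -f ~/.shorewallrc ]; then
file=~/.shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
elif [ -f /usr/share/shorewall/shorewallrc ]; then
file=/usr/share/shorewall/shorewallrc
. $file || fatal_error "Can not load the RC file: $file"
else
fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
fi
elif [ $# -eq 1 ]; then
file=$1
case $file in
/*|.*)
;;
*)
file=./$file || exit 1
;;
esac
. $file || fatal_error "Can not load the RC file: $file"
else
usage 1
fi
#
# Older RC files set only VARDIR; derive the missing one of VARLIB/VARDIR
#
if [ -z "${VARLIB}" ]; then
VARLIB=${VARDIR}
VARDIR=${VARLIB}/${PRODUCT}
elif [ -z "${VARDIR}" ]; then
VARDIR=${VARLIB}/${PRODUCT}
fi
for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
require $var
done
# SANDBOX (from the RC file) disables live-system changes just like -n
[ -n "$SANDBOX" ] && configure=0
# Pin PATH so the tools run below (sed, systemctl, insserv, chkconfig, ...)
# come from the system directories rather than the caller's environment
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# Hook scripts go to the real /etc when configuring the live system,
# otherwise under CONFDIR (which may point into a staging tree)
[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
#
# Detect the build system when the RC file did not name it
#
if [ -z "$BUILD" ]; then
case $(uname) in
cygwin*)
BUILD=cygwin
;;
Darwin)
BUILD=apple
;;
*)
if [ -f /etc/os-release ]; then
# The ID= line of /etc/os-release is executed as shell. That is only
# acceptable because the file is a system file outside the caller's
# control; do not reuse this pattern on any file a user can write.
eval $(cat /etc/os-release | grep ^ID=)
case $ID in
fedora|rhel|centos|foobar)
BUILD=redhat
;;
debian|ubuntu)
BUILD=debian
;;
opensuse)
BUILD=suse
;;
alt|basealt|altlinux)
BUILD=alt
;;
*)
BUILD="$ID"
;;
esac
elif [ -f /etc/debian_version ]; then
BUILD=debian
elif [ -f /etc/ubuntu_version ]; then
BUILD=debian
elif [ -f /etc/gentoo-release ]; then
BUILD=gentoo
elif [ -f /etc/altlinux-release ]; then
BUILD=alt
elif [ -f /etc/redhat-release ]; then
BUILD=redhat
elif [ -f /etc/SuSE-release ]; then
BUILD=suse
elif [ -f /etc/slackware-version ] ; then
BUILD=slackware
elif [ -f /etc/arch-release ] ; then
BUILD=archlinux
elif [ -f ${CONFDIR}/openwrt_release ]; then
BUILD=openwrt
else
BUILD=linux
fi
;;
esac
fi
#
# Ownership applied by install_file: root on most systems when running as
# root, the current user on Cygwin, unset otherwise (no chown is done)
#
case $BUILD in
apple)
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=wheel
;;
cygwin*|CYGWIN*)
OWNER=$(id -un)
GROUP=$(id -gn)
;;
*)
if [ $(id -u) -eq 0 ]; then
[ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root
fi
;;
esac
[ -n "$OWNER" ] && OWNERSHIP="$OWNER:$GROUP"
# HOST is the target distribution; it defaults to the build system
[ -n "$HOST" ] || HOST=$BUILD
case "$HOST" in
debian)
echo "Installing Debian-specific configuration..."
;;
gentoo)
echo "Installing Gentoo-specific configuration..."
;;
redhat)
echo "Installing Redhat/Fedora-specific configuration..."
;;
slackware)
echo "Shorewall-init is currently not supported on Slackware" >&2
exit 1
;;
archlinux)
echo "Shorewall-init is currently not supported on Arch Linux" >&2
exit 1
;;
suse)
echo "Installing SuSE-specific configuration..."
;;
openwrt)
echo "Installing Openwrt-specific configuration..."
;;
alt)
echo "Installing ALT-specific configuration...";
;;
linux)
fatal_error "Shorewall-init is not supported on this system"
;;
*)
fatal_error "Unsupported HOST distribution: \"$HOST\""
;;
esac
[ -z "$TARGET" ] && TARGET=$HOST
# DESTDIR (package builds) prefixes every installed path; ownership is only
# set when we are root
if [ -n "$DESTDIR" ]; then
if [ $(id -u) != 0 ] ; then
echo "Not setting file owner/group permissions, not running as root."
OWNERSHIP=""
fi
make_parent_directory ${DESTDIR}${INITDIR} 0755
fi
echo "Installing $Product Version $VERSION"
#
# Check for /usr/share/shorewall-init/version: its absence marks a first
# install, which is the only case in which autostart is configured below
#
if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then
first_install=""
else
first_install="Yes"
fi
[ -n "$DESTDIR" ] && make_parent_directory ${DESTDIR}${CONFDIR}/logrotate.d 0755
#
# Install the Firewall Script (SysV); the sed rewrites the /usr/share/
# path baked into the script when SHAREDIR differs. eval is used only to
# get the quoted sed expression through the shell; SHAREDIR comes from the
# trusted RC file.
#
if [ -n "$INITFILE" ]; then
make_parent_directory ${DESTDIR}${INITDIR} 0755
install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
if [ -n "${AUXINITSOURCE}" ]; then
# Fixed: installed $INITSOURCE under the auxiliary name instead of the
# auxiliary source the guard above checks for
install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
fi
echo "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
fi
#
# Install the .service file (SYSTEMD is the older RC name for SERVICEDIR)
# and, on systemd hosts, the CLI that the unit invokes
#
if [ -z "${SERVICEDIR}" ]; then
SERVICEDIR="$SYSTEMD"
fi
if [ -n "$SERVICEDIR" ]; then
make_parent_directory ${DESTDIR}${SERVICEDIR} 0755
[ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
install_file $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service 0644
[ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
[ -n "$DESTDIR" -o $configure -eq 0 ] && make_parent_directory ${DESTDIR}${SBINDIR} 0755
install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0700
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT
echo "CLI installed as ${DESTDIR}${SBINDIR}/$PRODUCT"
fi
#
# Create /usr/share/shorewall-init if needed
#
make_parent_directory ${DESTDIR}${SHAREDIR}/$PRODUCT 0755
#
# Install logrotate file
#
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
install_file logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT 0644
echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
fi
#
# Create the version file
#
echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/$PRODUCT/version
chmod 0644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
#
# Remove and create the symbolic link to the init script
#
if [ -z "$DESTDIR" ]; then
rm -f ${SHAREDIR}/$PRODUCT/init
ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
fi
#
# Distribution-specific defaults file and hook directories; IFUPDOWN
# selects which ifupdown.*.sh variant is installed below
#
if [ $HOST = debian ]; then
if [ -n "${DESTDIR}" ]; then
make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
elif [ $configure -eq 0 ]; then
make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
fi
if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
[ -n "${DESTDIR}" ] && make_parent_directory ${DESTDIR}${ETC}/default 0755
[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/default 0755
install_file ${SYSCONFFILE} ${DESTDIR}${ETC}/default/$PRODUCT 0644
# Fixed: the message named ${SYSCONFDIR}, which is not where the file went
echo "${SYSCONFFILE} file installed in ${DESTDIR}${ETC}/default/${PRODUCT}"
fi
IFUPDOWN=ifupdown.debian.sh
else
if [ -n "$DESTDIR" ]; then
make_parent_directory ${DESTDIR}${SYSCONFDIR} 0755
if [ -z "$RPM" ]; then
if [ $HOST = suse ]; then
make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-up.d 0755
make_parent_directory ${DESTDIR}${ETC}/sysconfig/network/if-down.d 0755
elif [ $HOST = gentoo ]; then
# Gentoo does not support if-{up,down}.d
/bin/true
elif [ $HOST = openwrt ]; then
# Not implemented on OpenWRT
/bin/true
else
make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
fi
fi
fi
if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT 0644
echo "${SYSCONFFILE} file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
fi
[ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
fi
#
# Install the ifupdown script (the working copy "ifupdown" is reused for
# every hook location below)
#
if [ $HOST != openwrt ]; then
cp $IFUPDOWN ifupdown
[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
make_parent_directory ${DESTDIR}${LIBEXECDIR}/$PRODUCT 0755
install_file ifupdown ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown 0544
fi
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
fi
case $HOST in
debian)
if [ $configure -eq 1 ]; then
install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
else
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
fi
;;
suse)
if [ -z "$RPM" ]; then
if [ $configure -eq 0 ]; then
make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-up.d 0755
make_parent_directory ${DESTDIR}${SYSCONFDIR}/network/if-down.d 0755
fi
install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
fi
;;
redhat)
# ifup-local/ifdown-local are shared with the administrator: existing
# copies are only overwritten when both carry the Shorewall-based marker
if [ -z "$DESTDIR" ]; then
install_local=
if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
if ! grep -qF Shorewall-based ${SBINDIR}/ifup-local || ! grep -qF Shorewall-based ${SBINDIR}/ifdown-local; then
echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
else
install_local=Yes
fi
else
install_local=Yes
fi
if [ -n "$install_local" ]; then
install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
fi
fi
;;
esac
#
# Enable autostart on a first install of a live system (not for DESTDIR
# builds, -n or SANDBOX)
#
if [ -z "$DESTDIR" ]; then
# Fixed: tested the literal string "first_install" (always non-empty), so
# autostart was re-enabled on every reinstall; the DESTDIR branch below
# already tested the variable
if [ $configure -eq 1 -a -n "$first_install" ]; then
if [ $HOST = debian ]; then
if [ -n "$SERVICEDIR" ]; then
if systemctl enable ${PRODUCT}.service; then
echo "$Product will start automatically at boot"
fi
elif mywhich insserv; then
if insserv ${INITDIR}/$PRODUCT; then
echo "$Product will start automatically at boot"
else
cant_autostart
fi
elif mywhich update-rc.d ; then
if update-rc.d $PRODUCT enable; then
echo "$Product will start automatically at boot"
echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
else
cant_autostart
fi
else
cant_autostart
fi
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
/etc/init.d/$PRODUCT enable
if /etc/init.d/$PRODUCT enabled; then
echo "$Product will start automatically at boot"
else
cant_autostart
fi
elif [ $HOST = gentoo ]; then
# On Gentoo, a service must be enabled manually by the user,
# not by the installer
/bin/true
else
if [ -n "$SERVICEDIR" ]; then
if systemctl enable ${PRODUCT}.service; then
echo "$Product will start automatically at boot"
fi
elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
if insserv ${INITDIR}/$PRODUCT ; then
echo "$Product will start automatically at boot"
else
cant_autostart
fi
elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
if chkconfig --add $PRODUCT ; then
echo "$Product will start automatically at boot"
chkconfig --list $PRODUCT
else
cant_autostart
fi
elif [ -x ${SBINDIR}/rc-update ]; then
if rc-update add $PRODUCT default; then
echo "$Product will start automatically at boot"
else
cant_autostart
fi
# NOTE(review): unreachable -- HOST=openwrt is handled by the outer elif
elif [ $HOST = openwrt -a -f ${CONFDIR}/rc.common ]; then
/etc/init.d/$PRODUCT enable
if /etc/init.d/$PRODUCT enabled; then
echo "$Product will start automatically at boot"
else
cant_autostart
fi
else
cant_autostart
fi
fi
fi
else
if [ $configure -eq 1 -a -n "$first_install" ]; then
if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
if [ -n "${DESTDIR}" ]; then
make_parent_directory ${DESTDIR}/etc/rcS.d 0755
fi
ln -sf ../init.d/$PRODUCT ${DESTDIR}${CONFDIR}/rcS.d/S38${PRODUCT}
echo "$Product will start automatically at boot"
fi
fi
fi
# Keep a copy of the installed RC file here for the next run
[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
#
# ppp hooks: per-directory hooks on Debian/SuSE, the shared ip-*.local
# files on RedHat (overwritten only when they carry the marker)
#
if [ -d ${DESTDIR}/etc/ppp ]; then
case $HOST in
debian|suse)
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
make_parent_directory ${DESTDIR}/etc/ppp/$directory 0755 #SuSE doesn't create the IPv6 directories
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
done
;;
redhat)
#
# Must use the dreaded ip_xxx.local file
#
for file in ip-up.local ip-down.local; do
FILE=${DESTDIR}/etc/ppp/$file
if [ -f $FILE ]; then
if grep -qF Shorewall-based $FILE ; then
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
else
echo "$FILE already exists -- ppp devices will not be handled"
break
fi
else
cp -fp ${DESTDIR}${LIBEXECDIR}/$PRODUCT/ifupdown $FILE
fi
done
;;
esac
fi
#
# Report Success
#
echo "shorewall Init Version $VERSION Installed"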
shorewall-init-5.2.3.4/shorewallrc.suse 0000664 0000000 0000000 00000004167 13531077635 016574 0 ustar root root #
# SuSE Shorewall 5.2 rc file
#
# Sourced as shell by install.sh/uninstall.sh: every line is a plain
# assignment, so values stay unquoted and must not contain spaces.
# INITFILE is empty, so install.sh skips the SysV script (its install is
# guarded by -n "$INITFILE") and installs only the systemd unit from
# SERVICEDIR plus the CLI in SBINDIR.
#
BUILD= #Default is to detect the build system
HOST=suse
PREFIX=/usr #Top-level directory for shared files, libraries, etc.
CONFDIR=/etc #Directory where subsystem configurations are installed
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files.
LIBEXECDIR=${PREFIX}/lib #Directory for executable scripts.
PERLLIBDIR=${PREFIX}/lib/perl5/site-perl #Directory to install Shorewall Perl module directory
SBINDIR=/usr/sbin #Directory where system administration programs are installed
MANDIR=${SHAREDIR}/man/ #Directory where manpages are installed.
INITDIR=/etc/init.d #Directory where SysV init scripts are installed.
INITFILE= #Name of the product's SysV init script
INITSOURCE=init.suse.sh #Name of the distributed file to be installed as the SysV init script
ANNOTATED= #If non-zero, annotated configuration files are installed
SERVICEDIR=/usr/lib/systemd/system #Directory where .service files are installed (systems running systemd only)
SERVICEFILE=$PRODUCT.service #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR
SYSCONFDIR=/etc/sysconfig/ #Directory where SysV init parameter files are installed
SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
VARLIB=/var/lib #Directory where persistent product data is stored.
VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored.
DEFAULT_PAGER= #Pager to use if none specified in shorewall[6].conf
shorewall-init-5.2.3.4/logrotate 0000664 0000000 0000000 00000000125 13531060406 015243 0 ustar root root /var/log/shorewall-ifupdown.log {
missingok
notifempty
create 0600 root root
}
shorewall-init-5.2.3.4/shorewall-init 0000664 0000000 0000000 00000006037 13531060406 016214 0 ustar root root #!/bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
#
# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called
# /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the license or,
# at your option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
###############################################################################
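# set the STATEDIR variable
#
# Resolve STATEDIR for the current $PRODUCT: ${CONFDIR}/${PRODUCT}/vardir,
# when present, is sourced (it must be a trusted, root-owned file) and its
# VARDIR wins; otherwise ${VARLIB}/${PRODUCT} is used.
# Returns 0 when a compiled firewall script already exists there, else the
# exit status of the shorewall/shorewall6 "compile" run, else 6.
# Fixed: an unknown product used to fall off the if/elif chain with
# status 0, so the callers went on to execute a non-existent
# ${STATEDIR}/firewall; the sibling init.suse.sh already returns 6.
setstatedir() {
local statedir
local vardir=${CONFDIR}/${PRODUCT}/vardir
[ -f $vardir ] && statedir=$( . /$vardir && echo $VARDIR )
STATEDIR=${statedir:-${VARLIB}/${PRODUCT}}
[ -x ${STATEDIR}/firewall ] && return 0
case $PRODUCT in
shorewall) ${SBINDIR}/shorewall compile ;;
shorewall6) ${SBINDIR}/shorewall -6 compile ;;
*) return 6 ;;
esac
}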
#
# Sourced first. The installer rewrites the /usr/share/ prefix of this
# line when SHAREDIR differs from /usr/share.
#
. /usr/share/shorewall/shorewallrc
#
# Refuse to run unless the sysconfig file exists and names at least one
# product; both failures are reported on stderr with exit status 1.
#
if [ ! -f "$SYSCONFDIR/shorewall-init" ]; then
echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
exit 1
fi
. $SYSCONFDIR/shorewall-init
[ -n "$PRODUCTS" ] || { echo "ERROR: No products configured" >&2; exit 1; }
# Initialize the firewall
#
# Put every product in PRODUCTS into its stopped (safe) state unless its
# compiled firewall script already reports itself running, then restore
# saved ipsets when SAVE_IPSETS names an existing file. Always returns 0.
shorewall_start () {
local PRODUCT
local STATEDIR
printf "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
setstatedir || continue
#
# A sub-shell keeps the firewall script's variables out of this scope
#
(
${STATEDIR}/firewall status > /dev/null 2>&1 || ${STATEDIR}/firewall ${OPTIONS} stop
)
done
[ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ] && ipset -R < "$SAVE_IPSETS"
return 0
}
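# Clear the firewall
#
# Run the "clear" action of every configured product's compiled firewall
# script, then, when SAVE_IPSETS is set, dump the current ipsets there.
# The dump goes to a .tmp file first and is only moved into place when it
# contains set definitions, so a failed or empty "ipset -S" never
# clobbers the previous save. Always returns 0.
# Fixed: $(dirname "$SAVE_IPSETS") was unquoted, so a path containing
# whitespace was split and mkdir created the wrong directories.
shorewall_stop () {
local PRODUCT
local STATEDIR
local tmpfile
printf "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
if setstatedir; then
${STATEDIR}/firewall ${OPTIONS} clear
fi
done
if [ -n "$SAVE_IPSETS" ]; then
tmpfile="${SAVE_IPSETS}.tmp"
mkdir -p "$(dirname "$SAVE_IPSETS")"
if ipset -S > "$tmpfile" && grep -qE -- '^(-N|create )' "$tmpfile"; then
mv -f "$tmpfile" "$SAVE_IPSETS" || rm -f "$tmpfile"
else
rm -f "$tmpfile"
fi
fi
return 0
}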
# Dispatch on the single action argument; anything other than start/stop
# prints the usage line and exits 1, otherwise the script exits 0.
case "$1" in
start) shorewall_start ;;
stop) shorewall_stop ;;
*) echo "Usage: $0 {start|stop}"; exit 1 ;;
esac
exit 0
shorewall-init-5.2.3.4/init.suse.sh 0000775 0000000 0000000 00000007415 13531060406 015611 0 ustar root root #! /bin/bash
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#
### BEGIN INIT INFO
# Provides: shorewall-init
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time
# prior to bringing up the network.
### END INIT INFO
# Return values according to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# Refuse to run unless invoked as root (LSB status 4: insufficient privilege).
if [ "$(id -u)" != "0" ]; then
  printf '%s\n' "You must be root to start, stop or restart \"Shorewall \"."
  exit 4
fi
# The sysconfig file supplies PRODUCTS (and friends). It is sourced as shell
# code while running as root, so it is expected to be root-owned configuration.
# Missing file or empty PRODUCTS -> LSB status 6 (program is not configured).
if [ ! -f "/etc/sysconfig/shorewall-init" ]; then
  printf '%s\n' "/etc/sysconfig/shorewall-init not found"
  exit 6
fi
. /etc/sysconfig/shorewall-init
if [ -z "$PRODUCTS" ]; then
  printf '%s\n' "No PRODUCTS configured"
  exit 6
fi
#
# The installer may alter this
#
. /usr/share/shorewall/shorewallrc
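#######################################
# Locate the compiled firewall script of the current product and publish its
# directory in STATEDIR.
# Globals:   PRODUCT, CONFDIR, VARLIB, SBINDIR (read); STATEDIR (written)
# Returns:   0 when ${STATEDIR}/firewall is executable; otherwise the exit
#            status of the compile attempt for shorewall/shorewall6, or 6
#            (LSB: program is not configured) for any other product.
#######################################
setstatedir() {
  local statedir
  # ${CONFDIR}/${PRODUCT}/vardir is an optional shell fragment that may set
  # VARDIR. It is sourced in a subshell so that only the VARDIR value escapes;
  # it runs with root privileges, so it must be root-owned configuration.
  # Paths are quoted so an empty or space-containing CONFDIR/PRODUCT cannot
  # break the test or be word-split.
  if [ -f "${CONFDIR}/${PRODUCT}/vardir" ]; then
    statedir=$( . "${CONFDIR}/${PRODUCT}/vardir" && printf '%s' "$VARDIR" )
  fi
  if [ -n "$statedir" ]; then
    STATEDIR=$statedir
  else
    STATEDIR=${VARLIB}/${PRODUCT}
  fi
  if [ -x "${STATEDIR}/firewall" ]; then
    return 0
  fi
  # No compiled script yet: ask the CLI to build one. The compile's exit
  # status becomes this function's status; unknown products cannot be built.
  case "$PRODUCT" in
    shorewall)  "${SBINDIR}/shorewall" compile ;;
    shorewall6) "${SBINDIR}/shorewall" -6 compile ;;
    *)          return 6 ;;
  esac
}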
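#######################################
# Initialize the firewall: for every configured product whose compiled script
# can be located, put the firewall in its safe "stopped" state unless the
# product reports that it is already running; then restore any saved ipsets.
# Globals:   PRODUCTS, OPTIONS, SAVE_IPSETS, SBINDIR (read);
#            PRODUCT, STATEDIR (local to this function)
# Outputs:   progress message on stdout
#######################################
shorewall_start () {
  local PRODUCT
  local STATEDIR
  printf "Initializing \"Shorewall-based firewalls\": "
  # shellcheck disable=SC2086 -- PRODUCTS is intentionally word-split
  for PRODUCT in $PRODUCTS; do
    # setstatedir assigns STATEDIR (kept local here) and verifies that
    # ${STATEDIR}/firewall is executable.
    if setstatedir; then
      # The product CLI lives in SBINDIR (from shorewallrc), the same place
      # setstatedir invokes it from for "compile". STATEDIR already ends in
      # the product name, so the compiled script is ${STATEDIR}/firewall.
      if ! "${SBINDIR}/$PRODUCT" status > /dev/null 2>&1; then
        # shellcheck disable=SC2086 -- OPTIONS is intentionally word-split
        "${STATEDIR}/firewall" ${OPTIONS} stop
      fi
    fi
  done
  # Restore the ipsets that shorewall_stop saved, if any.
  if [ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]; then
    ipset -R < "$SAVE_IPSETS"
  fi
}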
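#######################################
# Clear the firewall for every configured product whose compiled script can be
# located, then save the current ipsets to SAVE_IPSETS (when set) so that
# shorewall_start can restore them.
# Globals:   PRODUCTS, OPTIONS, SAVE_IPSETS (read);
#            PRODUCT, STATEDIR (local to this function)
# Outputs:   progress message on stdout
# Returns:   0
#######################################
shorewall_stop () {
  local PRODUCT
  local STATEDIR
  local tmp
  printf "Clearing \"Shorewall-based firewalls\": "
  # shellcheck disable=SC2086 -- PRODUCTS is intentionally word-split
  for PRODUCT in $PRODUCTS; do
    if setstatedir; then
      # shellcheck disable=SC2086 -- OPTIONS is intentionally word-split
      "${STATEDIR}/firewall" ${OPTIONS} clear
    fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
    tmp="${SAVE_IPSETS}.tmp"
    mkdir -p "$(dirname "$SAVE_IPSETS")"
    # Dump into a sibling temp file and only replace the saved copy when the
    # dump succeeded and defines at least one set (old "-N" or new "create "
    # syntax): a failed or empty dump must not clobber a good earlier save.
    if ipset -S > "$tmp" && grep -qE -- '^(-N|create )' "$tmp"; then
      mv -f "$tmp" "$SAVE_IPSETS"
    fi
    # No-op after a successful move; removes the rejected dump otherwise.
    rm -f "$tmp"
  fi
  return 0
}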
# Dispatch on the LSB action. reload and forced-reload are accepted as
# no-ops; any other action is a usage error (exit 1).
case "$1" in
  start) shorewall_start ;;
  stop)  shorewall_stop ;;
  reload|forced-reload) ;;
  *)
    printf '%s\n' "Usage: /etc/init.d/shorewall-init {start|stop}"
    exit 1
    ;;
esac
exit 0