From c6cd94497a2e1eefce4ac55aaece8a7b98baec5d Mon Sep 17 00:00:00 2001 From: Silvan Calarco Date: Fri, 5 Jan 2024 17:47:18 +0100 Subject: [PATCH] update default configuration and systemd service management [release 5.2.8-2mamba;Sun Aug 08 2021] --- shorewall-conf | 254 +++++++++++++++++++++++++++++++++++------------ shorewall-rules | 2 +- shorewall-rules6 | 4 +- shorewall.spec | 32 +++--- 4 files changed, 212 insertions(+), 80 deletions(-) diff --git a/shorewall-conf b/shorewall-conf index 56c09cd..db75496 100644 --- a/shorewall-conf +++ b/shorewall-conf @@ -1,17 +1,10 @@ ############################################################################### -# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to -# match your setup # -# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] -# -# This file should be placed in /etc/shorewall -# -# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) +# Shorewall Version 5 -- /etc/shorewall/shorewall.conf # # For information about the settings in this file, type "man shorewall.conf" # -# Additional information is available at -# http://www.shorewall.net/Documentation.htm#Conf +# Manpage also online at https://shorewall.org/manpages/shorewall.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### 
@@ -19,147 +12,256 @@ STARTUP_ENABLED=Yes ############################################################################### -# V E R B O S I T Y +# V E R B O S I T Y ############################################################################### VERBOSITY=1 ############################################################################### -# C O M P I L E R -# (setting this to 'perl' requires installation of Shorewall-perl) +# P A G E R ############################################################################### -#SHOREWALL_COMPILER=perl +PAGER= + +############################################################################### +# F I R E W A L L +############################################################################### + +FIREWALL= ############################################################################### # L O G G I N G ############################################################################### +LOG_LEVEL="info" + +BLACKLIST_LOG_LEVEL= + +INVALID_LOG_LEVEL= + +LOG_BACKEND= + +LOG_MARTIANS=No + +LOG_VERBOSITY=2 + +LOG_ZONE=Both + +LOGALLNEW= + LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No -LOGRATE= +LOGLIMIT= -LOGBURST= +MACLIST_LOG_LEVEL="info" -LOGALLNEW= +RELATED_LOG_LEVEL= -BLACKLIST_LOGLEVEL= +RPFILTER_LOG_LEVEL="$LOG_LEVEL" -MACLIST_LOG_LEVEL=info +SFILTER_LOG_LEVEL="$LOG_LEVEL" -TCP_FLAGS_LOG_LEVEL=info +SMURF_LOG_LEVEL="info" -SMURF_LOG_LEVEL=info +STARTUP_LOG=/var/log/shorewall-init.log -LOG_MARTIANS=No +TCP_FLAGS_LOG_LEVEL="info" + +UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### +ARPTABLES= + +CONFIG_PATH="/etc/shorewall:/usr/share/shorewall" + +GEOIPDIR=/usr/share/xt_geoip/LE + IPTABLES= -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +IP= + +IPSET= + +LOCKFILE= + +MODULESDIR= + +NFACCT= + 
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" + +PERL=/usr/bin/perl + +RESTOREFILE= SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall -MODULESDIR= - -CONFIG_PATH=/etc/shorewall:/usr/share/shorewall - -RESTOREFILE= - -IPSECFILE=zones - -LOCKFILE= +TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### -DROP_DEFAULT="Drop" -REJECT_DEFAULT="Reject" ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid" +DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" +NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" +REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" ############################################################################### -# R S H / R C P C O M M A N D S +# R S H / R C P C O M M A N D S ############################################################################### -RSH_COMMAND='ssh ${root}@${system} ${command}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' +RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### -IP_FORWARDING=On +ACCOUNTING=Yes + +ACCOUNTING_TABLE=filter ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No -RETAIN_ALIASES=No +ADMINISABSENTMINDED=Yes -TC_ENABLED=Internal +AUTOCOMMENT=Yes -TC_EXPERT=No +AUTOHELPERS=Yes -CLEAR_TC=Yes +AUTOMAKE=No -MARK_IN_FORWARD_CHAIN=No +BALANCE_PROVIDERS=No + +BASIC_FILTERS=No + +BLACKLIST="NEW,INVALID" CLAMPMSS=No -ROUTE_FILTER=No +CLEAR_TC=Yes + +COMPLETE=No + +DEFER_DNS_RESOLUTION=Yes + +DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No -MUTEX_TIMEOUT=60 - -ADMINISABSENTMINDED=Yes - -BLACKLISTNEWONLY=Yes - -DELAYBLACKLISTLOAD=No - -MODULE_SUFFIX= - DISABLE_IPV6=Yes -BRIDGING=No +DOCKER=No -DYNAMIC_ZONES=No +DOCKER_BRIDGE=docker0 
-PKTTYPE=Yes +DONT_LOAD= -RFC1918_STRICT=No +DYNAMIC_BLACKLIST=Yes + +EXPAND_POLICIES=Yes + +EXPORTMODULES=No + +FASTACCEPT=No + +FORWARD_CLEAR_MARK= + +HELPERS= + +IGNOREUNKNOWNVARIABLES=No + +IMPLICIT_CONTINUE=Yes + +IPSET_WARNINGS=Yes + +IP_FORWARDING=On + +KEEP_RT_TABLES=No MACLIST_TABLE=filter MACLIST_TTL= -SAVE_IPSETS=No +MANGLE_ENABLED=Yes -MAPOLDACTIONS=No +MARK_IN_FORWARD_CHAIN=No -FASTACCEPT=No +MINIUPNPD=No -IMPLICIT_CONTINUE=Yes +MULTICAST=No -HIGH_ROUTE_MARKS=No +MUTEX_TIMEOUT=60 -USE_ACTIONS=Yes +NULL_ROUTE_RFC1918=No OPTIMIZE=0 -EXPORTPARAMS=Yes +OPTIMIZE_ACCOUNTING=No + +PERL_HASH_SEED=0 + +REJECT_ACTION= + +RENAME_COMBINED=Yes + +REQUIRE_INTERFACE=No + +RESTART=reload + +RESTORE_DEFAULT_ROUTE=Yes + +RESTORE_ROUTEMARKS=Yes + +RETAIN_ALIASES=No + +ROUTE_FILTER=No + +SAVE_ARPTABLES=No + +SAVE_IPSETS=No + +TC_ENABLED=Internal + +TC_EXPERT=No + +TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" + +TRACK_PROVIDERS=Yes + +TRACK_RULES=No + +USE_DEFAULT_RT=No + +USE_NFLOG_SIZE=No + +USE_PHYSICAL_NAMES=No + +USE_RT_NAMES=No + +VERBOSE_MESSAGES=Yes + +WARNOLDCAPVERSION=Yes + +WORKAROUNDS=No + +ZERO_MARKS=No + +ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N @@ -167,8 +269,32 @@ EXPORTPARAMS=Yes BLACKLIST_DISPOSITION=DROP +INVALID_DISPOSITION=CONTINUE + MACLIST_DISPOSITION=REJECT +RELATED_DISPOSITION=ACCEPT + +RPFILTER_DISPOSITION=DROP + +SMURF_DISPOSITION=DROP + +SFILTER_DISPOSITION=DROP + TCP_FLAGS_DISPOSITION=DROP -#LAST LINE -- DO NOT REMOVE +UNTRACKED_DISPOSITION=CONTINUE + +################################################################################ +# P A C K E T M A R K L A Y O U T +################################################################################ + +TC_BITS=8 + +PROVIDER_BITS=8 + +PROVIDER_OFFSET=0 + +MASK_BITS=8 + +ZONE_BITS=0 diff --git a/shorewall-rules b/shorewall-rules index 1fa5091..4272079 100644 --- a/shorewall-rules +++ b/shorewall-rules 
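Review bot: `DISABLE_IPV6=Yes` survives as a context line in the second shorewall-conf hunk while this same commit enables an inbound IPv6 rule in shorewall-rules6 and manages shorewall6.service in the spec; my recollection of shorewall.conf(5) is that this IPv4-only option makes the IPv4 instance block IPv6 traffic to, from and through the host via ip6tables, which would work against the shorewall6 policy — confirm against `man shorewall.conf` and, if that reading holds, set `DISABLE_IPV6=No` here and leave IPv6 filtering to shorewall6. Separately, `LOG_MARTIANS=No` and `ROUTE_FILTER=No` (both carried over from the old defaults) leave martian logging and reverse-path checks off, so the new `RPFILTER_DISPOSITION=DROP` and `RPFILTER_LOG_LEVEL="$LOG_LEVEL"` settings presumably only take effect on interfaces that opt into rpfilter; for a packaged firewall default, `LOG_MARTIANS=Yes` would at least make spoofed-source packets visible in the log. Both of these are unchanged lines rather than new code, so they may be deliberate — a one-line comment above each stating why would settle it.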
@@ -10,7 +10,7 @@ # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED -SECTION NEW +?SECTION NEW ACCEPT net $FW tcp 22 ACCEPT net $FW tcp 10000 ACCEPT net $FW tcp 20,21,80,443 diff --git a/shorewall-rules6 b/shorewall-rules6 index baeae90..1d13dfb 100644 --- a/shorewall-rules6 +++ b/shorewall-rules6 @@ -14,5 +14,5 @@ #SECTION RELATED #SECTION INVALID #SECTION UNTRACKED -SECTION NEW -#ACCEPT netv6 all tcp 22 +?SECTION NEW +ACCEPT netv6 all tcp 22 diff --git a/shorewall.spec b/shorewall.spec index dbe56de..3ce3b4f 100644 --- a/shorewall.spec +++ b/shorewall.spec @@ -2,13 +2,13 @@ %define maj3ver %(echo %version | cut -d. -f1-3) Name: shorewall Version: 5.2.8 -Release: 1mamba +Release: 2mamba Summary: Shoreline Firewall, a high-level tool for configuring Netfilter Group: Network/Security Vendor: openmamba Distribution: openmamba Packager: Silvan Calarco -URL: http://www.shorewall.net/index.htm +URL: https://shorewall.org/index.htm Source: https://shorewall.org/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-%{version}.tar.bz2 Source1: shorewall-conf Source2: shorewall-interfaces @@ -34,7 +34,6 @@ Requires: shorewall-core >= %{version} Requires: iptables Requires: iptables-ipv6 Requires: perl-Socket6 -BuildRoot: %{_tmppath}/%{name}-%{version}-root %description The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall. 
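Review bot: The newly enabled `ACCEPT netv6 all tcp 22` in shorewall-rules6 admits SSH from the IPv6 internet to every zone (the firewall itself and anything routed behind it), whereas the IPv4 counterpart in shorewall-rules limits the same port to `$FW`. If the intent is to mirror the IPv4 rule, it should read `ACCEPT netv6 $FW tcp 22`; if forwarding SSH into other zones is really wanted, a comment saying so would keep the next reader from "fixing" it. The `?SECTION NEW` rewrite matches the identical change in shorewall-rules and raises nothing on its own.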
@@ -46,6 +45,8 @@ The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool cd shorewall6-%{version} ./configure \ --prefix=%{_prefix} \ + --bindir=%{_bindir} \ + --sbindir=%{_sbindir} \ --mandir=%{_mandir} \ --sysconfdir=%{_sysconfdir} \ --systemd=%{_unitdir} \ @@ -54,6 +55,8 @@ cd shorewall6-%{version} cd .. ./configure \ --prefix=%{_prefix} \ + --bindir=%{_bindir} \ + --sbindir=%{_sbindir} \ --mandir=%{_mandir} \ --sysconfdir=%{_sysconfdir} \ --systemd=%{_unitdir} \ @@ -85,18 +88,18 @@ rm -f %{buildroot}%{_sysconfdir}/init.d/shorewall6 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}" %post -if [ $1 -ge 1 ]; then - systemctl -q daemon-reload - systemctl -q reload-or-try-restart shorewall - systemctl -q reload-or-try-restart shorewall6 -fi +%systemd_post shorewall +%systemd_post shorewall6 : %preun -if [ $1 -eq 0 ]; then - systemctl -q stop shorewall - systemctl -q stop shorewall6 -fi +%systemd_preun shorewall +%systemd_preun shorewall6 +: + +%postun +%systemd_postun_with_restart shorewall +%systemd_postun_with_restart shorewall6 : %files @@ -108,7 +111,7 @@ fi %{_sysconfdir}/logrotate.d/shorewall %{_sysconfdir}/logrotate.d/shorewall6 #/sbin/shorewall -/sbin/shorewall6 +%{_sbindir}/shorewall6 %{_unitdir}/shorewall.service %{_unitdir}/shorewall6.service %dir %{_datadir}/shorewall @@ -123,6 +126,9 @@ fi #README.txt %changelog +* Sun Aug 08 2021 Silvan Calarco 5.2.8-2mamba +- update default configuration and systemd service management + * Fri Sep 25 2020 Automatic Build System 5.2.8-1mamba - automatic version update by autodist
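Review bot: `%systemd_postun_with_restart shorewall` (and the shorewall6 line after it) restarts the units on upgrade with a stop/start cycle under the Fedora-style macro definitions, whereas the removed `%post` block used `reload-or-try-restart`, which reloads a running firewall without passing through the stopped state in which only the stopped-state rules apply. As far as I recall the upstream units define `ExecReload`, so a reload would avoid that window; confirm what the shipped shorewall.service does and, if it has ExecReload, consider `systemctl -q reload-or-try-restart shorewall shorewall6` guarded by `if [ $1 -ge 1 ]` in `%postun` instead of the macro. The explicit `systemctl -q daemon-reload` is also gone; the macros normally handle it, but check this distribution's definition of `%systemd_post`/`%systemd_postun_with_restart`. The trailing `:` no-op lines in `%post`, `%preun` and `%postun` are now redundant and can be dropped.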