update default configuration and systemd service management [release 5.2.8-2mamba;Sun Aug 08 2021]

This commit is contained in:
Silvan Calarco 2024-01-05 17:47:18 +01:00
parent e0a43e9577
commit c6cd94497a
4 changed files with 212 additions and 80 deletions


@ -1,17 +1,10 @@
############################################################################### ###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # Shorewall Version 5 -- /etc/shorewall/shorewall.conf
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
# #
# For information about the settings in this file, type "man shorewall.conf" # For information about the settings in this file, type "man shorewall.conf"
# #
# Additional information is available at # Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
# http://www.shorewall.net/Documentation.htm#Conf
############################################################################### ###############################################################################
# S T A R T U P E N A B L E D # S T A R T U P E N A B L E D
############################################################################### ###############################################################################
@ -25,141 +18,250 @@ STARTUP_ENABLED=Yes
VERBOSITY=1 VERBOSITY=1
############################################################################### ###############################################################################
# C O M P I L E R # P A G E R
# (setting this to 'perl' requires installation of Shorewall-perl)
############################################################################### ###############################################################################
#SHOREWALL_COMPILER=perl PAGER=
###############################################################################
# F I R E W A L L
###############################################################################
FIREWALL=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=No
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGRATE= LOGLIMIT=
LOGBURST= MACLIST_LOG_LEVEL="info"
LOGALLNEW= RELATED_LOG_LEVEL=
BLACKLIST_LOGLEVEL= RPFILTER_LOG_LEVEL="$LOG_LEVEL"
MACLIST_LOG_LEVEL=info SFILTER_LOG_LEVEL="$LOG_LEVEL"
TCP_FLAGS_LOG_LEVEL=info SMURF_LOG_LEVEL="info"
SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall-init.log
LOG_MARTIANS=No TCP_FLAGS_LOG_LEVEL="info"
UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
ARPTABLES=
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES= IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR= TC=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
############################################################################### ###############################################################################
# D E F A U L T A C T I O N S / M A C R O S # D E F A U L T A C T I O N S / M A C R O S
############################################################################### ###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
############################################################################### ###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
IP_FORWARDING=On ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=Yes ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No ADMINISABSENTMINDED=Yes
TC_ENABLED=Internal AUTOCOMMENT=Yes
TC_EXPERT=No AUTOHELPERS=Yes
CLEAR_TC=Yes AUTOMAKE=No
MARK_IN_FORWARD_CHAIN=No BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID"
CLAMPMSS=No CLAMPMSS=No
ROUTE_FILTER=No CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes DISABLE_IPV6=Yes
BRIDGING=No DOCKER=No
DYNAMIC_ZONES=No DOCKER_BRIDGE=docker0
PKTTYPE=Yes DONT_LOAD=
RFC1918_STRICT=No DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=No
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
MACLIST_TABLE=filter MACLIST_TABLE=filter
MACLIST_TTL= MACLIST_TTL=
SAVE_IPSETS=No MANGLE_ENABLED=Yes
MAPOLDACTIONS=No MARK_IN_FORWARD_CHAIN=No
FASTACCEPT=No MINIUPNPD=No
IMPLICIT_CONTINUE=Yes MULTICAST=No
HIGH_ROUTE_MARKS=No MUTEX_TIMEOUT=60
USE_ACTIONS=Yes NULL_ROUTE_RFC1918=No
OPTIMIZE=0 OPTIMIZE=0
EXPORTPARAMS=Yes OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=reload
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=No
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
@ -167,8 +269,32 @@ EXPORTPARAMS=Yes
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=8
PROVIDER_BITS=8
PROVIDER_OFFSET=0
MASK_BITS=8
ZONE_BITS=0
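Review bot: `DISABLE_IPV6=Yes` survives into the new shorewall.conf in the firewall-options block, but the same commit ships and manages a shorewall6 unit and enables an IPv6 SSH accept rule in the shorewall6 rules file. If I recall the shorewall.conf manpage correctly, that setting makes the IPv4 firewall drop IPv6 traffic through ip6tables and is documented as incompatible with running Shorewall6 on the same host; for a package that installs both, the default should be `DISABLE_IPV6=No` (or the option left for the administrator with a comment). Separately, `LOGLIMIT=` is empty, which I read as no rate limit on kernel log messages from the generated rules, so a scan against a logging policy can flood /var/log/messages; a value such as `LOGLIMIT="s:10/min:5"` is the usual mitigation, to be confirmed against the manpage syntax.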


@ -10,7 +10,7 @@
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED
SECTION NEW ?SECTION NEW
ACCEPT net $FW tcp 22 ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 10000 ACCEPT net $FW tcp 10000
ACCEPT net $FW tcp 20,21,80,443 ACCEPT net $FW tcp 20,21,80,443


@ -14,5 +14,5 @@
#SECTION RELATED #SECTION RELATED
#SECTION INVALID #SECTION INVALID
#SECTION UNTRACKED #SECTION UNTRACKED
SECTION NEW ?SECTION NEW
#ACCEPT netv6 all tcp 22 ACCEPT netv6 all tcp 22
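Review bot: The newly uncommented rule `ACCEPT netv6 all tcp 22` uses `all` as the destination, so it admits SSH from the IPv6 net zone to every zone the administrator later defines, not only to the firewall itself. The IPv4 rules file in this same commit restricts the equivalent rule to `$FW` (`ACCEPT net $FW tcp 22`), so the two defaults disagree. For parity and least exposure the line should be `ACCEPT netv6 $FW tcp 22`.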


@ -2,13 +2,13 @@
%define maj3ver %(echo %version | cut -d. -f1-3) %define maj3ver %(echo %version | cut -d. -f1-3)
Name: shorewall Name: shorewall
Version: 5.2.8 Version: 5.2.8
Release: 1mamba Release: 2mamba
Summary: Shoreline Firewall, a high-level tool for configuring Netfilter Summary: Shoreline Firewall, a high-level tool for configuring Netfilter
Group: Network/Security Group: Network/Security
Vendor: openmamba Vendor: openmamba
Distribution: openmamba Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it> Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://www.shorewall.net/index.htm URL: https://shorewall.org/index.htm
Source: https://shorewall.org/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-%{version}.tar.bz2 Source: https://shorewall.org/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-%{version}.tar.bz2
Source1: shorewall-conf Source1: shorewall-conf
Source2: shorewall-interfaces Source2: shorewall-interfaces
@ -34,7 +34,6 @@ Requires: shorewall-core >= %{version}
Requires: iptables Requires: iptables
Requires: iptables-ipv6 Requires: iptables-ipv6
Requires: perl-Socket6 Requires: perl-Socket6
BuildRoot: %{_tmppath}/%{name}-%{version}-root
%description %description
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall. The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.
@ -46,6 +45,8 @@ The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool
cd shorewall6-%{version} cd shorewall6-%{version}
./configure \ ./configure \
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--bindir=%{_bindir} \
--sbindir=%{_sbindir} \
--mandir=%{_mandir} \ --mandir=%{_mandir} \
--sysconfdir=%{_sysconfdir} \ --sysconfdir=%{_sysconfdir} \
--systemd=%{_unitdir} \ --systemd=%{_unitdir} \
@ -54,6 +55,8 @@ cd shorewall6-%{version}
cd .. cd ..
./configure \ ./configure \
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--bindir=%{_bindir} \
--sbindir=%{_sbindir} \
--mandir=%{_mandir} \ --mandir=%{_mandir} \
--sysconfdir=%{_sysconfdir} \ --sysconfdir=%{_sysconfdir} \
--systemd=%{_unitdir} \ --systemd=%{_unitdir} \
@ -85,18 +88,18 @@ rm -f %{buildroot}%{_sysconfdir}/init.d/shorewall6
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}" [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
%post %post
if [ $1 -ge 1 ]; then %systemd_post shorewall
systemctl -q daemon-reload %systemd_post shorewall6
systemctl -q reload-or-try-restart shorewall
systemctl -q reload-or-try-restart shorewall6
fi
: :
%preun %preun
if [ $1 -eq 0 ]; then %systemd_preun shorewall
systemctl -q stop shorewall %systemd_preun shorewall6
systemctl -q stop shorewall6 :
fi
%postun
%systemd_postun_with_restart shorewall
%systemd_postun_with_restart shorewall6
: :
%files %files
@ -108,7 +111,7 @@ fi
%{_sysconfdir}/logrotate.d/shorewall %{_sysconfdir}/logrotate.d/shorewall
%{_sysconfdir}/logrotate.d/shorewall6 %{_sysconfdir}/logrotate.d/shorewall6
#/sbin/shorewall #/sbin/shorewall
/sbin/shorewall6 %{_sbindir}/shorewall6
%{_unitdir}/shorewall.service %{_unitdir}/shorewall.service
%{_unitdir}/shorewall6.service %{_unitdir}/shorewall6.service
%dir %{_datadir}/shorewall %dir %{_datadir}/shorewall
@ -123,6 +126,9 @@ fi
#README.txt #README.txt
%changelog %changelog
* Sun Aug 08 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 5.2.8-2mamba
- update default configuration and systemd service management
* Fri Sep 25 2020 Automatic Build System <autodist@mambasoft.it> 5.2.8-1mamba * Fri Sep 25 2020 Automatic Build System <autodist@mambasoft.it> 5.2.8-1mamba
- automatic version update by autodist - automatic version update by autodist
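Review bot: With `%systemd_postun_with_restart shorewall` and `shorewall6` in the new `%postun`, every package upgrade now passes through a `try-restart`, i.e. a stop followed by a start, whereas the removed `%post` code used `reload-or-try-restart`, which prefers the unit's ExecReload and keeps the ruleset in place. Assuming the shipped shorewall.service defines ExecStop as upstream's does, a stop/start puts the firewall into its stopped state for the duration, where only stoppedrules traffic is admitted, so an upgrade briefly drops established connections on a box whose only job is filtering. `%systemd_post` itself does nothing on upgrade, so the reload has to be re-added explicitly; I would keep the reload in `%post` and downgrade `%postun` to the plain `%systemd_postun` macros.
```spec
%post
%systemd_post shorewall
%systemd_post shorewall6
# on upgrade, re-apply the ruleset without a stop/start window
if [ $1 -gt 1 ]; then
  systemctl -q reload-or-try-restart shorewall shorewall6
fi
:
# … unchanged: %preun …
%postun
%systemd_postun shorewall
%systemd_postun shorewall6
:
```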