update default configuration and systemd service management [release 5.2.8-2mamba;Sun Aug 08 2021]

This commit is contained in:
Silvan Calarco 2024-01-05 17:47:18 +01:00
parent e0a43e9577
commit c6cd94497a
4 changed files with 212 additions and 80 deletions


@ -1,17 +1,10 @@
###############################################################################
# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
# Shorewall Version 5 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
# Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
@ -25,141 +18,250 @@ STARTUP_ENABLED=Yes
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
# P A G E R
###############################################################################
#SHOREWALL_COMPILER=perl
PAGER=
###############################################################################
# F I R E W A L L
###############################################################################
FIREWALL=
###############################################################################
# L O G G I N G
###############################################################################
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=No
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGLIMIT=
LOGBURST=
MACLIST_LOG_LEVEL="info"
LOGALLNEW=
RELATED_LOG_LEVEL=
BLACKLIST_LOGLEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL="$LOG_LEVEL"
TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL="info"
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
LOG_MARTIANS=No
TCP_FLAGS_LOG_LEVEL="info"
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
ADMINISABSENTMINDED=Yes
TC_ENABLED=Internal
AUTOCOMMENT=Yes
TC_EXPERT=No
AUTOHELPERS=Yes
CLEAR_TC=Yes
AUTOMAKE=No
MARK_IN_FORWARD_CHAIN=No
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID"
CLAMPMSS=No
ROUTE_FILTER=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DOCKER=No
DYNAMIC_ZONES=No
DOCKER_BRIDGE=docker0
PKTTYPE=Yes
DONT_LOAD=
RFC1918_STRICT=No
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=No
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
FASTACCEPT=No
MINIUPNPD=No
IMPLICIT_CONTINUE=Yes
MULTICAST=No
HIGH_ROUTE_MARKS=No
MUTEX_TIMEOUT=60
USE_ACTIONS=Yes
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
EXPORTPARAMS=Yes
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=reload
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=No
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################
# P A C K E T D I S P O S I T I O N
@ -167,8 +269,32 @@ EXPORTPARAMS=Yes
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=8
PROVIDER_BITS=8
PROVIDER_OFFSET=0
MASK_BITS=8
ZONE_BITS=0
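Review bot: The F I R E W A L L  O P T I O N S block ships `IP_FORWARDING=On` in a file that is installed as the package's default configuration, so any host that keeps these defaults starts routing between its interfaces; that is a gateway decision and deserves an inline comment such as `# IP_FORWARDING=On: this host routes between interfaces; use Keep or Off on a standalone install`. `DISABLE_IPV6=Yes` appears once in the same block and, if it is on the new side, contradicts the shorewall6 service this same commit manages; the old/new markers are lost in this rendering, so please confirm which side that line belongs to. `LOG_MARTIANS=No` and `ROUTE_FILTER=No` survive the rewrite, and leaving martian logging off in a shipped default is a detection gap that should at least be marked as intentional with a one-line comment.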


@ -10,7 +10,7 @@
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
?SECTION NEW
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 10000
ACCEPT net $FW tcp 20,21,80,443
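Review bot: The context lines under `?SECTION NEW` are the package's default rules and accept tcp 22, 10000, 20, 21, 80 and 443 from `net` to `$FW` with no comment saying why, so a host installed with these defaults has those ports reachable from outside until the administrator edits the file. The hunk itself only switches to the `?SECTION NEW` syntax, which is fine, but since this file is shipped as the default a header comment such as `# Ports reachable from net on the firewall host by default; remove any this host does not serve` would make the exposure explicit. Whether the ACCEPT lines are new or pre-existing cannot be told from this rendering.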


@ -14,5 +14,5 @@
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
#ACCEPT netv6 all tcp 22
?SECTION NEW
ACCEPT netv6 all tcp 22
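Review bot: The newly uncommented rule `ACCEPT netv6 all tcp 22` uses `all` as the destination zone, whereas the IPv4 rules file in this same commit accepts tcp 22 from `net` only to `$FW`; with `all`, SSH from the IPv6 side is accepted to every zone the firewall forwards to, not just to the firewall host. Unless forwarding external SSH into internal zones is intended, change it to `ACCEPT netv6 $FW tcp 22` so the two rule sets agree. The rest of the IPv6 rules file is outside the hunk, so other netv6 rules cannot be checked here.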


@ -2,13 +2,13 @@
%define maj3ver %(echo %version | cut -d. -f1-3)
Name: shorewall
Version: 5.2.8
Release: 1mamba
Release: 2mamba
Summary: Shoreline Firewall, a high-level tool for configuring Netfilter
Group: Network/Security
Vendor: openmamba
Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://www.shorewall.net/index.htm
URL: https://shorewall.org/index.htm
Source: https://shorewall.org/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-%{version}.tar.bz2
Source1: shorewall-conf
Source2: shorewall-interfaces
@ -34,7 +34,6 @@ Requires: shorewall-core >= %{version}
Requires: iptables
Requires: iptables-ipv6
Requires: perl-Socket6
BuildRoot: %{_tmppath}/%{name}-%{version}-root
%description
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.
@ -46,6 +45,8 @@ The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool
cd shorewall6-%{version}
./configure \
--prefix=%{_prefix} \
--bindir=%{_bindir} \
--sbindir=%{_sbindir} \
--mandir=%{_mandir} \
--sysconfdir=%{_sysconfdir} \
--systemd=%{_unitdir} \
@ -54,6 +55,8 @@ cd shorewall6-%{version}
cd ..
./configure \
--prefix=%{_prefix} \
--bindir=%{_bindir} \
--sbindir=%{_sbindir} \
--mandir=%{_mandir} \
--sysconfdir=%{_sysconfdir} \
--systemd=%{_unitdir} \
@ -85,18 +88,18 @@ rm -f %{buildroot}%{_sysconfdir}/init.d/shorewall6
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
%post
if [ $1 -ge 1 ]; then
systemctl -q daemon-reload
systemctl -q reload-or-try-restart shorewall
systemctl -q reload-or-try-restart shorewall6
fi
%systemd_post shorewall
%systemd_post shorewall6
:
%preun
if [ $1 -eq 0 ]; then
systemctl -q stop shorewall
systemctl -q stop shorewall6
fi
%systemd_preun shorewall
%systemd_preun shorewall6
:
%postun
%systemd_postun_with_restart shorewall
%systemd_postun_with_restart shorewall6
:
%files
@ -108,7 +111,7 @@ fi
%{_sysconfdir}/logrotate.d/shorewall
%{_sysconfdir}/logrotate.d/shorewall6
#/sbin/shorewall
/sbin/shorewall6
%{_sbindir}/shorewall6
%{_unitdir}/shorewall.service
%{_unitdir}/shorewall6.service
%dir %{_datadir}/shorewall
@ -123,6 +126,9 @@ fi
#README.txt
%changelog
* Sun Aug 08 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 5.2.8-2mamba
- update default configuration and systemd service management
* Fri Sep 25 2020 Automatic Build System <autodist@mambasoft.it> 5.2.8-1mamba
- automatic version update by autodist
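Review bot: Replacing the `systemctl -q reload-or-try-restart shorewall` / `shorewall6` scriptlets with `%systemd_postun_with_restart shorewall` and `%systemd_postun_with_restart shorewall6` changes what a package upgrade does: as far as I know the macro issues a try-restart, i.e. a stop followed by a start of the unit rather than a reload, so the firewall passes through its stopped state on every upgrade, and whatever the unit's ExecStop does (outside this page) decides whether traffic is blocked or admitted in that window. The old `%post` also reloaded the service on install and upgrade (`$1 -ge 1`), while `%systemd_post` only applies the preset, so a fresh install no longer activates the firewall unless the preset does. If reload semantics are wanted, use `%systemd_postun shorewall` and run `systemctl -q reload-or-try-restart shorewall` in `%postun` when `$1 -ge 1`, and add a comment above the scriptlets recording which behaviour was chosen and why.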