diff --git a/README.md b/README.md
index 9d9fcd3..4618c6f 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
 # shorewall
+The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.
+
diff --git a/shorewall-conf b/shorewall-conf
new file mode 100644
index 0000000..56c09cd
--- /dev/null
+++ b/shorewall-conf
@@ -0,0 +1,174 @@
+###############################################################################
+# /etc/shorewall/shorewall.conf V3.4 - Change the following variables to
+# match your setup
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+# For information about the settings in this file, type "man shorewall.conf"
+#
+# Additional information is available at
+# http://www.shorewall.net/Documentation.htm#Conf
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# C O M P I L E R
+# (setting this to 'perl' requires installation of Shorewall-perl)
+###############################################################################
+
+#SHOREWALL_COMPILER=perl
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGRATE=
+
+LOGBURST=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=No
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+
+###############################################################################
+# R S H / R C P C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+IP_FORWARDING=On
+
+ADD_IP_ALIASES=Yes
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
+
+DISABLE_IPV6=Yes
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+RFC1918_STRICT=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=Yes
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=0
+
+EXPORTPARAMS=Yes
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE
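Review bot: `IP_FORWARDING=On` in the FIREWALL OPTIONS section enables kernel IP forwarding for what the spec changelog describes as a default for "a single host with eth0", where nothing should be routed through the box; with forwarding on, the only thing between the internet and forwarded traffic is the `net all DROP` policy. For this default I would ship `IP_FORWARDING=Off` (or `Keep`, if you would rather not touch the sysctl at all) and let gateway installs opt in. The header also says V3.4 while the spec builds 4.5.21.9, and several options present here (`BRIDGING`, `RFC1918_STRICT`, `MAPOLDACTIONS`, `DYNAMIC_ZONES`, `HIGH_ROUTE_MARKS`) were deprecated or dropped during the 4.x series, so the 4.5 compiler will presumably warn on them at best; regenerating this file from the 4.5 tarball's shorewall.conf and re-applying the few local changes would be safer than carrying a two-series-old file.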
diff --git a/shorewall-interfaces b/shorewall-interfaces
new file mode 100644
index 0000000..b7a16a7
--- /dev/null
+++ b/shorewall-interfaces
@@ -0,0 +1,12 @@
+#
+# Shorewall version 3.4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect dhcp,tcpflags,logmartians
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/shorewall-policy b/shorewall-policy
new file mode 100644
index 0000000..8554724
--- /dev/null
+++ b/shorewall-policy
@@ -0,0 +1,14 @@
+#
+# Shorewall version 3.4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LIMIT:BURST
+# LEVEL
+fw all ACCEPT
+net all DROP info
+all all REJECT info
+#LAST LINE -- DO NOT REMOVE
diff --git a/shorewall-rules b/shorewall-rules
new file mode 100644
index 0000000..1fa5091
--- /dev/null
+++ b/shorewall-rules
@@ -0,0 +1,18 @@
+#
+# Shorewall version 3.4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# See http://shorewall.net/Documentation.htm#Rules for additional information.
+#
+#############################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
+# PORT PORT(S) DEST LIMIT GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+ACCEPT net $FW tcp 22
+ACCEPT net $FW tcp 10000
+ACCEPT net $FW tcp 20,21,80,443
+ACCEPT net $FW udp 20,21
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
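Review bot: The eth0 entry enables `logmartians` but not `routefilter`, and the accompanying shorewall.conf has `ROUTE_FILTER=No`, so no reverse-path filtering is enabled on the one interface facing `net`; `logmartians` only logs packets with impossible source addresses, it does not reject them. On a single-interface host rp_filter has no legitimate traffic to break, so I would ship `net eth0 detect dhcp,tcpflags,logmartians,routefilter`. If this Shorewall version supports the `nosmurfs` interface option (the conf file already sets `SMURF_LOG_LEVEL=info`, which only has an effect when that option is in use), adding it to the same line is worth considering.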
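Review bot: `net all DROP info` logs every unsolicited packet arriving from the internet at `info`, and nothing in this commit bounds the log rate: the LIMIT:BURST column of this file throttles TCP connection rate, not logging, and the accompanying shorewall.conf leaves `LOGRATE=` and `LOGBURST=` empty. Ordinary internet background scanning, let alone a deliberate flood, can then fill `/var/log/messages` (the configured LOGFILE) on a box that ships this as its default. Either set something like `LOGRATE=10/minute` and `LOGBURST=5` in shorewall.conf, or leave the log level off the `net` policy (`net all DROP`) and keep `info` only on the catch-all `all all REJECT info` line.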
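Review bot: `ACCEPT net $FW tcp 10000` opens a port conventionally used by Webmin to the whole internet in a distribution-wide default rules file, alongside 20, 21, 80 and 443, regardless of whether any of those services is installed; a packaged default should admit nothing beyond what the host is known to run, and the 10000 line in particular should be removed or restricted to a trusted source network. `ACCEPT net $FW udp 20,21` does nothing useful, since FTP is TCP-only, and inbound tcp/20 is not needed either: active-mode data connections are opened outbound by the server, and passive mode needs the FTP connection-tracking helper — the `FTP/ACCEPT net $FW` macro, if this release ships it — rather than an open port 20. If SSH is to stay reachable from `net` by default, consider rate-limiting new connections through the RATE LIMIT column, e.g. `ACCEPT net $FW tcp 22 - - - 3/min:5`, to blunt brute-force attempts.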
diff --git a/shorewall-zones b/shorewall-zones
new file mode 100644
index 0000000..0eeb38c
--- /dev/null
+++ b/shorewall-zones
@@ -0,0 +1,13 @@
+#
+# Shorewall version 3.4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv4
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/shorewall.spec b/shorewall.spec
new file mode 100644
index 0000000..1ae3da4
--- /dev/null
+++ b/shorewall.spec
@@ -0,0 +1,150 @@
+%define majver %(echo %version | cut -d. -f1-2)
+%define maj3ver %(echo %version | cut -d. -f1-3)
+Name: shorewall
+Version: 4.5.21.9
+Release: 1mamba
+Summary: Shoreline Firewall, a high-level tool for configuring Netfilter
+Group: Network/Security
+Vendor: openmamba
+Distribution: openmamba
+Packager: Silvan Calarco
+URL: http://www.shorewall.net/index.htm
+Source: http://slovakia.shorewall.net/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-%{version}.tar.bz2
+Source1: shorewall-conf
+Source2: shorewall-interfaces
+Source3: shorewall-policy
+Source4: shorewall-rules
+Source5: shorewall-zones
+Source6: http://slovakia.shorewall.net/pub/shorewall/%{majver}/shorewall-%{maj3ver}/shorewall-docs-html-%{version}.tar.bz2
+#Source8: http://slovakia.shorewall.net/pub/shorewall/%{majver}/shorewall-%{version}/base/shorewall-perl-%{version}.tar.bz2
+#Source9: http://slovakia.shorewall.net/pub/shorewall/%{majver}/shorewall-%{version}/base/shorewall-shell-%{version}.tar.bz2
+License: GPL
+BuildArch: noarch
+BuildRequires: shorewall-core >= %{version}
+Requires: shorewall-core >= %{version}
+Requires: iptables
+Requires: iptables-ipv6
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+
+%description
+The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall.
+
+%prep
+%setup -q -a6
+
+%build
+./configure \
+ --prefix=%{_prefix} \
+ --mandir=%{_mandir} \
+ --sysconfdir=%{_sysconfdir} \
+ --initdir=%{_initrddir} \
+ HOST=linux
+
+%install
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+DESTDIR=%{buildroot} ./install.sh
+
+install %{SOURCE1} %{buildroot}%{_sysconfdir}/shorewall/shorewall.conf
+install %{SOURCE2} %{buildroot}%{_sysconfdir}/shorewall/interfaces
+install %{SOURCE3} %{buildroot}%{_sysconfdir}/shorewall/policy
+install %{SOURCE4} %{buildroot}%{_sysconfdir}/shorewall/rules
+install %{SOURCE5} %{buildroot}%{_sysconfdir}/shorewall/zones
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+
+%files
+%defattr(-,root,root)
+%dir %{_sysconfdir}/shorewall
+%config(noreplace) %{_sysconfdir}/shorewall/*
+%{_initrddir}/shorewall
+%{_sysconfdir}/logrotate.d/shorewall
+/sbin/shorewall
+%dir %{_datadir}/shorewall
+%{_datadir}/shorewall/*
+%{_mandir}/man5/shorewall*.5*
+%{_mandir}/man8/shorewall*.8*
+%dir /var/lib/shorewall
+%doc COPYING
+#README.txt
+
+%changelog
+* Mon May 12 2014 Automatic Build System 4.5.21.9-1mamba
+- automatic version update by autodist
+
+* Fri Dec 20 2013 Automatic Build System 4.5.21.5-1mamba
+- automatic version update by autodist
+
+* Sun Nov 24 2013 Automatic Build System 4.5.21.4-1mamba
+- automatic version update by autodist
+
+* Sat Oct 26 2013 Automatic Build System 4.5.21.3-1mamba
+- automatic version update by autodist
+
+* Wed Oct 23 2013 Automatic Build System 4.5.21.2-1mamba
+- automatic version update by autodist
+
+* Wed Oct 09 2013 Automatic Build System 4.5.21.1-1mamba
+- automatic version update by autodist
+
+* Sun Oct 06 2013 Automatic Build System 4.5.21-1mamba
+- automatic version update by autodist
+
+* Fri Aug 30 2013 Automatic Build System 4.5.20-1mamba
+- automatic version update by autodist
+
+* Thu Jul 25 2013 Automatic Build System 4.5.19-1mamba
+- automatic version update by autodist
+
+* Sun Jun 30 2013 Automatic Build System 4.5.18-1mamba
+- automatic version update by autodist
+
+* Mon Jun 03 2013 Automatic Build System 4.5.17.1-1mamba
+- automatic version update by autodist
+
+* Sat Jun 01 2013 Automatic Build System 4.5.17-1mamba
+- automatic version update by autodist
+
+* Fri May 03 2013 Automatic Build System 4.5.16.1-1mamba
+- update to 4.5.16.1
+
+* Sun Apr 28 2013 Automatic Build System 4.5.15-1mamba
+- automatic version update by autodist
+
+* Fri Mar 22 2013 Automatic Build System 4.5.14-1mamba
+- automatic version update by autodist
+
+* Sun Oct 02 2011 Silvan Calarco 4.4.23.3-1mamba
+- update to 4.4.23.3
+
+* Sun Jun 19 2011 Automatic Build System 4.4.19.4-1mamba
+- automatic update by autodist
+
+* Sun May 15 2011 Silvan Calarco 4.4.19.3-1mamba
+- update to 4.4.19.3
+
+* Wed May 04 2011 Silvan Calarco 4.4.19.1-1mamba
+- update to 4.4.19.1
+
+* Mon Jun 21 2010 Automatic Build System 4.4.7.6-1mamba
+- automatic update by autodist
+
+* Mon Mar 08 2010 Silvan Calarco 4.4.7.5-1mamba
+- update to 4.4.7.5
+- added requirement for iptables-ipv6
+
+* Mon Feb 01 2010 Silvan Calarco 4.4.6-1mamba
+- update to 4.4.6
+
+* Sat Feb 28 2009 Silvan Calarco 4.2.5-1mamba
+- automatic update by autodist
+
+* Wed Dec 10 2008 Silvan Calarco 4.2.2-1mamba
+- update to 4.2.2
+
+* Wed Jul 25 2007 Silvan Calarco 3.4.5-1mamba
+- update to 3.4.5
+- added a default working configuration for a single host with eth0
+
+* Fri Jun 29 2007 Silvan Calarco 3.4.4-1mamba
+- package created by autospec
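Review bot: The five `install %{SOURCEn} …` lines in %install pass no `-m`, so install(1)'s default mode of 0755 applies and shorewall.conf, interfaces, policy, rules and zones land in /etc/shorewall as executable, world-readable files; they should be installed as `install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/shorewall/shorewall.conf` (0600 if you prefer the rule set unreadable to unprivileged users), and likewise for SOURCE2–SOURCE5. Those files are also the Shorewall 3.4 configuration set (their own headers say so) while `Version:` is 4.5.21.9, so the packaged defaults are two major series behind the compiler that reads them; refreshing them from the 4.5 tarball's samples and re-applying the local rules would avoid relying on the compiler's backward-compatibility handling. Finally, `Source:` and `Source6:` are fetched over plain http from a mirror with no checksum or detached signature referenced anywhere in the spec; if the build system does not verify them elsewhere, adding the upstream signature files as further Source entries and checking them in %prep would close that supply-chain gap.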