I did a fresh recompile of both the kernel and iptables-1.2.9, then installed Shorewall_2.0.0a from source. There is something that I am missing! The H323 patch I'm installing is from patch-o-matic; that is the only thing I patch from patch-o-matic. Could there be something from pom that I'm not patching that I should be?
-j
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, March 22, 2004 11:55 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] All interfaces
Jeffrey J. Karrels wrote:
> Hello,
>
> I was recompiling my kernel to add support for H323. This caused problems
> with NAT. I have tracked it down to the all interfaces column in the nat
> file...? When I have All interfaces on "Yes", Shorewall will not start
> due to an invalid argument in iptables. I am running Shorewall 2.0.0a. Anyone
> have any thoughts? Did I miss something in the kernel when compiling?
>
Trace?
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
-------------- next part --------------
+ shift
+ nolock+ ''['' 1 -gt 1 '']''
+ trap ''my_mutex_off; exit 2'' 1 2 3 4 5 6 9
+ COMMAND=start
+ ''['' 1 -ne 1 '']''
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version+ FW+ SUBSYSLOCK+ STATEDIR+ ALLOWRELATED=Yes
+ LOGRATE+ LOGBURST+ LOGPARMS+ LOGLIMIT+ ADD_IP_ALIASES+ ADD_SNAT_ALIASES+
TC_ENABLED+ BLACKLIST_DISPOSITION+ BLACKLIST_LOGLEVEL+ CLAMPMSS+ ROUTE_FILTER+
DETECT_DNAT_IPADDRS+ MUTEX_TIMEOUT+ NEWNOTSYN+ LOGNEWNOTSYN+ FORWARDPING+
MACLIST_DISPOSITION+ MACLIST_LOG_LEVEL+ TCP_FLAGS_DISPOSITION+
TCP_FLAGS_LOG_LEVEL+ RFC1918_LOG_LEVEL+ MARK_IN_FORWARD_CHAIN+
SHARED_DIR=/usr/share/shorewall
+ FUNCTIONS+ VERSION_FILE+ LOGFORMAT+ LOGRULENUMBERS+ ADMINISABSENTMINDED+
BLACKLISTNEWONLY+ MODULE_SUFFIX+ ACTIONS+ USEDACTIONS+ SMURF_LOG_LEVEL+
DISABLE_IPV6+ stopping+ have_mutex+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add+ TMP_DIR=/tmp/shorewall-13463
+ rm -rf /tmp/shorewall-13463
+ mkdir -p /tmp/shorewall-13463
+ chmod 700 /tmp/shorewall-13463
+ trap ''rm -rf /tmp/shorewall-13463; my_mutex_off; exit 2'' 1 2
3 4 5 6 9
+ FUNCTIONS=/usr/share/shorewall/functions
+ ''['' -f /usr/share/shorewall/functions '']''
+ echo ''Loading /usr/share/shorewall/functions...''
+ . /usr/share/shorewall/functions
++ LEFTSHIFT=<<
+ VERSION_FILE=/usr/share/shorewall/version
+ ''['' -f /usr/share/shorewall/version '']''
++ cat /usr/share/shorewall/version
+ version=2.0.0a
+ run_user_exit params
++ find_file params
++ ''['' -n '''' -a -f /params
'']''
++ ''['' -f /etc/shorewall/params '']''
++ echo /etc/shorewall/params
+ local user_exit=/etc/shorewall/params
+ ''['' -f /etc/shorewall/params '']''
+ echo ''Processing /etc/shorewall/params ...''
+ . /etc/shorewall/params
++ find_file shorewall.conf
++ ''['' -n '''' -a -f /shorewall.conf
'']''
++ ''['' -f /etc/shorewall/shorewall.conf '']''
++ echo /etc/shorewall/shorewall.conf
+ config=/etc/shorewall/shorewall.conf
+ ''['' -f /etc/shorewall/shorewall.conf '']''
+ echo ''Processing /etc/shorewall/shorewall.conf...''
+ . /etc/shorewall/shorewall.conf
++ LOGFILE=/var/log/messages
++ LOGFORMAT=Shorewall:%s:%s:
++ LOGRATE++ LOGBURST++ BLACKLIST_LOGLEVEL++ LOGNEWNOTSYN=info
++ MACLIST_LOG_LEVEL=info
++ TCP_FLAGS_LOG_LEVEL=info
++ RFC1918_LOG_LEVEL=info
++ SMURF_LOG_LEVEL=info
++ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
++ SHOREWALL_SHELL=/bin/sh
++ SUBSYSLOCK=/var/lock/subsys/shorewall
++ STATEDIR=/var/lib/shorewall
++ MODULESDIR++ FW=fw
++ IP_FORWARDING=On
++ ADD_IP_ALIASES=Yes
++ ADD_SNAT_ALIASES=No
++ TC_ENABLED=No
++ CLEAR_TC=Yes
++ MARK_IN_FORWARD_CHAIN=No
++ CLAMPMSS=No
++ ROUTE_FILTER=No
++ DETECT_DNAT_IPADDRS=No
++ MUTEX_TIMEOUT=60
++ NEWNOTSYN=Yes
++ ADMINISABSENTMINDED=Yes
++ BLACKLISTNEWONLY=Yes
++ MODULE_SUFFIX++ DISABLE_IPV6=no
++ BLACKLIST_DISPOSITION=DROP
++ MACLIST_DISPOSITION=REJECT
++ TCP_FLAGS_DISPOSITION=DROP
+ determine_capabilities
+ qt iptables -t nat -L -n
+ iptables -t nat -L -n
+ NAT_ENABLED=Yes
+ qt iptables -t mangle -L -n
+ iptables -t mangle -L -n
+ MANGLE_ENABLED=Yes
+ CONNTRACK_MATCH+ MULTIPORT+ qt iptables -N fooX1234
+ iptables -N fooX1234
+ qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ CONNTRACK_MATCH=Yes
+ qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ MULTIPORT=Yes
+ qt iptables -F fooX1234
+ iptables -F fooX1234
+ qt iptables -X fooX1234
+ iptables -X fooX1234
+ ''['' -z /var/lib/shorewall '']''
+ ''['' -d /var/lib/shorewall '']''
+ ''['' -z fw '']''
++ added_param_value_yes ALLOWRELATED Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ ALLOWRELATED=Yes
+ ''['' -n Yes '']''
++ added_param_value_yes ADD_IP_ALIASES Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ ADD_IP_ALIASES=Yes
++ added_param_value_yes TC_ENABLED No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ TC_ENABLED+ ''['' -n ''''
'']''
+ ''['' -n On '']''
+ ''['' -n '''' -a -z Yes '']''
+ ''['' -z DROP '']''
++ added_param_value_no CLAMPMSS No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ CLAMPMSS++ added_param_value_no ADD_SNAT_ALIASES No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ ADD_SNAT_ALIASES++ added_param_value_no ROUTE_FILTER No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ ROUTE_FILTER++ added_param_value_no DETECT_DNAT_IPADDRS No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ DETECT_DNAT_IPADDRS++ added_param_value_no FORWARDPING
++ local val++ ''['' -z ''''
'']''
++ echo ''''
+ FORWARDPING+ ''['' -n ''''
'']''
++ added_param_value_yes NEWNOTSYN Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ NEWNOTSYN=Yes
+ maclist_target=reject
+ ''['' -n REJECT '']''
+ ''['' -n DROP '']''
+ ''['' -z info '']''
++ added_param_value_no MARK_IN_FORWARD_CHAIN No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ MARK_IN_FORWARD_CHAIN+ ''['' -n ''''
'']''
+ marking_chain=tcpre
+ ''['' -n '''' '']''
+ CLEAR_TC+ ''['' -n Shorewall:%s:%s: '']''
++ echo Shorewall:%s:%s:
++ grep %d
+ ''['' -n '''' '']''
++ printf Shorewall:%s:%s: fooxx barxx
+ temp=Shorewall:fooxx:barxx:
+ ''['' 0 -ne 0 '']''
+ ''['' 22 -gt 29 '']''
++ added_param_value_no ADMINISABSENTMINDED Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ ADMINISABSENTMINDED=Yes
++ added_param_value_no BLACKLISTNEWONLY Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ BLACKLISTNEWONLY=Yes
++ added_param_value_no DISABLE_IPV6 no
++ local val=no
++ ''['' -z no '']''
++ echo ''''
+ DISABLE_IPV6+ ''['' -n ''''
'']''
+ MODULE_SUFFIX=o gz ko o.gz
+ strip_file interfaces
+ local fname
+ ''['' 1 = 1 '']''
++ find_file interfaces
++ ''['' -n '''' -a -f /interfaces
'']''
++ ''['' -f /etc/shorewall/interfaces '']''
++ echo /etc/shorewall/interfaces
+ fname=/etc/shorewall/interfaces
+ ''['' -f /etc/shorewall/interfaces '']''
+ read_file /etc/shorewall/interfaces 0
+ local first rest
+ ''['' -f /etc/shorewall/interfaces '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 -- Interfaces File''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/interfaces''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# You must add an entry in this file for each network interface
on your''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# firewall system.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ZONE Zone for this interface. Must match the short
name''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# of a zone defined in /etc/shorewall/zones.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If the interface serves multiple zones that will be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# defined in the /etc/shorewall/hosts file, you
should''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# place "-" in this column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERFACE Name of interface. Each interface may be listed
only''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# once in this file. You may NOT specify the name of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# an alias (e.g., eth0:0) here; see''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# http://www.shorewall.net/FAQ.htm#faq18''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# You may specify wildcards here. For example, if you''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# want to make an entry that applies to all PPP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interfaces, use
''\''''ppp+''\''''.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# There is no need to define the loopback interface
(lo)''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in this file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# BROADCAST The broadcast address for the subnetwork to which
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface belongs. For P-T-P interfaces, this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# column is left black.If the interface has multiple''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# addresses on multiple subnets then list the
broadcast''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# addresses as a comma-separated list.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If you use the special value "detect", the
firewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# will detect the broadcast address for you. If you''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# select this option, the interface must be up before''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ cut -d# -f1
+ echo ''# the firewall is started, you must have iproute''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# installed.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If you don''\''''t want to give a
value for this column but''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# you want to enter a value in the OPTIONS column,
enter''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "-" in this column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# OPTIONS A comma-separated list of options including
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# following:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# dhcp - interface is managed by DHCP or used by''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a DHCP server running on the firewall or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# you have a static IP but are on a LAN''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# segment with lots of Laptop DHCP clients.''
+ grep -v ''^[[:space:]]*$''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# norfc1918 - This interface should not receive''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# any packets whose source is in one''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# of the ranges reserved by RFC 1918''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (i.e., private or "non-routable"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# addresses. If packet mangling is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# enabled in shorewall.conf, packets''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# whose destination addresses are''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# reserved by RFC 1918 are also rejected.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# routefilter - turn on kernel route filtering for
this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface (anti-spoofing measure). This''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# option can also be enabled globally in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the /etc/shorewall/shorewall.conf file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# . . blacklist - Check packets arriving on this
interface''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# against the /etc/shorewall/blacklist''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# maclist - Connection requests from this
interface''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# are compared against the contents of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/maclist. If this option''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# is specified, the interface must be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# an ethernet NIC and must be up before''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall is started.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# tcpflags - Packets arriving on this interface
are''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# checked for certain illegal combinations''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# of TCP flags. Packets found to have''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# such a combination of flags are handled''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# according to the setting of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# TCP_FLAGS_DISPOSITION after having been''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# logged according to the setting of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# TCP_FLAGS_LOG_LEVEL.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# proxyarp -''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Sets''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''#
/proc/sys/net/ipv4/conf/<interface>/proxy_arp.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Do NOT use this option if you are''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# employing Proxy ARP through entries in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/proxyarp. This option is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# intended soley for use with Proxy ARP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# sub-networking as described at:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# newnotsyn - TCP packets that
don''\''''t have the SYN''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# flag set and which are not part of an''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# established connection will be accepted''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# from this interface, even if''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# NEWNOTSYN=No has been specified in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/shorewall.conf.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This option has no effect if''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# NEWNOTSYN=Yes.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# routeback - If specified, indicates that
Shorewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# should include rules that allow filtering''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# traffic arriving on this interface back''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# out that same interface.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# arp_filter - If specified, this interface will
only''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# respond to ARP who-has requests for IP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# addresses configured on the interface.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If not specified, the interface can''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# respond to ARP who-has requests for''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# IP addresses on any of the
firewall''\''''s''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface. The interface must be up''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# when Shorewall is started.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# nosmurfs - Filter packets for smurfs''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (packets with a broadcast''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address as the source).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Smurfs will be optionally logged based''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# on the setting of SMURF_LOG_LEVEL in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# shorewall.conf. After logging, the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# packets are dropped.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# detectnets - Automatically taylors the zone named''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in the ZONE column to include only those''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# hosts routed through the interface.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# WARNING: DO NOT SET THE detectnets OPTION ON YOUR''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERNET INTERFACE!''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The order in which you list the options is not''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# significant but the list should have no embedded
white''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# space.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example 1: Suppose you have eth0 connected to a DSL modem
and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# eth1 connected to your local network and that your''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# local subnet is 192.168.1.0/24. The interface gets''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# it''\''''s IP address via DHCP from
subnet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 206.191.149.192/27. You have a DMZ with subnet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 192.168.2.0/24 using eth2.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Your entries for this setup would look like:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# net eth0 206.191.149.223 dhcp''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# local eth1 192.168.1.255''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# dmz eth2 192.168.2.255''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example 2: The same configuration without specifying
broadcast''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# addresses is:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# net eth0 detect dhcp''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# loc eth1 detect''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# dmz eth2 detect''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example 3: You have a simple dial-in system with no
ethernet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# connections.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# net ppp0 -''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x#ZONE = xINCLUDE '']''
+ echo ''#ZONE INTERFACE BROADCAST OPTIONS''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' xnet = xINCLUDE '']''
+ echo ''net eth1 129.246.226.255''
+ read first rest
+ ''['' xloc = xINCLUDE '']''
+ echo ''loc eth0 192.168.0.255''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE''
+ read first rest
+ strip_file hosts
+ local fname
+ ''['' 1 = 1 '']''
++ find_file hosts
++ ''['' -n '''' -a -f /hosts
'']''
++ ''['' -f /etc/shorewall/hosts '']''
++ echo /etc/shorewall/hosts
+ fname=/etc/shorewall/hosts
+ ''['' -f /etc/shorewall/hosts '']''
+ read_file /etc/shorewall/hosts 0
+ local first rest
+ ''['' -f /etc/shorewall/hosts '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 - /etc/shorewall/hosts''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE
THAN''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# IF YOU DON''\''''T HAVE THAT
SITUATION THEN DON''\''''T TOUCH THIS FILE.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This file is used to define zones in terms of subnets
and/or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# individual IP addresses. Most simple setups
don''\''''t need to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (should not) place anything in this file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ZONE - The name of a zone defined in
/etc/shorewall/zones''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# HOST(S) - The name of an interface followed by a colon
(":") and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a comma-separated list whose elements are either:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a) The IP address of a host''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# b) A subnetwork in the form''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <subnet-address>/<mask width>''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The interface must be defined in the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/interfaces file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Examples:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# eth1:192.168.1.3''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# eth2:192.168.2.0/24''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# eth3:192.168.2.0/24,192.168.3.1''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# OPTIONS - A comma-separated list of options.
Currently-defined''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# options are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# maclist - Connection requests from these hosts''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# are compared against the contents of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/maclist. If this option''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# is specified, the interface must be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# an ethernet NIC and must be up before''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall is started.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# routeback - Shorewall show set up the
infrastructure''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to pass packets from this/these''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address(es) back to themselves. This is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# necessary of hosts in this group use the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# services of a transparent proxy that is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a member of the group or if DNAT is used''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to send requests originating from this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# group to a server in the group.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x#ZONE = xINCLUDE '']''
+ echo ''#ZONE HOST(S) OPTIONS''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ ''['' -n /bin/sh '']''
++ decodeaddr 192.168.1.1
++ local x
++ local temp=0
++ local ''ifs=
''
++ IFS=.
++ temp=192
++ temp=49320
++ temp=12625921
++ temp=3232235777
++ echo 3232235777
++ IFS=
+ temp=3232235777
++ encodeaddr 3232235777
++ addr=3232235777
++ local x
++ local y=1
++ addr=12625921
++ y=1.1
++ addr=49320
++ y=168.1.1
++ addr=192
++ y=192.168.1.1
++ echo 192.168.1.1
+ ''['' 192.168.1.1 ''!='' 192.168.1.1
'']''
+ my_mutex_on
+ ''['' -n '''' '']''
+ mutex_on
+ local try=0
+ local lockf=/var/lib/shorewall/lock
+ MUTEX_TIMEOUT=60
+ ''['' 60 -gt 0 '']''
+ ''['' -d /var/lib/shorewall '']''
+ qt which lockfile
+ which lockfile
+ lockfile -60 -r1 /var/lib/shorewall/lock
+ have_mutex=Yes
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ define_firewall Start
+ check_disabled_startup
+ ''['' -f /etc/shorewall/startup_disabled '']''
+ echo ''Starting Shorewall...''
+ verify_os_version
++ uname -r
+ osversion=2.4.20-30.9jKarrels
++ lsmod
++ grep ''^ipchains''
+ ''['' start = start -a -n ''''
'']''
+ verify_ip
+ qt ip link ls
+ ip link ls
+ load_kernel_modules
+ ''['' -z '''' '']''
+ MODULESDIR=/lib/modules/2.4.20-30.9jKarrels/kernel/net/ipv4/netfilter
++ find_file modules
++ ''['' -n '''' -a -f /modules
'']''
++ ''['' -f /etc/shorewall/modules '']''
++ echo /etc/shorewall/modules
+ modules=/etc/shorewall/modules
+ ''['' -f /etc/shorewall/modules -a -d
/lib/modules/2.4.20-30.9jKarrels/kernel/net/ipv4/netfilter '']''
+ echo ''Loading Modules...''
+ . /etc/shorewall/modules
++ loadmodule ip_tables
++ local modulename=ip_tables
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_tables
++ ''['' -z ''ip_tables 14360 13 [ipt_TOS
ipt_MASQUERADE ipt_REJECT ipt_pkttype ipt_LOG ipt_state ipt_multiport
ipt_conntrack iptable_filter iptable_mangle iptable_nat]''
'']''
++ loadmodule iptable_filter
++ local modulename=iptable_filter
++ local modulefile
++ local suffix
+++ lsmod
+++ grep iptable_filter
++ ''['' -z ''iptable_filter 2316 1
(autoclean)
ip_tables 14360 13 [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_pkttype
ipt_LOG ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle
iptable_nat]'' '']''
++ loadmodule ip_conntrack
++ local modulename=ip_conntrack
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack
++ ''['' -z ''ip_conntrack_h323 3648 0 (unused)
ip_conntrack_irc 4048 1 [ip_nat_irc]
ip_conntrack_tftp 2512 1
ip_conntrack_ftp 5072 1 [ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_conntrack_h323
++ local modulename=ip_conntrack_h323
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_h323
++ ''['' -z ''ip_conntrack_h323 3648 0 (unused)
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_conntrack_ftp
++ local modulename=ip_conntrack_ftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_ftp
++ ''['' -z ''ip_conntrack_ftp 5072 1
[ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_conntrack_tftp
++ local modulename=ip_conntrack_tftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_tftp
++ ''['' -z ''ip_conntrack_tftp 2512 1
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_conntrack_irc
++ local modulename=ip_conntrack_irc
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_irc
++ ''['' -z ''ip_conntrack_irc 4048 1
[ip_nat_irc]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule iptable_nat
++ local modulename=iptable_nat
++ local modulefile
++ local suffix
+++ lsmod
+++ grep iptable_nat
++ ''['' -z ''iptable_nat 20216 3
(autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables 14360 13 [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_pkttype
ipt_LOG ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle
iptable_nat]'' '']''
++ loadmodule ip_nat_ftp
++ local modulename=ip_nat_ftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_ftp
++ ''['' -z ''ip_nat_ftp 3920 0 (unused)
ip_conntrack_ftp 5072 1 [ip_nat_ftp]
iptable_nat 20216 3 (autoclean) [ipt_MASQUERADE ip_nat_irc
ip_nat_tftp ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_nat_tftp
++ local modulename=ip_nat_tftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_tftp
++ ''['' -z ''ip_nat_tftp 2544 0 (unused)
iptable_nat 20216 3 (autoclean) [ipt_MASQUERADE ip_nat_irc
ip_nat_tftp ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
++ loadmodule ip_nat_irc
++ local modulename=ip_nat_irc
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_irc
++ ''['' -z ''ip_nat_irc 3216 0 (unused)
ip_conntrack_irc 4048 1 [ip_nat_irc]
iptable_nat 20216 3 (autoclean) [ipt_MASQUERADE ip_nat_irc
ip_nat_tftp ip_nat_ftp]
ip_conntrack 27848 7 (autoclean) [ip_conntrack_h323 ipt_MASQUERADE
ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp
ip_conntrack_ftp ipt_conntrack iptable_nat]'' '']''
+ echo Initializing...
+ initialize_netfilter
+ report_capabilities
+ echo ''Shorewall has detected the following iptables/netfilter
capabilities:''
+ report_capability Yes NAT
+ local setting+ ''['' xYes = xYes '']''
+ setting=Available
+ shift
+ echo '' '' NAT: Available
+ report_capability Yes ''Packet Mangling''
+ local setting+ ''['' xYes = xYes '']''
+ setting=Available
+ shift
+ echo '' '' Packet Mangling: Available
+ report_capability Yes ''Multi-port Match''
+ local setting+ ''['' xYes = xYes '']''
+ setting=Available
+ shift
+ echo '' '' Multi-port Match: Available
+ report_capability Yes ''Connection Tracking Match''
+ local setting+ ''['' xYes = xYes '']''
+ setting=Available
+ shift
+ echo '' '' Connection Tracking Match: Available
+ echo ''Determining Zones...''
+ determine_zones
++ find_file zones
++ ''['' -n '''' -a -f /zones
'']''
++ ''['' -f /etc/shorewall/zones '']''
++ echo /etc/shorewall/zones
+ local zonefile=/etc/shorewall/zones
+ multi_display=Multi-zone
+ strip_file zones /etc/shorewall/zones
+ local fname
+ ''['' 2 = 1 '']''
+ fname=/etc/shorewall/zones
+ ''['' -f /etc/shorewall/zones '']''
+ read_file /etc/shorewall/zones 0
+ local first rest
+ ''['' -f /etc/shorewall/zones '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 /etc/shorewall/zones''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This file determines your network zones. Columns
are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ZONE Short name of the zone (5 Characters or less in
length).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DISPLAY Display name of the zone''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# COMMENTS Comments about the zone''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU
HAVE NESTED OR''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# OVERLAPPING ZONES DEFINED THROUGH
/etc/shorewall/hosts.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# See
http://www.shorewall.net/Documentation.htm#Nested''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x#ZONE = xINCLUDE '']''
+ echo ''#ZONE DISPLAY COMMENTS''
+ read first rest
+ ''['' xnet = xINCLUDE '']''
+ echo ''net Net Internet''
+ read first rest
+ ''['' xloc = xINCLUDE '']''
+ echo ''loc Local Local networks''
+ read first rest
+ ''['' x#dmz = xINCLUDE '']''
+ echo ''#dmz DMZ Demilitarized zone''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
++ find_zones /tmp/shorewall-13463/zones
++ read zone display comments
++ ''['' -n net '']''
++ echo net
++ read zone display comments
++ ''['' -n loc '']''
++ echo loc
++ read zone display comments
+ zones=net
loc
++ echo net loc
+ zones=net loc
++ find_display net /tmp/shorewall-13463/zones
++ grep ''^net'' /tmp/shorewall-13463/zones
++ read z display comments
++ ''['' xnet = xnet '']''
++ echo Net
++ read z display comments
+ dsply=Net
+ eval ''net_display=$dsply''
++ net_display=Net
++ find_display loc /tmp/shorewall-13463/zones
++ grep ''^loc'' /tmp/shorewall-13463/zones
++ read z display comments
++ ''['' xloc = xloc '']''
++ echo Local
++ read z display comments
+ dsply=Local
+ eval ''loc_display=$dsply''
++ loc_display=Local
+ ''['' -z ''net loc'' '']''
+ display_list Zones: net loc
+ ''['' 3 -gt 1 '']''
+ echo '' Zones: net loc''
+ echo ''Validating interfaces file...''
+ validate_interfaces_file
+ local wildcard
+ local found_obsolete_option+ local z interface subnet options r iface option
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$z''
++ varval=net
+ eval ''z="net"''
++ z=net
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$interface''
++ varval=eth1
+ eval ''interface="eth1"''
++ interface=eth1
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$subnet''
++ varval=129.246.226.255
+ eval ''subnet="129.246.226.255"''
++ subnet=129.246.226.255
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$options''
++ varval+ eval ''options=""''
++ options+ shift
+ ''['' 0 -gt 0 '']''
+ r=net eth1 129.246.226.255
+ ''['' xnet = x- '']''
+ ''['' -n net '']''
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ list_search eth1
+ local e=eth1
+ ''['' 1 -gt 1 '']''
+ return 1
+ wildcard+ all_interfaces= eth1
++ separate_list
++ local list
++ local part
++ local newlist
++ list++ part++ newlist++ ''['' x ''!='' x
'']''
++ echo ''''
+ options++ chain_base eth1
++ local c=eth1
++ true
++ echo eth1
++ return
+ iface=eth1
+ eval eth1_broadcast=129.246.226.255
++ eth1_broadcast=129.246.226.255
+ eval eth1_zone=net
++ eth1_zone=net
+ eval ''eth1_options=""''
++ eth1_options+ ''['' -z '' eth1''
'']''
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$z''
++ varval=loc
+ eval ''z="loc"''
++ z=loc
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$interface''
++ varval=eth0
+ eval ''interface="eth0"''
++ interface=eth0
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$subnet''
++ varval=192.168.0.255
+ eval ''subnet="192.168.0.255"''
++ subnet=192.168.0.255
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$options''
++ varval+ eval ''options=""''
++ options+ shift
+ ''['' 0 -gt 0 '']''
+ r=loc eth0 192.168.0.255
+ ''['' xloc = x- '']''
+ ''['' -n loc '']''
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ list_search eth0 eth1
+ local e=eth0
+ ''['' 2 -gt 1 '']''
+ shift
+ ''['' xeth0 = xeth1 '']''
+ ''['' 1 -gt 1 '']''
+ return 1
+ wildcard+ all_interfaces= eth1 eth0
++ separate_list
++ local list
++ local part
++ local newlist
++ list++ part++ newlist++ ''['' x ''!='' x
'']''
++ echo ''''
+ options++ chain_base eth0
++ local c=eth0
++ true
++ echo eth0
++ return
+ iface=eth0
+ eval eth0_broadcast=192.168.0.255
++ eth0_broadcast=192.168.0.255
+ eval eth0_zone=loc
++ eth0_zone=loc
+ eval ''eth0_options=""''
++ eth0_options+ ''['' -z '' eth1 eth0''
'']''
+ read z interface subnet options
+ echo ''Validating hosts file...''
+ validate_hosts_file
+ local z hosts options r interface host option
+ read z hosts options
+ echo ''Validating Policy file...''
+ validate_policy
+ local clientwild
+ local serverwild
+ local zone
+ local zone1
+ local pc
+ local chain
+ local policy
+ local loglevel
+ local synparams
+ all_policy_chains+ strip_file policy
+ local fname
+ ''['' 1 = 1 '']''
++ find_file policy
++ ''['' -n '''' -a -f /policy
'']''
++ ''['' -f /etc/shorewall/policy '']''
++ echo /etc/shorewall/policy
+ fname=/etc/shorewall/policy
+ ''['' -f /etc/shorewall/policy '']''
+ read_file /etc/shorewall/policy 0
+ local first rest
+ ''['' -f /etc/shorewall/policy '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 -- Policy File''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/policy''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This file determines what to do with a new connection request
if we''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# don''\''''t get a match from the
/etc/shorewall/rules file . For each''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# source/destination pair, the file is processed in order until
a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# match is found ("all" will match any client or
server).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# SOURCE Source zone. Must be the name of a zone
defined''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in /etc/shorewall/zones, $FW or "all".''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DEST Destination zone. Must be the name of a zone
defined''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in /etc/shorewall/zones, $FW or "all"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# POLICY Policy if no match from the rules file is found.
Must''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# be "ACCEPT", "DROP", "REJECT",
"CONTINUE" or "NONE".''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACCEPT - Accept the connection''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DROP - Ignore the connection request''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REJECT - For TCP, send RST. For all other, send''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "port unreachable" ICMP.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# CONTINUE - Pass the connection request past''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# any other rules that it might also''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# match (where the source or destination''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# zone in those rules is a superset of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the SOURCE or DEST in this policy).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# NONE - Assume that there will never be any''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# packets from this SOURCE''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to this DEST. Shorewall will not set up''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# any infrastructure to handle such''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# packets and you may not have any rules''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# with this SOURCE and DEST in the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/rules file. If such a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# packet _is_ received, the result is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# undefined. NONE may not be used if the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# SOURCE or DEST columns contain the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# firewall zone ($FW) or "all".''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If this column contains ACCEPT, DROP or REJECT and
a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# corresponding common action is defined in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/actions (or
/usr/share/shorewall/actions.std)''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# then that action will be invoked before the policy named
in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# this column is inforced.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LOG LEVEL If supplied, each connection handled under the
default''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# POLICY is logged at that level. If not supplied, no''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# log message is generated. See syslog.conf(5) for a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# description of log levels.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Beginning with Shorewall version 1.3.12, you may''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# also specify ULOG (must be in upper case). This
will''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# log to the ULOG target and sent to a separate log''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# through use of ulogd''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (http://www.gnumonks.org/projects/ulogd).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If you don''\''''t want to log but
need to specify the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# following column, place "-" here.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LIMIT:BURST If passed, specifies the maximum TCP connection
rate''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# and the size of an acceptable burst. If not
specified,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# TCP connections are not limited.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# As shipped, the default policies are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a) All connections from the local network to the internet are
allowed''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# b) All connections from the internet are ignored but logged
at syslog''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# level KERNEL.INFO.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# d) All other connection requests are rejected and logged at
level''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# KERNEL.INFO.''
+ read first rest
+ ''[''
x###############################################################################
= xINCLUDE '']''
+ echo
''###############################################################################
''
+ read first rest
+ ''['' x#SOURCE = xINCLUDE '']''
+ echo ''#SOURCE DEST POLICY LOG LIMIT:BURST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LEVEL''
+ read first rest
+ ''['' xfw = xINCLUDE '']''
+ echo ''fw loc ACCEPT info''
+ read first rest
+ ''['' xfw = xINCLUDE '']''
+ echo ''fw net ACCEPT info''
+ read first rest
+ ''['' xloc = xINCLUDE '']''
+ echo ''loc loc ACCEPT info''
+ read first rest
+ ''['' xloc = xINCLUDE '']''
+ echo ''loc net ACCEPT''
+ read first rest
+ ''['' xnet = xINCLUDE '']''
+ echo ''net all DROP info''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# THE FOLLOWING POLICY MUST BE LAST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' xall = xINCLUDE '']''
+ echo ''all all REJECT info''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- DO NOT REMOVE''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- DO NOT REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=fw
+ eval ''client="fw"''
++ client=fw
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=loc
+ eval ''server="loc"''
++ server=loc
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=ACCEPT
+ eval ''policy="ACCEPT"''
++ policy=ACCEPT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval=info
+ eval ''loglevel="info"''
++ loglevel=info
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ validate_zone fw
+ list_search fw net loc fw
+ local e=fw
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xfw = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xfw = xloc '']''
+ ''['' 2 -gt 1 '']''
+ shift
+ ''['' xfw = xfw '']''
+ return 0
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ chain=fw2loc
+ is_policy_chain fw2loc
+ eval test ''"$fw2loc_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' xinfo = x- '']''
+ ''['' ACCEPT = NONE '']''
+ all_policy_chains= fw2loc
+ eval fw2loc_is_policy=Yes
++ fw2loc_is_policy=Yes
+ eval fw2loc_policy=ACCEPT
++ fw2loc_policy=ACCEPT
+ eval fw2loc_loglevel=info
++ fw2loc_loglevel=info
+ eval fw2loc_synparams++ fw2loc_synparams+ ''['' -n
'''' '']''
+ ''['' -n '''' '']''
+ eval fw2loc_policychain=fw2loc
++ fw2loc_policychain=fw2loc
+ print_policy fw loc
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=fw
+ eval ''client="fw"''
++ client=fw
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=net
+ eval ''server="net"''
++ server=net
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=ACCEPT
+ eval ''policy="ACCEPT"''
++ policy=ACCEPT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval=info
+ eval ''loglevel="info"''
++ loglevel=info
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ validate_zone fw
+ list_search fw net loc fw
+ local e=fw
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xfw = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xfw = xloc '']''
+ ''['' 2 -gt 1 '']''
+ shift
+ ''['' xfw = xfw '']''
+ return 0
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ chain=fw2net
+ is_policy_chain fw2net
+ eval test ''"$fw2net_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' xinfo = x- '']''
+ ''['' ACCEPT = NONE '']''
+ all_policy_chains= fw2loc fw2net
+ eval fw2net_is_policy=Yes
++ fw2net_is_policy=Yes
+ eval fw2net_policy=ACCEPT
++ fw2net_policy=ACCEPT
+ eval fw2net_loglevel=info
++ fw2net_loglevel=info
+ eval fw2net_synparams++ fw2net_synparams+ ''['' -n
'''' '']''
+ ''['' -n '''' '']''
+ eval fw2net_policychain=fw2net
++ fw2net_policychain=fw2net
+ print_policy fw net
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=loc
+ eval ''client="loc"''
++ client=loc
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=loc
+ eval ''server="loc"''
++ server=loc
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=ACCEPT
+ eval ''policy="ACCEPT"''
++ policy=ACCEPT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval=info
+ eval ''loglevel="info"''
++ loglevel=info
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ chain=loc2loc
+ is_policy_chain loc2loc
+ eval test ''"$loc2loc_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' xinfo = x- '']''
+ ''['' ACCEPT = NONE '']''
+ all_policy_chains= fw2loc fw2net loc2loc
+ eval loc2loc_is_policy=Yes
++ loc2loc_is_policy=Yes
+ eval loc2loc_policy=ACCEPT
++ loc2loc_policy=ACCEPT
+ eval loc2loc_loglevel=info
++ loc2loc_loglevel=info
+ eval loc2loc_synparams++ loc2loc_synparams+ ''['' -n
'''' '']''
+ ''['' -n '''' '']''
+ eval loc2loc_policychain=loc2loc
++ loc2loc_policychain=loc2loc
+ print_policy loc loc
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=loc
+ eval ''client="loc"''
++ client=loc
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=net
+ eval ''server="net"''
++ server=net
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=ACCEPT
+ eval ''policy="ACCEPT"''
++ policy=ACCEPT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval+ eval ''loglevel=""''
++ loglevel+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ chain=loc2net
+ is_policy_chain loc2net
+ eval test ''"$loc2net_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' x = x- '']''
+ ''['' ACCEPT = NONE '']''
+ all_policy_chains= fw2loc fw2net loc2loc loc2net
+ eval loc2net_is_policy=Yes
++ loc2net_is_policy=Yes
+ eval loc2net_policy=ACCEPT
++ loc2net_policy=ACCEPT
+ eval loc2net_loglevel++ loc2net_loglevel+ eval loc2net_synparams++
loc2net_synparams+ ''['' -n ''''
'']''
+ ''['' -n '''' '']''
+ eval loc2net_policychain=loc2net
++ loc2net_policychain=loc2net
+ print_policy loc net
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=net
+ eval ''client="net"''
++ client=net
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=all
+ eval ''server="all"''
++ server=all
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=DROP
+ eval ''policy="DROP"''
++ policy=DROP
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval=info
+ eval ''loglevel="info"''
++ loglevel=info
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ serverwild=Yes
+ chain=net2all
+ is_policy_chain net2all
+ eval test ''"$net2all_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' xinfo = x- '']''
+ ''['' DROP = NONE '']''
+ all_policy_chains= fw2loc fw2net loc2loc loc2net net2all
+ eval net2all_is_policy=Yes
++ net2all_is_policy=Yes
+ eval net2all_policy=DROP
++ net2all_policy=DROP
+ eval net2all_loglevel=info
++ net2all_loglevel=info
+ eval net2all_synparams++ net2all_synparams+ ''['' -n
'''' '']''
+ ''['' -n Yes '']''
+ eval ''pc=$net2net_policychain''
++ pc+ ''['' -z '''' '']''
+ eval net2net_policychain=net2all
++ net2net_policychain=net2all
+ eval net2net_policy=DROP
++ net2net_policy=DROP
+ print_policy net net
+ ''['' start ''!='' check '']''
+ eval ''pc=$net2loc_policychain''
++ pc+ ''['' -z '''' '']''
+ eval net2loc_policychain=net2all
++ net2loc_policychain=net2all
+ eval net2loc_policy=DROP
++ net2loc_policy=DROP
+ print_policy net loc
+ ''['' start ''!='' check '']''
+ eval ''pc=$net2fw_policychain''
++ pc+ ''['' -z '''' '']''
+ eval net2fw_policychain=net2all
++ net2fw_policychain=net2all
+ eval net2fw_policy=DROP
++ net2fw_policy=DROP
+ print_policy net fw
+ ''['' start ''!='' check '']''
+ eval ''pc=$net2all_policychain''
++ pc+ ''['' -z '''' '']''
+ eval net2all_policychain=net2all
++ net2all_policychain=net2all
+ eval net2all_policy=DROP
++ net2all_policy=DROP
+ print_policy net all
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=all
+ eval ''client="all"''
++ client=all
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=all
+ eval ''server="all"''
++ server=all
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=REJECT
+ eval ''policy="REJECT"''
++ policy=REJECT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval=info
+ eval ''loglevel="info"''
++ loglevel=info
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ clientwild+ serverwild+ clientwild=Yes
+ serverwild=Yes
+ chain=all2all
+ is_policy_chain all2all
+ eval test ''"$all2all_is_policy"'' = Yes
++ test '''' = Yes
+ ''['' xinfo = x- '']''
+ ''['' REJECT = NONE '']''
+ all_policy_chains= fw2loc fw2net loc2loc loc2net net2all all2all
+ eval all2all_is_policy=Yes
++ all2all_is_policy=Yes
+ eval all2all_policy=REJECT
++ all2all_policy=REJECT
+ eval all2all_loglevel=info
++ all2all_loglevel=info
+ eval all2all_synparams++ all2all_synparams+ ''['' -n Yes
'']''
+ ''['' -n Yes '']''
+ eval ''pc=$net2net_policychain''
++ pc=net2all
+ ''['' -z net2all '']''
+ eval ''pc=$net2loc_policychain''
++ pc=net2all
+ ''['' -z net2all '']''
+ eval ''pc=$net2fw_policychain''
++ pc=net2all
+ ''['' -z net2all '']''
+ eval ''pc=$net2all_policychain''
++ pc=net2all
+ ''['' -z net2all '']''
+ eval ''pc=$loc2net_policychain''
++ pc=loc2net
+ ''['' -z loc2net '']''
+ eval ''pc=$loc2loc_policychain''
++ pc=loc2loc
+ ''['' -z loc2loc '']''
+ eval ''pc=$loc2fw_policychain''
++ pc+ ''['' -z '''' '']''
+ eval loc2fw_policychain=all2all
++ loc2fw_policychain=all2all
+ eval loc2fw_policy=REJECT
++ loc2fw_policy=REJECT
+ print_policy loc fw
+ ''['' start ''!='' check '']''
+ eval ''pc=$loc2all_policychain''
++ pc+ ''['' -z '''' '']''
+ eval loc2all_policychain=all2all
++ loc2all_policychain=all2all
+ eval loc2all_policy=REJECT
++ loc2all_policy=REJECT
+ print_policy loc all
+ ''['' start ''!='' check '']''
+ eval ''pc=$fw2net_policychain''
++ pc=fw2net
+ ''['' -z fw2net '']''
+ eval ''pc=$fw2loc_policychain''
++ pc=fw2loc
+ ''['' -z fw2loc '']''
+ eval ''pc=$fw2fw_policychain''
++ pc+ ''['' -z '''' '']''
+ eval fw2fw_policychain=all2all
++ fw2fw_policychain=all2all
+ eval fw2fw_policy=REJECT
++ fw2fw_policy=REJECT
+ print_policy fw fw
+ ''['' start ''!='' check '']''
+ eval ''pc=$fw2all_policychain''
++ pc+ ''['' -z '''' '']''
+ eval fw2all_policychain=all2all
++ fw2all_policychain=all2all
+ eval fw2all_policy=REJECT
++ fw2all_policy=REJECT
+ print_policy fw all
+ ''['' start ''!='' check '']''
+ eval ''pc=$all2net_policychain''
++ pc+ ''['' -z '''' '']''
+ eval all2net_policychain=all2all
++ all2net_policychain=all2all
+ eval all2net_policy=REJECT
++ all2net_policy=REJECT
+ print_policy all net
+ ''['' start ''!='' check '']''
+ eval ''pc=$all2loc_policychain''
++ pc+ ''['' -z '''' '']''
+ eval all2loc_policychain=all2all
++ all2loc_policychain=all2all
+ eval all2loc_policy=REJECT
++ all2loc_policy=REJECT
+ print_policy all loc
+ ''['' start ''!='' check '']''
+ eval ''pc=$all2fw_policychain''
++ pc+ ''['' -z '''' '']''
+ eval all2fw_policychain=all2all
++ all2fw_policychain=all2all
+ eval all2fw_policy=REJECT
++ all2fw_policy=REJECT
+ print_policy all fw
+ ''['' start ''!='' check '']''
+ eval ''pc=$all2all_policychain''
++ pc+ ''['' -z '''' '']''
+ eval all2all_policychain=all2all
++ all2all_policychain=all2all
+ eval all2all_policy=REJECT
++ all2all_policy=REJECT
+ print_policy all all
+ ''['' start ''!='' check '']''
+ read client server policy loglevel synparams
+ echo ''Determining Hosts in Zones...''
+ determine_interfaces
++ find_interfaces net
++ local zne=net
++ local z
++ local interface
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval ''z=$eth1_zone''
+++ z=net
++ ''['' xnet = xnet '']''
++ echo eth1
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval ''z=$eth0_zone''
+++ z=loc
++ ''['' xloc = xnet '']''
+ interfaces=eth1
++ echo eth1
+ interfaces=eth1
+ eval ''net_interfaces="$interfaces"''
++ net_interfaces=eth1
++ find_interfaces loc
++ local zne=loc
++ local z
++ local interface
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval ''z=$eth1_zone''
+++ z=net
++ ''['' xnet = xloc '']''
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval ''z=$eth0_zone''
+++ z=loc
++ ''['' xloc = xloc '']''
++ echo eth0
+ interfaces=eth0
++ echo eth0
+ interfaces=eth0
+ eval ''loc_interfaces="$interfaces"''
++ loc_interfaces=eth0
+ determine_hosts
++ find_hosts net
++ local hosts interface address addresses
++ read z hosts options
+ hosts++ echo
+ hosts+ eval ''interfaces=$net_interfaces''
++ interfaces=eth1
++ chain_base eth1
++ local c=eth1
++ true
++ echo eth1
++ return
+ eval ''options=$eth1_options''
++ options+ list_search detectnets
+ local e=detectnets
+ ''['' 1 -gt 1 '']''
+ return 1
+ subnets=0.0.0.0/0
+ ''['' -z '''' '']''
+ hosts=eth1:0.0.0.0/0
+ list_search routeback
+ local e=routeback
+ ''['' 1 -gt 1 '']''
+ return 1
+ interfaces+ interface=eth1
+ list_search eth1
+ local e=eth1
+ ''['' 1 -gt 1 '']''
+ return 1
+ ''['' -z '''' '']''
+ interfaces=eth1
+ eval ''net_interfaces=$interfaces''
++ net_interfaces=eth1
+ eval ''net_hosts=$hosts''
++ net_hosts=eth1:0.0.0.0/0
+ ''['' -n eth1:0.0.0.0/0 '']''
+ eval ''display=$net_display''
++ display=Net
+ display_list ''Net Zone:'' eth1:0.0.0.0/0
+ ''['' 2 -gt 1 '']''
+ echo '' Net Zone: eth1:0.0.0.0/0''
++ find_hosts loc
++ local hosts interface address addresses
++ read z hosts options
+ hosts++ echo
+ hosts+ eval ''interfaces=$loc_interfaces''
++ interfaces=eth0
++ chain_base eth0
++ local c=eth0
++ true
++ echo eth0
++ return
+ eval ''options=$eth0_options''
++ options+ list_search detectnets
+ local e=detectnets
+ ''['' 1 -gt 1 '']''
+ return 1
+ subnets=0.0.0.0/0
+ ''['' -z '''' '']''
+ hosts=eth0:0.0.0.0/0
+ list_search routeback
+ local e=routeback
+ ''['' 1 -gt 1 '']''
+ return 1
+ interfaces+ interface=eth0
+ list_search eth0
+ local e=eth0
+ ''['' 1 -gt 1 '']''
+ return 1
+ ''['' -z '''' '']''
+ interfaces=eth0
+ eval ''loc_interfaces=$interfaces''
++ loc_interfaces=eth0
+ eval ''loc_hosts=$hosts''
++ loc_hosts=eth0:0.0.0.0/0
+ ''['' -n eth0:0.0.0.0/0 '']''
+ eval ''display=$loc_display''
++ display=Local
+ display_list ''Local Zone:'' eth0:0.0.0.0/0
+ ''['' 2 -gt 1 '']''
+ echo '' Local Zone: eth0:0.0.0.0/0''
+ run_user_exit init
++ find_file init
++ ''['' -n '''' -a -f /init
'']''
++ ''['' -f /etc/shorewall/init '']''
++ echo /etc/shorewall/init
+ local user_exit=/etc/shorewall/init
+ ''['' -f /etc/shorewall/init '']''
+ echo ''Processing /etc/shorewall/init ...''
+ . /etc/shorewall/init
+ strip_file rules
+ local fname
+ ''['' 1 = 1 '']''
++ find_file rules
++ ''['' -n '''' -a -f /rules
'']''
++ ''['' -f /etc/shorewall/rules '']''
++ echo /etc/shorewall/rules
+ fname=/etc/shorewall/rules
+ ''['' -f /etc/shorewall/rules '']''
+ read_file /etc/shorewall/rules 0
+ local first rest
+ ''['' -f /etc/shorewall/rules '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall version 2.0 - Rules File''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/rules''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Rules in this file govern connection establishment. Requests
and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# responses are automatically allowed using connection
tracking. For any''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# particular (source,dest) pair of zones, the rules are
evaluated in the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# order in which they appear in this file and the first match
is the one''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# that determines the disposition of the request.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# In most places where an IP address or subnet is allowed,
you''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# can preceed the address/subnet with "!" (e.g.,
!192.168.1.0/24) to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# indicate that the rule matches all addresses except the
address/subnet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# given. Notice that no white space is permitted between
"!" and the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address/subnet.''
+ read first rest
+ ''[''
x#------------------------------------------------------------------------------
= xINCLUDE '']''
+ echo
''#------------------------------------------------------------------------------
''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# WARNING: If you masquerade or use SNAT from a local system to
the internet,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# you cannot use an ACCEPT rule to allow traffic from the
internet to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# that system. You *must* use a DNAT rule instead.''
+ read first rest
+ ''[''
x#-------------------------------------------------------------------------------#
= xINCLUDE '']''
+ echo
''#-------------------------------------------------------------------------------#
''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
CONTINUE,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LOG, QUEUE or an <action>.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACCEPT -- allow the connection request''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DROP -- ignore the request''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REJECT -- disallow the request and return an''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# icmp-unreachable or an RST packet.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT -- Forward the request to another''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# system (and optionally another''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# port).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT- -- Advanced users only.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Like DNAT but only generates the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT iptables rule and not''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the companion ACCEPT rule.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT -- Redirect the request to a local''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# port on the firewall.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT-''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# -- Advanced users only.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Like REDIRET but only generates the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT iptables rule and not''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the companion ACCEPT rule.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# CONTINUE -- (For experts only). Do not process''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# any of the following rules for this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (source zone,destination zone). If''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The source and/or destination IP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address falls into a zone defined''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# later in /etc/shorewall/zones, this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# connection request will be passed''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to the rules defined for that''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (those) zone(s).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LOG -- Simply log the packet and continue.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# QUEUE -- Queue the packet to a user-space''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# application such as ftwall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (http://p2pwall.sf.net).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <action> -- The name of an action defined in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/actions or in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /usr/share/shorewall/actions.std.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The ACTION may optionally be followed''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# by ":" and a syslog log level (e.g, REJECT:info
or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT:debug). This causes the packet to be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# logged at the specified level.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# You may also specify ULOG (must be in upper case) as
a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# log level.This will log to the ULOG target for
routing''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to a separate log through use of ulogd''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (http://www.gnumonks.org/projects/ulogd).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# SOURCE Source hosts to which the rule applies. May be a
zone''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# defined in /etc/shorewall/zones, $FW to indicate
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# firewall itself, or "all" If the ACTION is DNAT
or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT, sub-zones of the specified zone may be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# excluded from the rule by following the zone name
with''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "!''\'''' and a comma-separated
list of sub-zone names.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Except when "all" is specified, clients may be
further''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# restricted to a list of subnets and/or hosts by''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# appending ":" and a comma-separated list of
subnets''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# and/or hosts. Hosts may be specified by IP or MAC''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address; mac addresses must begin with "~" and must
use''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "-" as a separator.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Internet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# loc:192.168.1.1,192.168.1.2''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Hosts 192.168.1.1 and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 192.168.1.2 in the local zone.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# loc:~00-A0-C9-15-39-78 Host in the local zone with''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# MAC address 00:A0:C9:15:39:78.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Alternatively, clients may be specified by
interface''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# by appending ":" to the zone name followed by
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface name. For example, loc:eth1 specifies a''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# client that communicates with the firewall system''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# through eth1. This may be optionally followed by''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# another colon (":") and an IP/MAC/subnet
address''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# as described above (e.g., loc:eth1:192.168.1.5).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DEST Location of Server. May be a zone defined in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/zones, $FW to indicate the firewall''
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# itself or "all"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Except when "all" is specified, the server may
be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# further restricted to a particular subnet, host or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface by appending ":" and the subnet, host
or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface. See above.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Restrictions:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 1. MAC addresses are not allowed.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 2. In DNAT rules, only IP addresses are''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# allowed; no FQDNs or subnet addresses''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# are permitted.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 3. You may not specify both an interface and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# an address.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Unlike in the SOURCE column, you may specify a range
of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# up to 256 IP addresses using the syntax''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <first ip>-<last ip>. When the ACTION is DNAT or
DNAT-,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the connections will be assigned to addresses in
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# range in a round-robin fashion.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The port that the server is listening on may be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# included and separated from the
server''\''''s IP address by''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ":". If omitted, the firewall will not modifiy
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# destination port. A destination port may only be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# included if the ACTION is DNAT or REDIRECT.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: loc:192.168.1.3:3128 specifies a local''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# server at IP address 192.168.1.3 and listening on
port''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 3128. The port number MUST be specified as an
integer''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# and not as a name from /etc/services.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# if the ACTION is REDIRECT, this column needs only
to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# contain the port number on the firewall that the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# request should be redirected to.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# PROTO Protocol - Must be "tcp", "udp",
"icmp", a number, or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "all".''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DEST PORT(S) Destination Ports. A comma-separated list of
Port''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# names (from /etc/services), port numbers or port''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ranges; if the protocol is "icmp", this column
is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interpreted as the destination icmp-type(s).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# A port range is expressed as <low port>:<high
port>.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This column is ignored if PROTOCOL = all but must
be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# entered if any of the following ields are supplied.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# In that case, it is suggested that this field
contain''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "-"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If your kernel contains multi-port match support,
then''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# only a single Netfilter rule will be generated if
in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# this list and the CLIENT PORT(S) list below:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 1. There are 15 or less ports listed.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 2. No port ranges are included.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Otherwise, a separate rule will be generated for
each''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# port.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# CLIENT PORT(S) (Optional) Port(s) used by the client. If
omitted,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# any source port is acceptable. Specified as a
comma-''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# separated list of port names, port numbers or port''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ranges.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If you don''\''''t want to restrict
client ports but need to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# specify an ADDRESS in the next column, then place
"-"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in this column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If your kernel contains multi-port match support,
then''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# only a single Netfilter rule will be generated if
in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# this list and the DEST PORT(S) list above:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 1. There are 15 or less ports listed.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 2. No port ranges are included.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Otherwise, a separate rule will be generated for
each''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# port.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-]
or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT[-]) If included and different from the IP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address given in the SERVER column, this is an
address''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# on some interface on the firewall and connections
to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# that address will be forwarded to the IP and port''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# specified in the DEST column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# A comma-separated list of addresses may also be
used.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This is usually most useful with the REDIRECT
target''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# where you want to redirect traffic destined for''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# particular set of hosts.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Finally, if the list of addresses begins with "!"
then''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the rule will be followed only if the original''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# destination address in the connection request does
not''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# match any of the addresses listed.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The address (list) may optionally be followed by''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a colon (":") and a second IP address. This
causes''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall to use the second IP address as the
source''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address in forwarded packets. See the Shorewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# documentation for restrictions concerning this
feature.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If no source IP address is given, the original
source''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# address is not altered.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# RATE LIMIT You may rate-limit the rule by placing a value
in''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# this colume:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <rate>/<interval>[:<burst>]''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# where <rate> is the number of connections per''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <interval> ("sec" or "min") and
<burst> is the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# largest burst permitted. If no <burst> is
given,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a value of 5 is assumed. There may be no''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# no whitespace embedded in the specification.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: 10/sec:20''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# USER/GROUP This column may only be non-empty if the SOURCE
is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the firewall itself.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The column may contain:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# [!][<user name or number>][:<group name or
number>]''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# When this column is non-empty, the rule applies
only''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# if the program generating the output is running
under''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the effective <user> and/or <group> specified (or
is''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# NOT running under that id if "!" is
given).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Examples:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# joe #program must be run by joe''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# :kids #program must be run by a member of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #the
''\''''kids''\''''
group''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# !:kids #program must not be run by a member''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #of the
''\''''kids''\''''
group''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: Accept SMTP requests from the DMZ to the
internet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACCEPT dmz net tcp smtp''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: Forward all ssh and http connection requests from
the internet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to local system 192.168.1.3''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT net loc:192.168.1.3 tcp ssh,http''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: Forward all http connection requests from the
internet''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to local system 192.168.1.3 with a limit of 3 per second
and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a maximum burst of 10''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT<3/sec:10> net loc:192.168.1.3 tcp http''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: Redirect all locally-originating www connection
requests to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# port 3128 on the firewall (Squid running on the
firewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# system) except when the destination address is
192.168.2.2''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# REDIRECT loc 3128 tcp www - !192.168.2.2''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: All http requests from the internet to
address''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 130.252.100.69 are to be forwarded to 192.168.1.3''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DNAT net loc:192.168.1.3 tcp 80 -
130.252.100.69''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: You want to accept SSH connections to your firewall
only''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# from internet IP addresses 130.252.100.69 and
130.252.100.70''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE
ORIGINAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# # PORT PORT(S)
DEST''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACCEPT net:130.252.100.69,130.252.100.70 fw # tcp
22''
+ read first rest
+ ''[''
x####################################################################################################
= xINCLUDE '']''
+ echo
''####################################################################################################
''
+ read first rest
+ ''['' x#ACTION = xINCLUDE '']''
+ echo ''#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
RATE USER/''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# PORT PORT(S) DEST LIMIT GROUP''
+ read first rest
+ ''['' x#FIREWALL = xINCLUDE '']''
+ echo ''#FIREWALL ''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:129.246.226.135 tcp domain,ssh''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:129.246.226.135 udp domain''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT loc:129.246.226.135 net tcp domain''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT loc:129.246.226.135 net udp domain''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#MAIL = xINCLUDE '']''
+ echo ''#MAIL ''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:192.168.0.136 tcp
http,smtp,pop3,imap,domain''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#ASSETS = xINCLUDE '']''
+ echo ''#ASSETS ''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:192.168.0.98 tcp
www,http,https,ftp,smtp''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT fw loc:192.168.0.98 tcp http,https,ftp,smtp''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:192.168.0.98 tcp
389,522,1503,1720,1731''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:192.168.0.12 tcp www,http,https''
+ read first rest
+ ''['' xACCEPT = xINCLUDE '']''
+ echo ''ACCEPT net loc:192.168.0.14 tcp www,http,https''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#GENERAL = xINCLUDE '']''
+ echo ''#GENERAL ''
+ read first rest
+ ''['' x#DNAT = xINCLUDE '']''
+ echo ''#DNAT loc loc:192.168.0.98 tcp www,http,https -''
+ read first rest
+ ''['' x#129.246.226.135 = xINCLUDE '']''
+ echo ''#129.246.226.135 ''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE''
+ read first rest
+ strip_file proxyarp
+ local fname
+ ''['' 1 = 1 '']''
++ find_file proxyarp
++ ''['' -n '''' -a -f /proxyarp
'']''
++ ''['' -f /etc/shorewall/proxyarp '']''
++ echo /etc/shorewall/proxyarp
+ fname=/etc/shorewall/proxyarp
+ ''['' -f /etc/shorewall/proxyarp '']''
+ read_file /etc/shorewall/proxyarp 0
+ local first rest
+ ''['' -f /etc/shorewall/proxyarp '']''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 -- Proxy ARP''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/proxyarp''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This file is used to define Proxy ARP.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns must be separated by white space and are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ADDRESS IP Address''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERFACE Local interface where system is connected. If
the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# local interface is obvious from the subnetting,''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# you may enter "-" in this column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# EXTERNAL External Interface to be used to access this
system''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# HAVEROUTE If there is already a route from the firewall
to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the host whose address is given, enter "Yes" or
"yes"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in this column. Otherwise, entry "no",
"No" or leave''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the column empty and Shorewall will add the route
for''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# you. If Shorewall adds the route,the route will be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# persistent if the PERSISTENT column contains Yes;''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# otherwise, "shorewall stop" or "shorewall
clear" will''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# delete the route.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# PERSISTENT If HAVEROUTE is No or "no", then the
value of this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# column determines if the route added by Shorewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# persists after a "shorewall stop" or a
"shorewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# clear". If this column contains "Yes" or
"yes" then''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the route persists; If the column is empty or
contains''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "No"or "no" then the route is deleted at
"shorewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# stop" or "shorewall clear".''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Example: Host with IP 155.186.235.6 is connected to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# interface eth1 and we want hosts attached via eth0''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to be able to access it using that address.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# #ADDRESS INTERFACE EXTERNAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# 155.186.235.6 eth1 eth0''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x#ADDRESS = xINCLUDE '']''
+ echo ''#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ strip_file maclist
+ local fname
+ ''['' 1 = 1 '']''
++ find_file maclist
++ ''['' -n '''' -a -f /maclist
'']''
++ ''['' -f /etc/shorewall/maclist '']''
++ echo /etc/shorewall/maclist
+ fname=/etc/shorewall/maclist
+ ''['' -f /etc/shorewall/maclist '']''
+ read_file /etc/shorewall/maclist 0
+ local first rest
+ ''['' -f /etc/shorewall/maclist '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 - MAC list file''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/maclist''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERFACE Network interface to a host''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# MAC MAC address of the host -- you do not need to
use''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the Shorewall format for MAC addresses here''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# IP ADDRESSES Optional -- if specified, both the MAC and IP
address''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# must match. This column can contain a
comma-separated''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# list of host and/or subnet addresses.''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x#INTERFACE = xINCLUDE '']''
+ echo ''#INTERFACE MAC IP ADDRESSES (Optional)''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ strip_file nat
+ local fname
+ ''['' 1 = 1 '']''
++ find_file nat
++ ''['' -n '''' -a -f /nat
'']''
++ ''['' -f /etc/shorewall/nat '']''
++ echo /etc/shorewall/nat
+ fname=/etc/shorewall/nat
+ ''['' -f /etc/shorewall/nat '']''
+ read_file /etc/shorewall/nat 0
+ local first rest
+ ''['' -f /etc/shorewall/nat '']''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall 2.0 -- Network Address Translation Table''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/nat''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# This file is used to define one-to-one Network Address
Translation''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# (NAT).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# WARNING: If all you want to do is simple port forwarding, do
NOT use this''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in
most''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# cases, Proxy ARP is a better solution that one-to-one
NAT.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns must be separated by white space and are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# EXTERNAL External IP Address - this should NOT be the
primary''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# IP address of the interface named in the next''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# column and must not be a DNS Name.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERFACE Interface that you want to EXTERNAL address to
appear''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you
may''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# follow the interface name with ":" and a digit
to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# indicate that you want Shorewall to add the alias''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# with this name (e.g., "eth0:0"). That allows you
to''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# see the alias with ifconfig. THAT IS THE ONLY THING''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERNAL Internal Address (must not be a DNS Name).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ALL INTERFACES If Yes or yes, NAT will be effective from all
hosts.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# If No or no (or left empty) then NAT will be
effective''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# only through the interface named in the INTERFACE''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# column''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# LOCAL If Yes or yes and the ALL INTERFACES column
contains''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Yes or yes, NAT will be effective from the firewall''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# system''
+ read first rest
+ ''[''
x##############################################################################
= xINCLUDE '']''
+ echo
''##############################################################################
''
+ read first rest
+ ''['' x#EXTERNAL = xINCLUDE '']''
+ echo ''#EXTERNAL INTERFACE INTERNAL ALL LOCAL''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# INTERFACES''
+ read first rest
+ ''['' x129.246.226.136 = xINCLUDE '']''
+ echo ''129.246.226.136 eth1:136 192.168.0.136 yes yes''
+ read first rest
+ ''['' x129.246.226.98 = xINCLUDE '']''
+ echo ''129.246.226.98 eth1:98 192.168.0.98 yes yes''
+ read first rest
+ ''['' x129.246.226.12 = xINCLUDE '']''
+ echo ''129.246.226.12 eth1:12 192.168.0.12 yes yes''
+ read first rest
+ ''['' x129.246.226.14 = xINCLUDE '']''
+ echo ''129.246.226.14 eth1:14 192.168.0.14 yes yes''
+ read first rest
+ ''['' x = xINCLUDE '']''
+ echo '' ''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ terminator=fatal_error
+ deletechain shorewall
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ ''['' -n Yes '']''
+ delete_nat
+ run_iptables -t nat -F
+ iptables -t nat -F
+ run_iptables -t nat -X
+ iptables -t nat -X
+ ''['' -f /var/lib/shorewall/nat '']''
+ read external interface
+ rm -f ''{/var/lib/shorewall}/nat''
+ ''['' -d /var/lib/shorewall '']''
+ touch /var/lib/shorewall/nat
+ delete_proxy_arp
+ ''['' -f /var/lib/shorewall/proxyarp '']''
+ read address interface external haveroute
+ rm -f /var/lib/shorewall/proxyarp
+ ''['' -d /var/lib/shorewall '']''
+ touch /var/lib/shorewall/proxyarp
++ ls /proc/sys/net/ipv4/conf/all/proxy_arp
/proc/sys/net/ipv4/conf/default/proxy_arp /proc/sys/net/ipv4/conf/eth0/proxy_arp
/proc/sys/net/ipv4/conf/eth1/proxy_arp /proc/sys/net/ipv4/conf/lo/proxy_arp
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ ''['' -n Yes '']''
+ run_iptables -t mangle -F
+ iptables -t mangle -F
+ run_iptables -t mangle -X
+ iptables -t mangle -X
+ ''['' -n '''' '']''
+ echo ''Deleting user chains...''
+ setpolicy INPUT DROP
+ run_iptables -P INPUT DROP
+ iptables -P INPUT DROP
+ setpolicy OUTPUT DROP
+ run_iptables -P OUTPUT DROP
+ iptables -P OUTPUT DROP
+ setpolicy FORWARD DROP
+ run_iptables -P FORWARD DROP
+ iptables -P FORWARD DROP
+ deleteallchains
+ run_iptables -F
+ iptables -F
+ run_iptables -X
+ iptables -X
+ setcontinue FORWARD
+ run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue INPUT
+ run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue OUTPUT
+ run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ ''['' -n '''' '']''
+ run_iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ run_iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
++ find_file accounting
++ ''['' -n '''' -a -f /accounting
'']''
++ ''['' -f /etc/shorewall/accounting '']''
++ echo /etc/shorewall/accounting
+ accounting_file=/etc/shorewall/accounting
+ ''['' -f /etc/shorewall/accounting '']''
+ setup_accounting /etc/shorewall/accounting
+ echo ''Setting up Accounting...''
+ strip_file accounting /etc/shorewall/accounting
+ local fname
+ ''['' 2 = 1 '']''
+ fname=/etc/shorewall/accounting
+ ''['' -f /etc/shorewall/accounting '']''
+ read_file /etc/shorewall/accounting 0
+ local first rest
+ ''['' -f /etc/shorewall/accounting '']''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Shorewall version 2.0 - Accounting File''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# /etc/shorewall/accounting''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Accounting rules exist simply to count packets and bytes in
categories''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# that you define in this file. You may display these rules and
their''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# packet and byte counters using the "shorewall show
accounting" command.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Please see http://shorewall.net/Accounting.html for examples
and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# additional information about how to use this file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Columns are:''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ACTION - What to do when a match is found.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# COUNT - Simply count the match and continue''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# with the next rule''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DONE - Count the match and
don''\''''t attempt''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# to match any other accounting rules''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# in the chain specified in the CHAIN''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# <chain>[:COUNT]''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# - Where <chain> is the name of''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a chain. Shorewall will create''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# the chain automatically if it''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# doesn''\''''t already exist.
Causes''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# a jump to that chain. If :COUNT''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# is including, a counting rule''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# matching this record will be''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# added to <chain>''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# CHAIN - The name of a chain. If specified as
"-" the''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''#
''\''''accounting''\'''' chain
is assumed. This is the chain''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# where the accounting rule is added. The chain will''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# be created if it doesn''\''''t
already exist.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# SOURCE - Packet Source''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# The name of an interface, an address (host or net)
or''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# an interface name followed by ":"''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# and a host or net address.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DESTINATION - Packet Destination''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Format the same as the SOURCE column.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# PROTOCOL A protocol name (from /etc/protocols), a
protocol''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# number.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# DEST PORT Destination Port number''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Service name from /etc/services or port number. May''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# only be specified if the protocol is TCP or UDP (6''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# or 17).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# SOURCE PORT Source Port number''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Service name from /etc/services or port number. May''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# only be specified if the protocol is TCP or UDP (6''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# or 17).''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# In all of the above columns except ACTION and CHAIN, the
values "-",''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# "any" and "all" may be used as
wildcards''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# Please see http://shorewall.net/Accounting.html for examples
and''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# additional information about how to use this file.''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x#ACTION = xINCLUDE '']''
+ echo ''#ACTION CHAIN SOURCE DESTINATION PROTO DEST
SOURCE''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# PORT PORT''
+ read first rest
+ ''['' x# = xINCLUDE '']''
+ echo ''# ''
+ read first rest
+ ''['' x#LAST = xINCLUDE '']''
+ echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE''
+ read first rest
+ cut -d# -f1
+ grep -v ''^[[:space:]]*$''
+ read action chain source dest proto port sport
+ havechain accounting
++ chain_base accounting
++ local c=accounting
++ true
++ echo accounting
++ return
+ local c=accounting
+ eval test ''"$exists_accounting"'' = Yes
++ test '''' = Yes
+ run_iptables -A INPUT -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -A INPUT -p ''!'' icmp -m state --state INVALID
-j DROP
+ iptables -A INPUT -p ''!'' icmp -m state --state INVALID -j
DROP
+ run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -A OUTPUT -p ''!'' icmp -m state --state INVALID
-j DROP
+ iptables -A OUTPUT -p ''!'' icmp -m state --state INVALID -j
DROP
+ run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ run_iptables -A FORWARD -p ''!'' icmp -m state --state INVALID
-j DROP
+ iptables -A FORWARD -p ''!'' icmp -m state --state INVALID -j
DROP
+ ''['' -n '''' '']''
+ ''['' -z Yes '']''
+ createchain icmpdef no
++ chain_base icmpdef
++ local c=icmpdef
++ true
++ echo icmpdef
++ return
+ local c=icmpdef
+ run_iptables -N icmpdef
+ iptables -N icmpdef
+ ''['' no = yes '']''
+ eval exists_icmpdef=Yes
++ exists_icmpdef=Yes
+ createchain reject no
++ chain_base reject
++ local c=reject
++ true
++ echo reject
++ return
+ local c=reject
+ run_iptables -N reject
+ iptables -N reject
+ ''['' no = yes '']''
+ eval exists_reject=Yes
++ exists_reject=Yes
+ createchain dynamic no
++ chain_base dynamic
++ local c=dynamic
++ true
++ echo dynamic
++ return
+ local c=dynamic
+ run_iptables -N dynamic
+ iptables -N dynamic
+ ''['' no = yes '']''
+ eval exists_dynamic=Yes
++ exists_dynamic=Yes
+ createchain smurfs no
++ chain_base smurfs
++ local c=smurfs
++ true
++ echo smurfs
++ return
+ local c=smurfs
+ run_iptables -N smurfs
+ iptables -N smurfs
+ ''['' no = yes '']''
+ eval exists_smurfs=Yes
++ exists_smurfs=Yes
+ ''['' -f /var/lib/shorewall/save '']''
+ ''['' -n Yes '']''
+ state=-m state --state NEW
+ echo ''Creating Interface Chains...''
++ forward_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_fwd
+ createchain eth1_fwd no
++ chain_base eth1_fwd
++ local c=eth1_fwd
++ true
++ echo eth1_fwd
++ return
+ local c=eth1_fwd
+ run_iptables -N eth1_fwd
+ iptables -N eth1_fwd
+ ''['' no = yes '']''
+ eval exists_eth1_fwd=Yes
++ exists_eth1_fwd=Yes
++ forward_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_fwd
+ run_iptables -A eth1_fwd -m state --state NEW -j dynamic
+ iptables -A eth1_fwd -m state --state NEW -j dynamic
++ input_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_in
+ createchain eth1_in no
++ chain_base eth1_in
++ local c=eth1_in
++ true
++ echo eth1_in
++ return
+ local c=eth1_in
+ run_iptables -N eth1_in
+ iptables -N eth1_in
+ ''['' no = yes '']''
+ eval exists_eth1_in=Yes
++ exists_eth1_in=Yes
++ input_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_in
+ run_iptables -A eth1_in -m state --state NEW -j dynamic
+ iptables -A eth1_in -m state --state NEW -j dynamic
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_fwd
+ createchain eth0_fwd no
++ chain_base eth0_fwd
++ local c=eth0_fwd
++ true
++ echo eth0_fwd
++ return
+ local c=eth0_fwd
+ run_iptables -N eth0_fwd
+ iptables -N eth0_fwd
+ ''['' no = yes '']''
+ eval exists_eth0_fwd=Yes
++ exists_eth0_fwd=Yes
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_fwd
+ run_iptables -A eth0_fwd -m state --state NEW -j dynamic
+ iptables -A eth0_fwd -m state --state NEW -j dynamic
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_in
+ createchain eth0_in no
++ chain_base eth0_in
++ local c=eth0_in
++ true
++ echo eth0_in
++ return
+ local c=eth0_in
+ run_iptables -N eth0_in
+ iptables -N eth0_in
+ ''['' no = yes '']''
+ eval exists_eth0_in=Yes
++ exists_eth0_in=Yes
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_in
+ run_iptables -A eth0_in -m state --state NEW -j dynamic
+ iptables -A eth0_in -m state --state NEW -j dynamic
+ echo ''Configuring Proxy ARP''
+ setup_proxy_arp
+ read address interface external haveroute persistent
++ find_interfaces_by_option proxyarp
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval ''options=$eth1_options''
+++ options++ list_search proxyarp
++ local e=proxyarp
++ ''['' 1 -gt 1 '']''
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval ''options=$eth0_options''
+++ options++ list_search proxyarp
++ local e=proxyarp
++ ''['' 1 -gt 1 '']''
++ return 1
+ interfaces+ echo ''Setting up NAT...''
+ setup_nat
+ local allints
+ read external interface internal allints localnat
+ expandv external interface internal allints localnat
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$external''
++ varval=129.246.226.136
+ eval ''external="129.246.226.136"''
++ external=129.246.226.136
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$interface''
++ varval=eth1:136
+ eval ''interface="eth1:136"''
++ interface=eth1:136
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$internal''
++ varval=192.168.0.136
+ eval ''internal="192.168.0.136"''
++ internal=192.168.0.136
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$allints''
++ varval=yes
+ eval ''allints="yes"''
++ allints=yes
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$localnat''
++ varval=yes
+ eval ''localnat="yes"''
++ localnat=yes
+ shift
+ ''['' 0 -gt 0 '']''
+ iface=eth1
+ ''['' -n Yes '']''
+ qt ip addr del 129.246.226.136 dev eth1
+ ip addr del 129.246.226.136 dev eth1
+ ''['' -z yes -o yes = Yes -o yes = yes '']''
+ addnatrule nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ ensurenatchain nat_in
+ havenatchain nat_in
+ eval test ''"$exists_nat_nat_in"'' = Yes
++ test '''' = Yes
+ createnatchain nat_in
+ run_iptables -t nat -N nat_in
+ iptables -t nat -N nat_in
+ eval exists_nat_nat_in=Yes
++ exists_nat_nat_in=Yes
+ run_iptables2 -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
+ ''['' ''x-t nat -A nat_in -d 129.246.226.136 -j DNAT
--to-destination 192.168.0.136'' = ''x-t nat -A nat_in -d
129.246.226.136 -j DNAT --to-destination 192.168.0.136''
'']''
+ run_iptables -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
+ iptables -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
+ return
+ addnatrule nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136
+ ensurenatchain nat_out
+ havenatchain nat_out
+ eval test ''"$exists_nat_nat_out"'' = Yes
++ test '''' = Yes
+ createnatchain nat_out
+ run_iptables -t nat -N nat_out
+ iptables -t nat -N nat_out
+ eval exists_nat_nat_out=Yes
++ exists_nat_nat_out=Yes
+ run_iptables2 -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source
129.246.226.136
+ ''['' ''x-t nat -A nat_out -s 192.168.0.136 -j SNAT
--to-source 129.246.226.136'' = ''x-t nat -A nat_out -s
192.168.0.136 -j SNAT --to-source 129.246.226.136''
'']''
+ run_iptables -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source
129.246.226.136
+ iptables -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source
129.246.226.136
+ return
+ ''['' yes = Yes -o yes = yes '']''
+ run_iptables2 -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
+ ''['' ''x-t nat -A OUTPUT -d 129.246.226.136 -j DNAT
--to-destination 192.168.0.136'' = ''x-t nat -A OUTPUT -d
129.246.226.136 -j DNAT --to-destination 192.168.0.136''
'']''
+ run_iptables -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
+ iptables -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination
192.168.0.136
iptables: Invalid argument
+ ''['' -z '''' '']''
+ stop_firewall
+ set +x