Duncan Sands
2003-Sep-10 03:06 UTC
[Shorewall-users] Masquerading failure due to 2.6test kernel strictness
In the iptables (v1.2.8) man page it states:

    MASQUERADE
        This target is only valid in the nat table, in the POSTROUTING chain.

However shorewall does the following:

    + iptables -t nat -N ppp0_masq
    + eval ppp0_masq_nat_exists=Yes
    ++ ppp0_masq_nat_exists=Yes
    + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
    + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE

Note the -j MASQUERADE with the ppp0_masq chain. This is invalid according to the above man page snippet. With 2.4 kernels this works fine. However with 2.6test kernels it no longer works:

    iptables: Invalid argument

Testing shows that the "invalid argument" is -j MASQUERADE. On the other hand,

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE

works fine, showing that the problem is indeed due to using MASQUERADE with a chain that is not POSTROUTING. So it looks as if the 2.6 kernel is stricter than 2.4. Any ideas for how to deal with this?

Thanks,

Duncan.
Shorewall version 1.4.6a

ip addr show:

    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 9178 qdisc pfifo_fast qlen 3
        link/ppp
        inet 81.49.162.240 peer 193.253.160.3/32 scope global ppp0

ip route show:

    193.253.160.3 dev ppp0  proto kernel  scope link  src 81.49.162.240
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
    127.0.0.0/8 via 127.0.0.1 dev lo  scope link
    default via 193.253.160.3 dev ppp0

shorewall debug start:

    <snipped>
    + setup_one
    + local using
    + destnet=0.0.0.0/0
    + interface=ppp0
    + list_search ppp0 ppp0 eth0 vmnet1 vmnet8
    + local e=ppp0
    + '[' 5 -gt 1 ']'
    + shift
    + '[' xppp0 = xppp0 ']'
    + return 0
    + '[' eth0 = eth0 ']'
    + nomasq=
    ++ masq_chain ppp0
    +++ chain_base ppp0
    +++ local c=ppp0
    +++ echo ppp0
    ++ echo ppp0_masq
    + chain=ppp0_masq
    + iface=
    + source=eth0
    ++ get_routed_subnets eth0
    ++ local address
    ++ local rest
    ++ ip route show dev eth0
    ++ read address rest
    ++ '[' x192.168.0.0/24 = xdefault ']'
    ++ '[' 192.168.0.0/24 = 192.168.0.0 ']'
    ++ echo 192.168.0.0/24
    ++ read address rest
    + subnets=192.168.0.0/24
    + '[' -z 192.168.0.0/24 ']'
    + subnet=192.168.0.0/24
    + '[' -n '' -a -n '' ']'
    + destination=0.0.0.0/0
    + '[' -n '' ']'
    + destnet=-d 0.0.0.0/0
    + '[' -n 192.168.0.0/24 ']'
    + '[' -n '' ']'
    + addnatrule ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    + ensurenatchain ppp0_masq
    + havenatchain ppp0_masq
    + eval test '"$ppp0_masq_nat_exists"' = Yes
    ++ test '' = Yes
    + createnatchain ppp0_masq
    + run_iptables -t nat -N ppp0_masq
    + iptables -t nat -N ppp0_masq
    + eval ppp0_masq_nat_exists=Yes
    ++ ppp0_masq_nat_exists=Yes
    + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
    + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    iptables: Invalid argument
    + '[' -z '' ']'
    + stop_firewall
    + set +x
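As an added example (not from the post, and not Shorewall's own code), a small Python lint that pulls the iptables invocations out of a "shorewall debug start" trace and flags any MASQUERADE rule that is not being appended to nat/POSTROUTING, the placement the man page quoted above requires and the one the 2.6test kernel enforces. The trace lines in SAMPLE_TRACE are constructed from the ones shown in the post; a practitioner could run the same check over a full trace before loading a generated ruleset on a stricter kernel.

```python
"""Added example: lint the iptables invocations in a 'shorewall debug start'
trace for MASQUERADE rules that sit outside nat/POSTROUTING (the placement
the iptables man page requires and that 2.6 kernels reject with EINVAL)."""
import re
import shlex

# Constructed sample modelled on the trace lines quoted in the post: the
# generated ppp0_masq chain, the failing append, and the POSTROUTING variant
# that the poster reports as working.
SAMPLE_TRACE = """\
+ iptables -t nat -N ppp0_masq
+ eval ppp0_masq_nat_exists=Yes
++ ppp0_masq_nat_exists=Yes
+ run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
"""

# 'set -x' prefixes each executed command with one '+' per nesting level.
TRACE_PREFIX = re.compile(r"^\++\s+")

# Targets whose placement the kernel checks when the rule is inserted.
# Only MASQUERADE is listed, as that is the target discussed in the post:
# valid in the nat table and only in the POSTROUTING chain.
PLACEMENT = {
    "MASQUERADE": ("nat", frozenset({"POSTROUTING"})),
}


def parse_iptables(cmdline):
    """Extract (table, chain, target) from an 'iptables -A/-I ... -j ...'
    command line. Returns None for anything that is not an append/insert
    of a rule with a target, e.g. 'iptables -t nat -N ppp0_masq'."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a truncated trace line
        return None
    if not argv or argv[0] != "iptables":
        return None
    table, chain, target, op = "filter", None, None, None
    i = 1
    while i < len(argv):
        opt = argv[i]
        has_arg = i + 1 < len(argv)
        if opt in ("-t", "--table") and has_arg:
            table = argv[i + 1]
            i += 2
        elif opt in ("-A", "--append", "-I", "--insert") and has_arg:
            op, chain = opt, argv[i + 1]
            i += 2
        elif opt in ("-j", "--jump") and has_arg:
            target = argv[i + 1]
            i += 2
        else:
            i += 1
    if op is None or target is None:
        return None
    return {"table": table, "chain": chain, "target": target}


def lint_trace(trace):
    """Return [(line_number, chain, target)] for every traced iptables rule
    whose target is restricted to a chain other than the one it is being
    added to. An empty list means nothing in the trace is misplaced."""
    findings = []
    for lineno, raw in enumerate(trace.splitlines(), 1):
        m = TRACE_PREFIX.match(raw)
        if not m:               # output lines such as 'iptables: Invalid argument'
            continue
        rule = parse_iptables(raw[m.end():])
        if rule is None:
            continue
        spec = PLACEMENT.get(rule["target"])
        if spec is None:
            continue
        table, chains = spec
        if rule["table"] != table or rule["chain"] not in chains:
            findings.append((lineno, rule["chain"], rule["target"]))
    return findings


if __name__ == "__main__":
    for lineno, chain, target in lint_trace(SAMPLE_TRACE):
        print(f"line {lineno}: -j {target} in chain {chain}; "
              f"a 2.6 kernel rejects this, it must be in nat/POSTROUTING")
```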
Duncan Sands
2003-Sep-14 17:35 UTC
[Shorewall-users] Masquerading failure due to 2.6test kernel strictness
'']'' + validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 ++ ip link show eth0 ++ grep LOOPBACK + ''['' -n '''' '']'' + list_search eth0 ppp0 + local e=eth0 + ''['' 2 -gt 1 '']'' + shift + ''['' xeth0 = xppp0 '']'' + ''['' 1 -gt 1 '']'' + return 1 + all_interfaces= ppp0 eth0 ++ separate_list ++ local list ++ local part ++ local newlist ++ list++ part++ newlist++ ''['' x ''!='' x '']'' ++ echo '''' + options++ chain_base eth0 ++ local c=eth0 ++ echo eth0 + interface=eth0 + eval eth0_broadcast=detect ++ eth0_broadcast=detect + eval eth0_zone=loc ++ eth0_zone=loc + eval ''eth0_options=""'' ++ eth0_options+ ''['' -z '' ppp0 eth0'' '']'' + read z interface subnet options + expandv z interface subnet options + local varval + ''['' 4 -gt 0 '']'' + eval ''varval=$z'' ++ varval=loc + eval ''z="loc"'' ++ z=loc + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$interface'' ++ varval=vmnet1 + eval ''interface="vmnet1"'' ++ interface=vmnet1 + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$subnet'' ++ varval=detect + eval ''subnet="detect"'' ++ subnet=detect + shift + ''['' 1 -gt 0 '']'' + eval ''varval=$options'' ++ varval+ eval ''options=""'' ++ options+ shift + ''['' 0 -gt 0 '']'' + r=loc vmnet1 detect + ''['' xloc = x- '']'' + ''['' -n loc '']'' + validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 ++ ip link show vmnet1 ++ grep LOOPBACK + ''['' -n '''' '']'' + list_search vmnet1 ppp0 eth0 + local e=vmnet1 + ''['' 3 -gt 1 '']'' + shift + ''['' xvmnet1 = xppp0 '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xvmnet1 = xeth0 '']'' + ''['' 1 -gt 1 '']'' + return 1 + all_interfaces= ppp0 eth0 vmnet1 ++ separate_list ++ local list ++ local part ++ local newlist ++ list++ part++ newlist++ ''['' x ''!='' x '']'' ++ echo '''' + 
options++ chain_base vmnet1 ++ local c=vmnet1 ++ echo vmnet1 + interface=vmnet1 + eval vmnet1_broadcast=detect ++ vmnet1_broadcast=detect + eval vmnet1_zone=loc ++ vmnet1_zone=loc + eval ''vmnet1_options=""'' ++ vmnet1_options+ ''['' -z '' ppp0 eth0 vmnet1'' '']'' + read z interface subnet options + expandv z interface subnet options + local varval + ''['' 4 -gt 0 '']'' + eval ''varval=$z'' ++ varval=loc + eval ''z="loc"'' ++ z=loc + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$interface'' ++ varval=vmnet8 + eval ''interface="vmnet8"'' ++ interface=vmnet8 + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$subnet'' ++ varval=detect + eval ''subnet="detect"'' ++ subnet=detect + shift + ''['' 1 -gt 0 '']'' + eval ''varval=$options'' ++ varval+ eval ''options=""'' ++ options+ shift + ''['' 0 -gt 0 '']'' + r=loc vmnet8 detect + ''['' xloc = x- '']'' + ''['' -n loc '']'' + validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 ++ ip link show vmnet8 ++ grep LOOPBACK + ''['' -n '''' '']'' + list_search vmnet8 ppp0 eth0 vmnet1 + local e=vmnet8 + ''['' 4 -gt 1 '']'' + shift + ''['' xvmnet8 = xppp0 '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xvmnet8 = xeth0 '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xvmnet8 = xvmnet1 '']'' + ''['' 1 -gt 1 '']'' + return 1 + all_interfaces= ppp0 eth0 vmnet1 vmnet8 ++ separate_list ++ local list ++ local part ++ local newlist ++ list++ part++ newlist++ ''['' x ''!='' x '']'' ++ echo '''' + options++ chain_base vmnet8 ++ local c=vmnet8 ++ echo vmnet8 + interface=vmnet8 + eval vmnet8_broadcast=detect ++ vmnet8_broadcast=detect + eval vmnet8_zone=loc ++ vmnet8_zone=loc + eval ''vmnet8_options=""'' ++ vmnet8_options+ ''['' -z '' ppp0 eth0 vmnet1 vmnet8'' '']'' + read z interface subnet options + echo ''Validating hosts file...'' + validate_hosts_file + read z hosts options + echo ''Validating Policy file...'' + 
validate_policy + local clientwild + local serverwild + local zone + local zone1 + local pc + local chain + local policy + local loglevel + local synparams + all_policy_chains+ strip_file policy + local fname + ''['' 1 = 1 '']'' ++ find_file policy ++ ''['' -n '''' -a -f /policy '']'' ++ echo /etc/shorewall/policy + fname=/etc/shorewall/policy + ''['' -f /etc/shorewall/policy '']'' + read_file /etc/shorewall/policy 0 + local first rest + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Shorewall 1.4 -- Policy File'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# /etc/shorewall/policy'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# This file determines what to do with a new connection request if we'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# don''\''''t get a match from the /etc/shorewall/rules file or from the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# /etc/shorewall/common[.def] file. For each source/destination pair, the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# file is processed in order until a match is found ("all" will match'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# any client or server).'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Columns are:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# SOURCE Source zone. Must be the name of a zone defined'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# in /etc/shorewall/zones, $FW or "all".'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# DEST Destination zone. 
Must be the name of a zone defined'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# in /etc/shorewall/zones, $FW or "all"'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# WARNING: Firewall->Firewall policies are not allowed; if'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# you have a policy where both SOURCE and DEST are $FW,'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Shorewall will not start!'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# POLICY Policy if no match from the rules file is found. Must'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ACCEPT - Accept the connection'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# DROP - Ignore the connection request'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# REJECT - For TCP, send RST. For all other, send'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# "port unreachable" ICMP.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# CONTINUE - Pass the connection request past'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# any other rules that it might also'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# match (where the source or destination'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# zone in those rules is a superset of'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# the SOURCE or DEST in this policy).'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# NONE - Assume that there will never be any'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# packets from this SOURCE'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# to this DEST. 
Shorewall will not set up'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# any infrastructure to handle such'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# packets and you may not have any rules'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# with this SOURCE and DEST in the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# /etc/shorewall/rules file. If such a'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# packet _is_ received, the result is'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# undefined.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# LOG LEVEL If supplied, each connection handled under the default'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# POLICY is logged at that level. If not supplied, no'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# log message is generated. See syslog.conf(5) for a'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# description of log levels.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Beginning with Shorewall version 1.3.12, you may'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# also specify ULOG (must be in upper case). 
This will'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# log to the ULOG target and sent to a separate log'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# through use of ulogd'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# (http://www.gnumonks.org/projects/ulogd).'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# If you don''\''''t want to log but need to specify the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# following column, place "_" here.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# LIMIT:BURST If passed, specifies the maximum TCP connection rate'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# and the size of an acceptable burst. If not specified,'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# TCP connections are not limited.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# As shipped, the default policies are:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# a) All connections from the local network to the internet are allowed'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# b) All connections from the internet are ignored but logged at syslog'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# level KERNEL.INFO.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# d) All other connection requests are rejected and logged at level'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# KERNEL.INFO.'' + read first rest + ''['' x############################################################################### = xINCLUDE '']'' + echo ''############################################################################### '' + read first rest + ''['' x#SOURCE = xINCLUDE '']'' + echo ''#SOURCE DEST 
POLICY LOG LEVEL LIMIT:BURST'' + read first rest + ''['' xloc = xINCLUDE '']'' + echo ''loc net ACCEPT'' + read first rest + ''['' xloc = xINCLUDE '']'' + echo ''loc fw ACCEPT'' + read first rest + ''['' xfw = xINCLUDE '']'' + echo ''fw net ACCEPT'' + read first rest + ''['' xfw = xINCLUDE '']'' + echo ''fw loc ACCEPT'' + read first rest + ''['' xnet = xINCLUDE '']'' + echo ''net all DROP info'' + read first rest + ''['' xall = xINCLUDE '']'' + echo ''all all REJECT info'' + read first rest + ''['' x#LAST = xINCLUDE '']'' + echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'' + read first rest + cut -d# -f1 + grep -v ''^[[:space:]]*$'' + read client server policy loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=loc + eval ''client="loc"'' ++ client=loc + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=net + eval ''server="net"'' ++ server=net + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ varval=ACCEPT + eval ''policy="ACCEPT"'' ++ policy=ACCEPT + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval+ eval ''loglevel=""'' ++ loglevel+ shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 0 -gt 0 '']'' + clientwild+ serverwild+ validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 + validate_zone net + list_search net net loc fw + local e=net + ''['' 4 -gt 1 '']'' + shift + ''['' xnet = xnet '']'' + return 0 + chain=loc2net + ''['' xloc2net = xfw2fw '']'' + is_policy_chain loc2net + eval test ''"$loc2net_is_policy"'' = Yes ++ test '''' = Yes + ''['' x = x- '']'' + chain=loc2net + ''['' ACCEPT = NONE '']'' + all_policy_chains= loc2net + eval loc2net_is_policy=Yes ++ loc2net_is_policy=Yes + eval loc2net_policy=ACCEPT ++ 
loc2net_policy=ACCEPT + eval loc2net_loglevel++ loc2net_loglevel+ eval loc2net_synparams++ loc2net_synparams+ ''['' -n '''' '']'' + ''['' -n '''' '']'' + eval loc2net_policychain=loc2net ++ loc2net_policychain=loc2net + print_policy loc net + ''['' start ''!='' check '']'' + read client server policy loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=loc + eval ''client="loc"'' ++ client=loc + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=fw + eval ''server="fw"'' ++ server=fw + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ varval=ACCEPT + eval ''policy="ACCEPT"'' ++ policy=ACCEPT + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval+ eval ''loglevel=""'' ++ loglevel+ shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 0 -gt 0 '']'' + clientwild+ serverwild+ validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 + validate_zone fw + list_search fw net loc fw + local e=fw + ''['' 4 -gt 1 '']'' + shift + ''['' xfw = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xfw = xloc '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xfw = xfw '']'' + return 0 + chain=loc2fw + ''['' xloc2fw = xfw2fw '']'' + is_policy_chain loc2fw + eval test ''"$loc2fw_is_policy"'' = Yes ++ test '''' = Yes + ''['' x = x- '']'' + chain=loc2fw + ''['' ACCEPT = NONE '']'' + all_policy_chains= loc2net loc2fw + eval loc2fw_is_policy=Yes ++ loc2fw_is_policy=Yes + eval loc2fw_policy=ACCEPT ++ loc2fw_policy=ACCEPT + eval loc2fw_loglevel++ loc2fw_loglevel+ eval loc2fw_synparams++ loc2fw_synparams+ ''['' -n '''' '']'' + ''['' -n '''' '']'' + eval loc2fw_policychain=loc2fw ++ loc2fw_policychain=loc2fw + print_policy loc fw + ''['' start ''!='' check '']'' + read client server policy 
loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=fw + eval ''client="fw"'' ++ client=fw + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=net + eval ''server="net"'' ++ server=net + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ varval=ACCEPT + eval ''policy="ACCEPT"'' ++ policy=ACCEPT + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval+ eval ''loglevel=""'' ++ loglevel+ shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 0 -gt 0 '']'' + clientwild+ serverwild+ validate_zone fw + list_search fw net loc fw + local e=fw + ''['' 4 -gt 1 '']'' + shift + ''['' xfw = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xfw = xloc '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xfw = xfw '']'' + return 0 + validate_zone net + list_search net net loc fw + local e=net + ''['' 4 -gt 1 '']'' + shift + ''['' xnet = xnet '']'' + return 0 + chain=fw2net + ''['' xfw2net = xfw2fw '']'' + is_policy_chain fw2net + eval test ''"$fw2net_is_policy"'' = Yes ++ test '''' = Yes + ''['' x = x- '']'' + chain=fw2net + ''['' ACCEPT = NONE '']'' + all_policy_chains= loc2net loc2fw fw2net + eval fw2net_is_policy=Yes ++ fw2net_is_policy=Yes + eval fw2net_policy=ACCEPT ++ fw2net_policy=ACCEPT + eval fw2net_loglevel++ fw2net_loglevel+ eval fw2net_synparams++ fw2net_synparams+ ''['' -n '''' '']'' + ''['' -n '''' '']'' + eval fw2net_policychain=fw2net ++ fw2net_policychain=fw2net + print_policy fw net + ''['' start ''!='' check '']'' + read client server policy loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=fw + eval ''client="fw"'' ++ client=fw + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=loc + eval ''server="loc"'' ++ server=loc + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ 
varval=ACCEPT + eval ''policy="ACCEPT"'' ++ policy=ACCEPT + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval+ eval ''loglevel=""'' ++ loglevel+ shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 0 -gt 0 '']'' + clientwild+ serverwild+ validate_zone fw + list_search fw net loc fw + local e=fw + ''['' 4 -gt 1 '']'' + shift + ''['' xfw = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xfw = xloc '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xfw = xfw '']'' + return 0 + validate_zone loc + list_search loc net loc fw + local e=loc + ''['' 4 -gt 1 '']'' + shift + ''['' xloc = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xloc = xloc '']'' + return 0 + chain=fw2loc + ''['' xfw2loc = xfw2fw '']'' + is_policy_chain fw2loc + eval test ''"$fw2loc_is_policy"'' = Yes ++ test '''' = Yes + ''['' x = x- '']'' + chain=fw2loc + ''['' ACCEPT = NONE '']'' + all_policy_chains= loc2net loc2fw fw2net fw2loc + eval fw2loc_is_policy=Yes ++ fw2loc_is_policy=Yes + eval fw2loc_policy=ACCEPT ++ fw2loc_policy=ACCEPT + eval fw2loc_loglevel++ fw2loc_loglevel+ eval fw2loc_synparams++ fw2loc_synparams+ ''['' -n '''' '']'' + ''['' -n '''' '']'' + eval fw2loc_policychain=fw2loc ++ fw2loc_policychain=fw2loc + print_policy fw loc + ''['' start ''!='' check '']'' + read client server policy loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=net + eval ''client="net"'' ++ client=net + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=all + eval ''server="all"'' ++ server=all + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ varval=DROP + eval ''policy="DROP"'' ++ policy=DROP + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval=info + eval ''loglevel="info"'' ++ loglevel=info + shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 
0 -gt 0 '']'' + clientwild+ serverwild+ validate_zone net + list_search net net loc fw + local e=net + ''['' 4 -gt 1 '']'' + shift + ''['' xnet = xnet '']'' + return 0 + serverwild=Yes + chain=net2all + ''['' xnet2all = xfw2fw '']'' + is_policy_chain net2all + eval test ''"$net2all_is_policy"'' = Yes ++ test '''' = Yes + ''['' xinfo = x- '']'' + chain=net2all + ''['' DROP = NONE '']'' + all_policy_chains= loc2net loc2fw fw2net fw2loc net2all + eval net2all_is_policy=Yes ++ net2all_is_policy=Yes + eval net2all_policy=DROP ++ net2all_policy=DROP + eval net2all_loglevel=info ++ net2all_loglevel=info + eval net2all_synparams++ net2all_synparams+ ''['' -n '''' '']'' + ''['' -n Yes '']'' + eval ''pc=$net2net_policychain'' ++ pc+ ''['' -z '''' '']'' + eval net2net_policychain=net2all ++ net2net_policychain=net2all + eval net2net_policy=DROP ++ net2net_policy=DROP + print_policy net net + ''['' start ''!='' check '']'' + eval ''pc=$net2loc_policychain'' ++ pc+ ''['' -z '''' '']'' + eval net2loc_policychain=net2all ++ net2loc_policychain=net2all + eval net2loc_policy=DROP ++ net2loc_policy=DROP + print_policy net loc + ''['' start ''!='' check '']'' + eval ''pc=$net2fw_policychain'' ++ pc+ ''['' -z '''' '']'' + eval net2fw_policychain=net2all ++ net2fw_policychain=net2all + eval net2fw_policy=DROP ++ net2fw_policy=DROP + print_policy net fw + ''['' start ''!='' check '']'' + eval ''pc=$net2all_policychain'' ++ pc+ ''['' -z '''' '']'' + eval net2all_policychain=net2all ++ net2all_policychain=net2all + eval net2all_policy=DROP ++ net2all_policy=DROP + print_policy net all + ''['' start ''!='' check '']'' + read client server policy loglevel synparams + expandv client server policy loglevel synparams + local varval + ''['' 5 -gt 0 '']'' + eval ''varval=$client'' ++ varval=all + eval ''client="all"'' ++ client=all + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$server'' ++ varval=all + eval ''server="all"'' ++ server=all + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$policy'' ++ 
varval=REJECT + eval ''policy="REJECT"'' ++ policy=REJECT + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$loglevel'' ++ varval=info + eval ''loglevel="info"'' ++ loglevel=info + shift + ''['' 1 -gt 0 '']'' + eval ''varval=$synparams'' ++ varval+ eval ''synparams=""'' ++ synparams+ shift + ''['' 0 -gt 0 '']'' + clientwild+ serverwild+ clientwild=Yes + serverwild=Yes + chain=all2all + ''['' xall2all = xfw2fw '']'' + is_policy_chain all2all + eval test ''"$all2all_is_policy"'' = Yes ++ test '''' = Yes + ''['' xinfo = x- '']'' + chain=all2all + ''['' REJECT = NONE '']'' + all_policy_chains= loc2net loc2fw fw2net fw2loc net2all all2all + eval all2all_is_policy=Yes ++ all2all_is_policy=Yes + eval all2all_policy=REJECT ++ all2all_policy=REJECT + eval all2all_loglevel=info ++ all2all_loglevel=info + eval all2all_synparams++ all2all_synparams+ ''['' -n Yes '']'' + ''['' -n Yes '']'' + eval ''pc=$net2net_policychain'' ++ pc=net2all + ''['' -z net2all '']'' + eval ''pc=$net2loc_policychain'' ++ pc=net2all + ''['' -z net2all '']'' + eval ''pc=$net2fw_policychain'' ++ pc=net2all + ''['' -z net2all '']'' + eval ''pc=$net2all_policychain'' ++ pc=net2all + ''['' -z net2all '']'' + eval ''pc=$loc2net_policychain'' ++ pc=loc2net + ''['' -z loc2net '']'' + eval ''pc=$loc2loc_policychain'' ++ pc+ ''['' -z '''' '']'' + eval loc2loc_policychain=all2all ++ loc2loc_policychain=all2all + eval loc2loc_policy=REJECT ++ loc2loc_policy=REJECT + print_policy loc loc + ''['' start ''!='' check '']'' + eval ''pc=$loc2fw_policychain'' ++ pc=loc2fw + ''['' -z loc2fw '']'' + eval ''pc=$loc2all_policychain'' ++ pc+ ''['' -z '''' '']'' + eval loc2all_policychain=all2all ++ loc2all_policychain=all2all + eval loc2all_policy=REJECT ++ loc2all_policy=REJECT + print_policy loc all + ''['' start ''!='' check '']'' + eval ''pc=$fw2net_policychain'' ++ pc=fw2net + ''['' -z fw2net '']'' + eval ''pc=$fw2loc_policychain'' ++ pc=fw2loc + ''['' -z fw2loc '']'' + eval ''pc=$fw2fw_policychain'' ++ pc+ ''['' -z '''' 
'']'' + eval fw2fw_policychain=all2all ++ fw2fw_policychain=all2all + eval fw2fw_policy=REJECT ++ fw2fw_policy=REJECT + print_policy fw fw + ''['' start ''!='' check '']'' + eval ''pc=$fw2all_policychain'' ++ pc+ ''['' -z '''' '']'' + eval fw2all_policychain=all2all ++ fw2all_policychain=all2all + eval fw2all_policy=REJECT ++ fw2all_policy=REJECT + print_policy fw all + ''['' start ''!='' check '']'' + eval ''pc=$all2net_policychain'' ++ pc+ ''['' -z '''' '']'' + eval all2net_policychain=all2all ++ all2net_policychain=all2all + eval all2net_policy=REJECT ++ all2net_policy=REJECT + print_policy all net + ''['' start ''!='' check '']'' + eval ''pc=$all2loc_policychain'' ++ pc+ ''['' -z '''' '']'' + eval all2loc_policychain=all2all ++ all2loc_policychain=all2all + eval all2loc_policy=REJECT ++ all2loc_policy=REJECT + print_policy all loc + ''['' start ''!='' check '']'' + eval ''pc=$all2fw_policychain'' ++ pc+ ''['' -z '''' '']'' + eval all2fw_policychain=all2all ++ all2fw_policychain=all2all + eval all2fw_policy=REJECT ++ all2fw_policy=REJECT + print_policy all fw + ''['' start ''!='' check '']'' + eval ''pc=$all2all_policychain'' ++ pc+ ''['' -z '''' '']'' + eval all2all_policychain=all2all ++ all2all_policychain=all2all + eval all2all_policy=REJECT ++ all2all_policy=REJECT + print_policy all all + ''['' start ''!='' check '']'' + read client server policy loglevel synparams + echo ''Determining Hosts in Zones...'' + determine_interfaces ++ find_interfaces net ++ local zne=net ++ local z ++ local interface +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''z=$ppp0_zone'' +++ z=net ++ ''['' xnet = xnet '']'' ++ echo ppp0 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''z=$eth0_zone'' +++ z=loc ++ ''['' xloc = xnet '']'' +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''z=$vmnet1_zone'' +++ z=loc ++ ''['' xloc = xnet '']'' +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''z=$vmnet8_zone'' +++ z=loc ++ ''['' xloc 
newnotsyn +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''options=$ppp0_options'' +++ options=routefilter norfc1918 ++ list_search newnotsyn routefilter norfc1918 ++ local e=newnotsyn ++ ''['' 3 -gt 1 '']'' ++ shift ++ ''['' xnewnotsyn = xroutefilter '']'' ++ ''['' 2 -gt 1 '']'' ++ shift ++ ''['' xnewnotsyn = xnorfc1918 '']'' ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''options=$eth0_options'' +++ options++ list_search newnotsyn ++ local e=newnotsyn ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''options=$vmnet1_options'' +++ options++ list_search newnotsyn ++ local e=newnotsyn ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''options=$vmnet8_options'' +++ options++ list_search newnotsyn ++ local e=newnotsyn ++ ''['' 1 -gt 1 '']'' ++ return 1 + run_user_exit newnotsyn ++ find_file newnotsyn ++ ''['' -n '''' -a -f /newnotsyn '']'' ++ echo /etc/shorewall/newnotsyn + local user_exit=/etc/shorewall/newnotsyn + ''['' -f /etc/shorewall/newnotsyn '']'' + ''['' -n info '']'' + log_rule info newnotsyn DROP + local level=info + local chain=newnotsyn + local disposition=DROP + local rulenum+ shift + shift + shift + ''['' -n '''' '']'' + eval iptables -A newnotsyn -j LOG --log-level info --log-prefix ''"`printf "$LOGFORMAT" $chain $disposition`"'' +++ printf Shorewall:%s:%s: newnotsyn DROP ++ iptables -A newnotsyn -j LOG --log-level info --log-prefix Shorewall:newnotsyn:DROP: + ''['' 0 -ne 0 '']'' + run_iptables -A newnotsyn -j DROP + iptables -A newnotsyn -j DROP + createchain icmpdef no + run_iptables -N icmpdef + iptables -N icmpdef + ''['' no = yes '']'' + eval icmpdef_exists=Yes ++ icmpdef_exists=Yes + createchain common no + run_iptables -N common + iptables -N common + ''['' no = yes '']'' + eval common_exists=Yes ++ common_exists=Yes + createchain reject no + run_iptables -N reject + iptables -N reject 
+ '[' no = yes ']'
+ eval reject_exists=Yes
++ reject_exists=Yes
+ createchain dynamic no
+ run_iptables -N dynamic
+ iptables -N dynamic
+ '[' no = yes ']'
+ eval dynamic_exists=Yes
++ dynamic_exists=Yes
+ '[' -f /var/lib/shorewall/save ']'
+ echo 'Creating Interface Chains...'
++ forward_chain ppp0
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ echo ppp0_fwd
+ createchain ppp0_fwd no
+ run_iptables -N ppp0_fwd
+ iptables -N ppp0_fwd
+ '[' no = yes ']'
+ eval ppp0_fwd_exists=Yes
++ ppp0_fwd_exists=Yes
++ forward_chain ppp0
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ echo ppp0_fwd
+ run_iptables -A ppp0_fwd -j dynamic
+ iptables -A ppp0_fwd -j dynamic
++ input_chain ppp0
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ echo ppp0_in
+ createchain ppp0_in no
+ run_iptables -N ppp0_in
+ iptables -N ppp0_in
+ '[' no = yes ']'
+ eval ppp0_in_exists=Yes
++ ppp0_in_exists=Yes
++ input_chain ppp0
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ echo ppp0_in
+ run_iptables -A ppp0_in -j dynamic
+ iptables -A ppp0_in -j dynamic
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_fwd
+ createchain eth0_fwd no
+ run_iptables -N eth0_fwd
+ iptables -N eth0_fwd
+ '[' no = yes ']'
+ eval eth0_fwd_exists=Yes
++ eth0_fwd_exists=Yes
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_fwd
+ run_iptables -A eth0_fwd -j dynamic
+ iptables -A eth0_fwd -j dynamic
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_in
+ createchain eth0_in no
+ run_iptables -N eth0_in
+ iptables -N eth0_in
+ '[' no = yes ']'
+ eval eth0_in_exists=Yes
++ eth0_in_exists=Yes
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_in
+ run_iptables -A eth0_in -j dynamic
+ iptables -A eth0_in -j dynamic
++ forward_chain vmnet1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ echo vmnet1_fwd
+ createchain vmnet1_fwd no
+ run_iptables -N vmnet1_fwd
+ iptables -N vmnet1_fwd
+ '[' no = yes ']'
+ eval vmnet1_fwd_exists=Yes
++ vmnet1_fwd_exists=Yes
++ forward_chain vmnet1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ echo vmnet1_fwd
+ run_iptables -A vmnet1_fwd -j dynamic
+ iptables -A vmnet1_fwd -j dynamic
++ input_chain vmnet1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ echo vmnet1_in
+ createchain vmnet1_in no
+ run_iptables -N vmnet1_in
+ iptables -N vmnet1_in
+ '[' no = yes ']'
+ eval vmnet1_in_exists=Yes
++ vmnet1_in_exists=Yes
++ input_chain vmnet1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ echo vmnet1_in
+ run_iptables -A vmnet1_in -j dynamic
+ iptables -A vmnet1_in -j dynamic
++ forward_chain vmnet8
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ echo vmnet8_fwd
+ createchain vmnet8_fwd no
+ run_iptables -N vmnet8_fwd
+ iptables -N vmnet8_fwd
+ '[' no = yes ']'
+ eval vmnet8_fwd_exists=Yes
++ vmnet8_fwd_exists=Yes
++ forward_chain vmnet8
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ echo vmnet8_fwd
+ run_iptables -A vmnet8_fwd -j dynamic
+ iptables -A vmnet8_fwd -j dynamic
++ input_chain vmnet8
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ echo vmnet8_in
+ createchain vmnet8_in no
+ run_iptables -N vmnet8_in
+ iptables -N vmnet8_in
+ '[' no = yes ']'
+ eval vmnet8_in_exists=Yes
++ vmnet8_in_exists=Yes
++ input_chain vmnet8
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ echo vmnet8_in
+ run_iptables -A vmnet8_in -j dynamic
+ iptables -A vmnet8_in -j dynamic
+ echo 'Configuring Proxy ARP'
+ setup_proxy_arp
+ read address interface external haveroute
++ find_interfaces_by_option proxyarp
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'options=$ppp0_options'
+++ options=routefilter norfc1918
++ list_search proxyarp routefilter norfc1918
++ local e=proxyarp
++ '[' 3 -gt 1 ']'
++ shift
++ '[' xproxyarp = xroutefilter ']'
++ '[' 2 -gt 1 ']'
++ shift
++ '[' xproxyarp = xnorfc1918 ']'
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'options=$eth0_options'
+++ options=
++ list_search proxyarp
++ local e=proxyarp
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'options=$vmnet1_options'
+++ options=
++ list_search proxyarp
++ local e=proxyarp
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'options=$vmnet8_options'
+++ options=
++ list_search proxyarp
++ local e=proxyarp
++ '[' 1 -gt 1 ']'
++ return 1
+ interfaces=
+ setup_nat
+ local allints
+ echo 'Setting up NAT...'
+ read external interface internal allints localnat
+ echo 'Adding Common Rules'
+ add_common_rules
+ local savelogparms=
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A reject -p udp -j REJECT
+ iptables -A reject -p udp -j REJECT
+ qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
+ iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
+ qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited
+ iptables -A reject -j REJECT --reject-with icmp-host-prohibited
++ find_interfaces_by_option dropunclean
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'options=$ppp0_options'
+++ options=routefilter norfc1918
++ list_search dropunclean routefilter norfc1918
++ local e=dropunclean
++ '[' 3 -gt 1 ']'
++ shift
++ '[' xdropunclean = xroutefilter ']'
++ '[' 2 -gt 1 ']'
++ shift
++ '[' xdropunclean = xnorfc1918 ']'
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'options=$eth0_options'
+++ options=
++ list_search dropunclean
++ local e=dropunclean
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'options=$vmnet1_options'
+++ options=
++ list_search dropunclean
++ local e=dropunclean
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'options=$vmnet8_options'
+++ options=
++ list_search dropunclean
++ local e=dropunclean
++ '[' 1 -gt 1 ']'
++ return 1
+ interfaces=
+ '[' -n '' ']'
++ find_interfaces_by_option logunclean
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'options=$ppp0_options'
+++ options=routefilter norfc1918
++ list_search logunclean routefilter norfc1918
++ local e=logunclean
++ '[' 3 -gt 1 ']'
++ shift
++ '[' xlogunclean = xroutefilter ']'
++ '[' 2 -gt 1 ']'
++ shift
++ '[' xlogunclean = xnorfc1918 ']'
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'options=$eth0_options'
+++ options=
++ list_search logunclean
++ local e=logunclean
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'options=$vmnet1_options'
+++ options=
++ list_search logunclean
++ local e=logunclean
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'options=$vmnet8_options'
+++ options=
++ list_search logunclean
++ local e=logunclean
++ '[' 1 -gt 1 ']'
++ return 1
+ interfaces=
+ '[' -n '' ']'
+ build_common_chain
+ run_user_exit icmpdef
++ find_file icmpdef
++ '[' -n '' -a -f /icmpdef ']'
++ echo /etc/shorewall/icmpdef
+ local user_exit=/etc/shorewall/icmpdef
+ '[' -f /etc/shorewall/icmpdef ']'
++ find_file common
++ '[' -n '' -a -f /common ']'
++ echo /etc/shorewall/common
+ common=/etc/shorewall/common
+ '[' -f /etc/shorewall/common ']'
++ find_file common.def
++ '[' -n '' -a -f /common.def ']'
++ echo /etc/shorewall/common.def
+ . /etc/shorewall/common.def
++ run_iptables -A common -p icmp -j icmpdef
++ iptables -A common -p icmp -j icmpdef
++ run_iptables -A common -p udp --dport 135 -j reject
++ iptables -A common -p udp --dport 135 -j reject
++ run_iptables -A common -p udp --dport 137:139 -j reject
++ iptables -A common -p udp --dport 137:139 -j reject
++ run_iptables -A common -p udp --dport 445 -j reject
++ iptables -A common -p udp --dport 445 -j reject
++ run_iptables -A common -p tcp --dport 139 -j reject
++ iptables -A common -p tcp --dport 139 -j reject
++ run_iptables -A common -p tcp --dport 445 -j reject
++ iptables -A common -p tcp --dport 445 -j reject
++ run_iptables -A common -p tcp --dport 135 -j reject
++ iptables -A common -p tcp --dport 135 -j reject
++ run_iptables -A common -p udp --dport 1900 -j DROP
++ iptables -A common -p udp --dport 1900 -j DROP
++ run_iptables -A common -d 255.255.255.255 -j DROP
++ iptables -A common -d 255.255.255.255 -j DROP
++ run_iptables -A common -d 224.0.0.0/4 -j DROP
++ iptables -A common -d 224.0.0.0/4 -j DROP
++ run_iptables -A common -p tcp --dport 113 -j reject
++ iptables -A common -p tcp --dport 113 -j reject
++ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
++ iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+ '[' -n '' ']'
++ find_broadcasts
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'bcast=$ppp0_broadcast'
+++ bcast=-
++ '[' x- = xdetect ']'
++ '[' x- '!=' x- ']'
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'bcast=$eth0_broadcast'
+++ bcast=detect
++ '[' xdetect = xdetect ']'
+++ ip addr show eth0
++ addr=2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
+++ echo '2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'
+++ grep 'inet.*brd '
++ '[' -n ' inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0' ']'
+++ echo '2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'
+++ grep 'inet '
+++ sed 's/^.* inet.*brd //;s/scope.*//'
++ addr=192.168.0.255
++ echo 192.168.0.255
++ cut '-d ' -f 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'bcast=$vmnet1_broadcast'
+++ bcast=detect
++ '[' xdetect = xdetect ']'
+++ ip addr show vmnet1
++ addr=
+++ echo ''
+++ grep 'inet.*brd '
++ '[' -n '' ']'
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'bcast=$vmnet8_broadcast'
+++ bcast=detect
++ '[' xdetect = xdetect ']'
+++ ip addr show vmnet8
++ addr=
+++ echo ''
+++ grep 'inet.*brd '
++ '[' -n '' ']'
+ drop_broadcasts 192.168.0.255
+ '[' 1 -gt 0 ']'
+ run_iptables -A common -d 192.168.0.255 -j DROP
+ iptables -A common -d 192.168.0.255 -j DROP
+ shift
+ '[' 0 -gt 0 ']'
++ find_interfaces_by_option dhcp
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'options=$ppp0_options'
+++ options=routefilter norfc1918
++ list_search dhcp routefilter norfc1918
++ local e=dhcp
++ '[' 3 -gt 1 ']'
++ shift
++ '[' xdhcp = xroutefilter ']'
++ '[' 2 -gt 1 ']'
++ shift
++ '[' xdhcp = xnorfc1918 ']'
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'options=$eth0_options'
+++ options=
++ list_search dhcp
++ local e=dhcp
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'options=$vmnet1_options'
+++ options=
++ list_search dhcp
++ local e=dhcp
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'options=$vmnet8_options'
+++ options=
++ list_search dhcp
++ local e=dhcp
++ '[' 1 -gt 1 ']'
++ return 1
+ interfaces=
+ '[' -n '' ']'
++ find_interfaces_by_option norfc1918
+++ chain_base ppp0
+++ local c=ppp0
+++ echo ppp0
++ eval 'options=$ppp0_options'
+++ options=routefilter norfc1918
++ list_search norfc1918 routefilter norfc1918
++ local e=norfc1918
++ '[' 3 -gt 1 ']'
++ shift
++ '[' xnorfc1918 = xroutefilter ']'
++ '[' 2 -gt 1 ']'
++ shift
++ '[' xnorfc1918 = xnorfc1918 ']'
++ return 0
++ echo ppp0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ eval 'options=$eth0_options'
+++ options=
++ list_search norfc1918
++ local e=norfc1918
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet1
+++ local c=vmnet1
+++ echo vmnet1
++ eval 'options=$vmnet1_options'
+++ options=
++ list_search norfc1918
++ local e=norfc1918
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base vmnet8
+++ local c=vmnet8
+++ echo vmnet8
++ eval 'options=$vmnet8_options'
+++ options=
++ list_search norfc1918
++ local e=norfc1918
++ '[' 1 -gt 1 ']'
++ return 1
+ norfc1918_interfaces=ppp0
+ '[' -n ppp0 ']'
+ echo 'Enabling RFC1918 Filtering'
+ strip_file rfc1918
+ local fname
+ '[' 1 = 1 ']'
++ find_file rfc1918
++ '[' -n '' -a -f /rfc1918 ']'
++ echo /etc/shorewall/rfc1918
+ fname=/etc/shorewall/rfc1918
+ '[' -f /etc/shorewall/rfc1918 ']'
+ read_file /etc/shorewall/rfc1918 0
+ local first rest
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 1.4 -- RFC1918 File'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/rfc1918'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Lists the subnetworks that are blocked by the '\''norfc1918'\'' interface option.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The default list includes those IP addresses listed in RFC 1918, those listed'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# as '\''reserved'\'' by the IANA, the DHCP Autoconfig class B, and the class C'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# reserved for use in documentation and examples.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SUBNET The subnet (host addresses also allowed)'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# TARGET Where to send packets to/from this subnet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# RETURN - let the packet be processed normally'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DROP - silently drop the packet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# logdrop - log then drop'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x############################################################################### = xINCLUDE ']'
+ echo '############################################################################### '
+ read first rest
+ '[' x#SUBNET = xINCLUDE ']'
+ echo '#SUBNET TARGET'
+ read first rest
+ '[' x255.255.255.255 = xINCLUDE ']'
+ echo '255.255.255.255 RETURN # We need to allow limited broadcast'
+ read first rest
+ '[' x169.254.0.0/16 = xINCLUDE ']'
+ echo '169.254.0.0/16 DROP # DHCP autoconfig'
+ read first rest
+ '[' x172.16.0.0/12 = xINCLUDE ']'
+ echo '172.16.0.0/12 logdrop # RFC 1918'
+ read first rest
+ '[' x192.0.2.0/24 = xINCLUDE ']'
+ echo '192.0.2.0/24 logdrop # Example addresses'
+ read first rest
+ '[' x192.168.0.0/16 = xINCLUDE ']'
+ echo '192.168.0.0/16 logdrop # RFC 1918'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The following are generated with the help of the Python program found at:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The program was contributed by Andy Wiggin'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x0.0.0.0/7 = xINCLUDE ']'
+ echo '0.0.0.0/7 logdrop # Reserved'
+ read first rest
+ '[' x2.0.0.0/8 = xINCLUDE ']'
+ echo '2.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x5.0.0.0/8 = xINCLUDE ']'
+ echo '5.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x7.0.0.0/8 = xINCLUDE ']'
+ echo '7.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x10.0.0.0/8 = xINCLUDE ']'
+ echo '10.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x23.0.0.0/8 = xINCLUDE ']'
+ echo '23.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x27.0.0.0/8 = xINCLUDE ']'
+ echo '27.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x31.0.0.0/8 = xINCLUDE ']'
+ echo '31.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x36.0.0.0/7 = xINCLUDE ']'
+ echo '36.0.0.0/7 logdrop # Reserved'
+ read first rest
+ '[' x39.0.0.0/8 = xINCLUDE ']'
+ echo '39.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x41.0.0.0/8 = xINCLUDE ']'
+ echo '41.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x42.0.0.0/8 = xINCLUDE ']'
+ echo '42.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x49.0.0.0/8 = xINCLUDE ']'
+ echo '49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98'
+ read first rest
+ '[' x50.0.0.0/8 = xINCLUDE ']'
+ echo '50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98'
+ read first rest
+ '[' x58.0.0.0/7 = xINCLUDE ']'
+ echo '58.0.0.0/7 logdrop # Reserved'
+ read first rest
+ '[' x60.0.0.0/8 = xINCLUDE ']'
+ echo '60.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x70.0.0.0/7 = xINCLUDE ']'
+ echo '70.0.0.0/7 logdrop # Reserved'
+ read first rest
+ '[' x72.0.0.0/5 = xINCLUDE ']'
+ echo '72.0.0.0/5 logdrop # Reserved'
+ read first rest
+ '[' x83.0.0.0/8 = xINCLUDE ']'
+ echo '83.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x84.0.0.0/6 = xINCLUDE ']'
+ echo '84.0.0.0/6 logdrop # Reserved'
+ read first rest
+ '[' x88.0.0.0/5 = xINCLUDE ']'
+ echo '88.0.0.0/5 logdrop # Reserved'
+ read first rest
+ '[' x96.0.0.0/3 = xINCLUDE ']'
+ echo '96.0.0.0/3 logdrop # Reserved'
+ read first rest
+ '[' x127.0.0.0/8 = xINCLUDE ']'
+ echo '127.0.0.0/8 logdrop # Loopback'
+ read first rest
+ '[' x197.0.0.0/8 = xINCLUDE ']'
+ echo '197.0.0.0/8 logdrop # Reserved'
+ read first rest
+ '[' x198.18.0.0/15 = xINCLUDE ']'
+ echo '198.18.0.0/15 logdrop # Reserved'
+ read first rest
+ '[' x201.0.0.0/8 = xINCLUDE ']'
+ echo '201.0.0.0/8 logdrop # Reserved - Central & South America'
+ read first rest
+ '[' x240.0.0.0/4 = xINCLUDE ']'
+ echo '240.0.0.0/4 logdrop # Reserved'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# End of generated entries'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ createchain rfc1918 no
+ run_iptables -N rfc1918
+ iptables -N rfc1918
+ '[' no = yes ']'
+ eval rfc1918_exists=Yes
++ rfc1918_exists=Yes
+ createchain logdrop no
+ run_iptables -N logdrop
+ iptables -N logdrop
+ '[' no = yes ']'
+ eval logdrop_exists=Yes
++ logdrop_exists=Yes
+ log_rule info logdrop DROP
+ local level=info
+ local chain=logdrop
+ local disposition=DROP
+ local rulenum=
+ shift
+ shift
+ shift
+ '[' -n '' ']'
+ eval iptables -A logdrop -j LOG --log-level info --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+++ printf Shorewall:%s:%s: logdrop DROP
++ iptables -A logdrop -j LOG --log-level info --log-prefix Shorewall:logdrop:DROP:
+ '[' 0 -ne 0 ']'
+ run_iptables -A logdrop -j DROP
+ iptables -A logdrop -j DROP
+ '[' -n Yes -a -z '' ']'
+ run_iptables -t mangle -N man1918
+ iptables -t mangle -N man1918
+ run_iptables -t mangle -N logdrop
+ iptables -t mangle -N logdrop
+ log_rule info logdrop DROP -t mangle
+ local level=info
+ local chain=logdrop
+ local disposition=DROP
+ local rulenum=
+ shift
+ shift
+ shift
+ '[' -n '' ']'
+ eval iptables -A logdrop -t mangle -j LOG --log-level info --log-prefix '"`printf "$LOGFORMAT" $chain $disposition`"'
+++ printf Shorewall:%s:%s: logdrop DROP
++ iptables -A logdrop -t mangle -j LOG --log-level info --log-prefix Shorewall:logdrop:DROP:
+ '[' 0 -ne 0 ']'
+ run_iptables -t mangle -A logdrop -j DROP
+ iptables -t mangle -A logdrop -j DROP
+ read subnet target
+ run_iptables2 -A rfc1918 -s 255.255.255.255 -j RETURN
+ '[' 'x-A rfc1918 -s 255.255.255.255 -j RETURN' = 'x-A rfc1918 -s 255.255.255.255 -j RETURN' ']'
+ run_iptables -A rfc1918 -s 255.255.255.255 -j RETURN
+ iptables -A rfc1918 -s 255.255.255.255 -j RETURN
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 255.255.255.255 -j RETURN
+ '[' 'x-t mangle -A man1918 -d 255.255.255.255 -j RETURN' = 'x-t mangle -A man1918 -d 255.255.255.255 -j RETURN' ']'
+ run_iptables -t mangle -A man1918 -d 255.255.255.255 -j RETURN
+ iptables -t mangle -A man1918 -d 255.255.255.255 -j RETURN
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 169.254.0.0/16 -j DROP
+ '[' 'x-A rfc1918 -s 169.254.0.0/16 -j DROP' = 'x-A rfc1918 -s 169.254.0.0/16 -j DROP' ']'
+ run_iptables -A rfc1918 -s 169.254.0.0/16 -j DROP
+ iptables -A rfc1918 -s 169.254.0.0/16 -j DROP
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 169.254.0.0/16 -j DROP
+ '[' 'x-t mangle -A man1918 -d 169.254.0.0/16 -j DROP' = 'x-t mangle -A man1918 -d 169.254.0.0/16 -j DROP' ']'
+ run_iptables -t mangle -A man1918 -d 169.254.0.0/16 -j DROP
+ iptables -t mangle -A man1918 -d 169.254.0.0/16 -j DROP
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 172.16.0.0/12 -j logdrop
+ '[' 'x-A rfc1918 -s 172.16.0.0/12 -j logdrop' = 'x-A rfc1918 -s 172.16.0.0/12 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop
+ iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 172.16.0.0/12 -j logdrop' = 'x-t mangle -A man1918 -d 172.16.0.0/12 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop
+ iptables -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 192.0.2.0/24 -j logdrop
+ '[' 'x-A rfc1918 -s 192.0.2.0/24 -j logdrop' = 'x-A rfc1918 -s 192.0.2.0/24 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 192.0.2.0/24 -j logdrop
+ iptables -A rfc1918 -s 192.0.2.0/24 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 192.0.2.0/24 -j logdrop' = 'x-t mangle -A man1918 -d 192.0.2.0/24 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop
+ iptables -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 192.168.0.0/16 -j logdrop
+ '[' 'x-A rfc1918 -s 192.168.0.0/16 -j logdrop' = 'x-A rfc1918 -s 192.168.0.0/16 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 192.168.0.0/16 -j logdrop
+ iptables -A rfc1918 -s 192.168.0.0/16 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 192.168.0.0/16 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 192.168.0.0/16 -j logdrop' = 'x-t mangle -A man1918 -d 192.168.0.0/16 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 192.168.0.0/16 -j logdrop
+ iptables -t mangle -A man1918 -d 192.168.0.0/16 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 0.0.0.0/7 -j logdrop
+ '[' 'x-A rfc1918 -s 0.0.0.0/7 -j logdrop' = 'x-A rfc1918 -s 0.0.0.0/7 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 0.0.0.0/7 -j logdrop
+ iptables -A rfc1918 -s 0.0.0.0/7 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 0.0.0.0/7 -j logdrop' = 'x-t mangle -A man1918 -d 0.0.0.0/7 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop
+ iptables -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 2.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 2.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 2.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 2.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 2.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 2.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 2.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 5.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 5.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 5.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 5.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 5.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 5.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 5.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 7.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 7.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 7.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 7.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 7.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 7.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 7.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 10.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 10.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 10.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 10.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 10.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 10.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 10.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 23.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 23.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 23.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 23.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 23.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 23.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 23.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 27.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 27.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 27.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 27.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 27.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 27.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 27.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 31.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 31.0.0.0/8 -j logdrop' = 'x-A rfc1918 -s 31.0.0.0/8 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 31.0.0.0/8 -j logdrop
+ iptables -A rfc1918 -s 31.0.0.0/8 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 31.0.0.0/8 -j logdrop' = 'x-t mangle -A man1918 -d 31.0.0.0/8 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop
+ iptables -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 36.0.0.0/7 -j logdrop
+ '[' 'x-A rfc1918 -s 36.0.0.0/7 -j logdrop' = 'x-A rfc1918 -s 36.0.0.0/7 -j logdrop' ']'
+ run_iptables -A rfc1918 -s 36.0.0.0/7 -j logdrop
+ iptables -A rfc1918 -s 36.0.0.0/7 -j logdrop
+ return
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ run_iptables2 -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop
+ '[' 'x-t mangle -A man1918 -d 36.0.0.0/7 -j logdrop' = 'x-t mangle -A man1918 -d 36.0.0.0/7 -j logdrop' ']'
+ run_iptables -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop
+ iptables -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop
+ return
+ read subnet target
+ run_iptables2 -A rfc1918 -s 39.0.0.0/8 -j logdrop
+ '[' 'x-A rfc1918 -s 
39.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 39.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 39.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 39.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 39.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 39.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 41.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 41.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 41.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 41.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 41.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 41.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 41.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 42.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 42.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 42.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 42.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 42.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 42.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 42.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 49.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 49.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 49.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 49.0.0.0/8 -j 
logdrop + iptables -A rfc1918 -s 49.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 49.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 49.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 50.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 50.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 50.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 50.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 50.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 50.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 50.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 58.0.0.0/7 -j logdrop + ''['' ''x-A rfc1918 -s 58.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s 58.0.0.0/7 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 58.0.0.0/7 -j logdrop + iptables -A rfc1918 -s 58.0.0.0/7 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop + ''['' ''x-t mangle -A man1918 -d 58.0.0.0/7 -j logdrop'' = ''x-t mangle -A man1918 -d 58.0.0.0/7 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop + iptables -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 60.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 60.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 60.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 60.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 60.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + 
run_iptables2 -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 60.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 60.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 70.0.0.0/7 -j logdrop + ''['' ''x-A rfc1918 -s 70.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s 70.0.0.0/7 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 70.0.0.0/7 -j logdrop + iptables -A rfc1918 -s 70.0.0.0/7 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop + ''['' ''x-t mangle -A man1918 -d 70.0.0.0/7 -j logdrop'' = ''x-t mangle -A man1918 -d 70.0.0.0/7 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop + iptables -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 72.0.0.0/5 -j logdrop + ''['' ''x-A rfc1918 -s 72.0.0.0/5 -j logdrop'' = ''x-A rfc1918 -s 72.0.0.0/5 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 72.0.0.0/5 -j logdrop + iptables -A rfc1918 -s 72.0.0.0/5 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop + ''['' ''x-t mangle -A man1918 -d 72.0.0.0/5 -j logdrop'' = ''x-t mangle -A man1918 -d 72.0.0.0/5 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop + iptables -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 83.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 83.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 83.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 83.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 83.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 83.0.0.0/8 -j 
logdrop'' = ''x-t mangle -A man1918 -d 83.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 84.0.0.0/6 -j logdrop + ''['' ''x-A rfc1918 -s 84.0.0.0/6 -j logdrop'' = ''x-A rfc1918 -s 84.0.0.0/6 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 84.0.0.0/6 -j logdrop + iptables -A rfc1918 -s 84.0.0.0/6 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop + ''['' ''x-t mangle -A man1918 -d 84.0.0.0/6 -j logdrop'' = ''x-t mangle -A man1918 -d 84.0.0.0/6 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop + iptables -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 88.0.0.0/5 -j logdrop + ''['' ''x-A rfc1918 -s 88.0.0.0/5 -j logdrop'' = ''x-A rfc1918 -s 88.0.0.0/5 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 88.0.0.0/5 -j logdrop + iptables -A rfc1918 -s 88.0.0.0/5 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop + ''['' ''x-t mangle -A man1918 -d 88.0.0.0/5 -j logdrop'' = ''x-t mangle -A man1918 -d 88.0.0.0/5 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop + iptables -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 96.0.0.0/3 -j logdrop + ''['' ''x-A rfc1918 -s 96.0.0.0/3 -j logdrop'' = ''x-A rfc1918 -s 96.0.0.0/3 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 96.0.0.0/3 -j logdrop + iptables -A rfc1918 -s 96.0.0.0/3 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 96.0.0.0/3 -j logdrop + ''['' ''x-t mangle -A man1918 -d 96.0.0.0/3 -j logdrop'' = ''x-t mangle -A man1918 -d 96.0.0.0/3 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 
96.0.0.0/3 -j logdrop + iptables -t mangle -A man1918 -d 96.0.0.0/3 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 127.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 127.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 127.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 127.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 127.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 127.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 127.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 197.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 197.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 197.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 197.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 197.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 197.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 197.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 198.18.0.0/15 -j logdrop + ''['' ''x-A rfc1918 -s 198.18.0.0/15 -j logdrop'' = ''x-A rfc1918 -s 198.18.0.0/15 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 198.18.0.0/15 -j logdrop + iptables -A rfc1918 -s 198.18.0.0/15 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 198.18.0.0/15 -j logdrop + ''['' ''x-t mangle -A man1918 -d 198.18.0.0/15 -j logdrop'' = ''x-t mangle -A man1918 -d 198.18.0.0/15 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 198.18.0.0/15 -j logdrop + iptables -t mangle -A man1918 -d 
198.18.0.0/15 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 201.0.0.0/8 -j logdrop + ''['' ''x-A rfc1918 -s 201.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 201.0.0.0/8 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 201.0.0.0/8 -j logdrop + iptables -A rfc1918 -s 201.0.0.0/8 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop + ''['' ''x-t mangle -A man1918 -d 201.0.0.0/8 -j logdrop'' = ''x-t mangle -A man1918 -d 201.0.0.0/8 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop + iptables -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop + return + read subnet target + run_iptables2 -A rfc1918 -s 240.0.0.0/4 -j logdrop + ''['' ''x-A rfc1918 -s 240.0.0.0/4 -j logdrop'' = ''x-A rfc1918 -s 240.0.0.0/4 -j logdrop'' '']'' + run_iptables -A rfc1918 -s 240.0.0.0/4 -j logdrop + iptables -A rfc1918 -s 240.0.0.0/4 -j logdrop + return + ''['' -n '''' '']'' + ''['' -n Yes '']'' + run_iptables2 -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop + ''['' ''x-t mangle -A man1918 -d 240.0.0.0/4 -j logdrop'' = ''x-t mangle -A man1918 -d 240.0.0.0/4 -j logdrop'' '']'' + run_iptables -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop + iptables -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop + return + read subnet target ++ first_chains ppp0 +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ local c=ppp0 ++ echo ppp0_fwd ppp0_in + run_iptables -A ppp0_fwd -m state --state NEW -j rfc1918 + iptables -A ppp0_fwd -m state --state NEW -j rfc1918 + run_iptables -A ppp0_in -m state --state NEW -j rfc1918 + iptables -A ppp0_in -m state --state NEW -j rfc1918 + ''['' -n Yes -a -z '''' '']'' + run_iptables -t mangle -A PREROUTING -m state --state NEW -i ppp0 -j man1918 + iptables -t mangle -A PREROUTING -m state --state NEW -i ppp0 -j man1918 ++ find_interfaces_by_option tcpflags +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''options=$ppp0_options'' +++ 
options=routefilter norfc1918 ++ list_search tcpflags routefilter norfc1918 ++ local e=tcpflags ++ ''['' 3 -gt 1 '']'' ++ shift ++ ''['' xtcpflags = xroutefilter '']'' ++ ''['' 2 -gt 1 '']'' ++ shift ++ ''['' xtcpflags = xnorfc1918 '']'' ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''options=$eth0_options'' +++ options++ list_search tcpflags ++ local e=tcpflags ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''options=$vmnet1_options'' +++ options++ list_search tcpflags ++ local e=tcpflags ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''options=$vmnet8_options'' +++ options++ list_search tcpflags ++ local e=tcpflags ++ ''['' 1 -gt 1 '']'' ++ return 1 + interfaces+ ''['' -n '''' '']'' + setup_blacklist ++ find_interfaces_by_option blacklist +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''options=$ppp0_options'' +++ options=routefilter norfc1918 ++ list_search blacklist routefilter norfc1918 ++ local e=blacklist ++ ''['' 3 -gt 1 '']'' ++ shift ++ ''['' xblacklist = xroutefilter '']'' ++ ''['' 2 -gt 1 '']'' ++ shift ++ ''['' xblacklist = xnorfc1918 '']'' ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''options=$eth0_options'' +++ options++ list_search blacklist ++ local e=blacklist ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''options=$vmnet1_options'' +++ options++ list_search blacklist ++ local e=blacklist ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''options=$vmnet8_options'' +++ options++ list_search blacklist ++ local e=blacklist ++ ''['' 1 -gt 1 '']'' ++ return 1 + local interfaces++ find_file blacklist ++ ''['' -n '''' -a -f /blacklist '']'' ++ echo /etc/shorewall/blacklist + local f=/etc/shorewall/blacklist + local disposition=DROP + ''['' 
-n '''' -a -f /etc/shorewall/blacklist '']'' + echo 0 + echo 0 + echo 0 + echo 0 + echo 0 ++ find_interfaces_by_option routefilter +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''options=$ppp0_options'' +++ options=routefilter norfc1918 ++ list_search routefilter routefilter norfc1918 ++ local e=routefilter ++ ''['' 3 -gt 1 '']'' ++ shift ++ ''['' xroutefilter = xroutefilter '']'' ++ return 0 ++ echo ppp0 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''options=$eth0_options'' +++ options++ list_search routefilter ++ local e=routefilter ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''options=$vmnet1_options'' +++ options++ list_search routefilter ++ local e=routefilter ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''options=$vmnet8_options'' +++ options++ list_search routefilter ++ local e=routefilter ++ ''['' 1 -gt 1 '']'' ++ return 1 + interfaces=ppp0 + ''['' -n ppp0 -o -n '''' '']'' + echo ''Setting up Kernel Route Filtering...'' + ''['' -n '''' '']'' + echo 0 + file=/proc/sys/net/ipv4/conf/ppp0/rp_filter + ''['' -f /proc/sys/net/ipv4/conf/ppp0/rp_filter '']'' + echo 1 + echo 1 + echo ''IP Forwarding Enabled'' ++ find_file tunnels ++ ''['' -n '''' -a -f /tunnels '']'' ++ echo /etc/shorewall/tunnels + tunnels=/etc/shorewall/tunnels + ''['' -f /etc/shorewall/tunnels '']'' + echo ''Processing /etc/shorewall/tunnels...'' + setup_tunnels /etc/shorewall/tunnels + local inchain + local outchain + strip_file tunnels /etc/shorewall/tunnels + local fname + ''['' 2 = 1 '']'' + fname=/etc/shorewall/tunnels + ''['' -f /etc/shorewall/tunnels '']'' + read_file /etc/shorewall/tunnels 0 + local first rest + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Shorewall 1.4 - /etc/shorewall/tunnels'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# 
= xINCLUDE '']'' + echo ''# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# IPIP, GRE and OPENVPN tunnels must be configured on the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# firewall/gateway itself. IPSEC endpoints may be defined'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# on the firewall/gateway or on an internal system.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# The columns are:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# "gre", "6to4", "pptpclient", "pptpserver" or "openvpn".'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# If type is "openvpn", it may optionally be followed'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# by ":" and the port number used by the tunnel. if no'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ":" and port number are included, then the default port'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# of 5000 will be used'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ZONE -- The zone of the physical interface through which'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# tunnel traffic passes. This is normally your internet'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# zone.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# GATEWAY -- The IP address of the remote tunnel gateway. 
If the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# remote getway has no fixed address (Road Warrior)'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# then specify the gateway as 0.0.0.0/0.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# GATEWAY'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ZONES -- Optional. If the gateway system specified in the third'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# column is a standalone host then this column should'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# contain a comma-separated list of the names of the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# zones that the host might be in. This column only'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# applies to IPSEC tunnels.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 1:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# IPSec tunnel. 
The remote gateway is 4.33.99.124 and'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# the remote subnet is 192.168.9.0/24'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ipsec net 4.33.99.124'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 2:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Road Warrior (LapTop that may connect from anywhere)'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# where the "gw" zone is used to represent the remote'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# LapTop.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ipsec net 0.0.0.0/0 gw'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 3:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Host 4.33.99.124 is a standalone system connected'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# via an ipsec tunnel to the firewall system. The host'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# is in zone gw.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ipsec net 4.33.99.124 gw'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 4:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Road Warriors that may belong to zones vpn1, vpn2 or'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# vpn3. 
The FreeS/Wan _updown script will add the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# host to the appropriate zone using the "shorewall add"'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# command on connect and will remove the host from the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# zone at disconnect time.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 5:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You run the Linux PPTP client on your firewall and'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# connect to server 192.0.2.221.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# pptpclient net 192.0.2.221'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 6:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You run a PPTP server on your firewall.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# pptpserver net'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 7:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# OPENVPN tunnel. 
The remote gateway is 4.33.99.124 and'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# openvpn uses port 7777.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# openvpn:7777 net 4.33.99.124'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + cut -d# -f1 + grep -v ''^[[:space:]]*$'' + ''['' x# = xINCLUDE '']'' + echo ''# TYPE ZONE GATEWAY GATEWAY ZONE PORT'' + read first rest + ''['' x#LAST = xINCLUDE '']'' + echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'' + read first rest + read kind z gateway z1 ++ find_hosts_by_option maclist ++ local ignore hosts interface address addresses options ++ read ignore hosts options +++ chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ eval ''options=$ppp0_options'' +++ options=routefilter norfc1918 ++ list_search maclist routefilter norfc1918 ++ local e=maclist ++ ''['' 3 -gt 1 '']'' ++ shift ++ ''['' xmaclist = xroutefilter '']'' ++ ''['' 2 -gt 1 '']'' ++ shift ++ ''['' xmaclist = xnorfc1918 '']'' ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base eth0 +++ local c=eth0 +++ echo eth0 ++ eval ''options=$eth0_options'' +++ options++ list_search maclist ++ local e=maclist ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet1 +++ local c=vmnet1 +++ echo vmnet1 ++ eval ''options=$vmnet1_options'' +++ options++ list_search maclist ++ local e=maclist ++ ''['' 1 -gt 1 '']'' ++ return 1 +++ chain_base vmnet8 +++ local c=vmnet8 +++ echo vmnet8 ++ eval ''options=$vmnet8_options'' +++ options++ list_search maclist ++ local e=maclist ++ ''['' 1 -gt 1 '']'' ++ return 1 + maclist_hosts+ ''['' -n '''' '']'' ++ find_file rules ++ ''['' -n '''' -a -f /rules '']'' ++ echo /etc/shorewall/rules + rules=/etc/shorewall/rules + echo ''Processing /etc/shorewall/rules...'' + process_rules /etc/shorewall/rules + read xtarget xclients xservers xprotocol xports xcports xaddress + expandv xclients xservers xprotocol xports 
xcports xaddress + local varval + ''['' 6 -gt 0 '']'' + eval ''varval=$xclients'' ++ varval=fw + eval ''xclients="fw"'' ++ xclients=fw + shift + ''['' 5 -gt 0 '']'' + eval ''varval=$xservers'' ++ varval=net + eval ''xservers="net"'' ++ xservers=net + shift + ''['' 4 -gt 0 '']'' + eval ''varval=$xprotocol'' ++ varval=tcp + eval ''xprotocol="tcp"'' ++ xprotocol=tcp + shift + ''['' 3 -gt 0 '']'' + eval ''varval=$xports'' ++ varval=53 + eval ''xports="53"'' ++ xports=53 + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$xcports'' ++ varval+ eval ''xcports=""'' ++ xcports+ shift + ''['' 1 -gt 0 '']'' + eval ''varval=$xaddress'' ++ varval+ eval ''xaddress=""'' ++ xaddress+ shift + ''['' 0 -gt 0 '']'' + ''['' xfw = xall '']'' + ''['' xnet = xall '']'' + process_rule ACCEPT fw net tcp 53 + local target=ACCEPT + local clients=fw + local servers=net + local protocol=tcp + local ports=53 + local cports+ local address++ echo ACCEPT fw net tcp 53 + local ''rule=ACCEPT fw net tcp 53'' + ''['' ACCEPT = ACCEPT '']'' + loglevel+ logtarget=ACCEPT + dnat_only+ ''['' x = x- '']'' + ''['' fw = fw '']'' + clientzone=fw + clients+ ''['' fw = fw '']'' + excludezones+ validate_zone fw + list_search fw net loc fw + local e=fw + ''['' 4 -gt 1 '']'' + shift + ''['' xfw = xnet '']'' + ''['' 3 -gt 1 '']'' + shift + ''['' xfw = xloc '']'' + ''['' 2 -gt 1 '']'' + shift + ''['' xfw = xfw '']'' + return 0 + source=fw + ''['' fw = fw '']'' + source_hosts+ ''['' net = net '']'' + serverzone=net + servers+ serverport+ validate_zone net + list_search net net loc fw + local e=net + ''['' 4 -gt 1 '']'' + shift + ''['' xnet = xnet '']'' + return 0 + dest=net + chain=fw2net + eval ''policy=$fw2net_policy'' ++ policy=ACCEPT + ''['' ACCEPT = NONE '']'' + ''['' xfw2net = xfw2fw '']'' + ''['' start = check '']'' + ensurechain fw2net + havechain fw2net + eval test ''"$fw2net_exists"'' = Yes ++ test '''' = Yes + createchain fw2net yes + run_iptables -N fw2net + iptables -N fw2net + ''['' yes = yes '']'' + 
'']'' + echo ''# Columns are:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# INTERFACE -- Outgoing interface. This is usually your internet'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# interface. If ADD_SNAT_ALIASES=Yes in'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# /etc/shorewall/shorewall.conf, you may add ":" and'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# a digit to indicate that you want the alias added with'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# that name (e.g., eth0:0). This will allow the alias to'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# be displayed with ifconfig. THAT IS THE ONLY USE FOR'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# PLACE IN YOUR SHOREWALL CONFIGURATION.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# This may be qualified by adding the character'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ":" followed by a destination host or subnet.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# SUBNET -- Subnet that you wish to masquerade. You can specify this as'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# a subnet or as an interface. 
If you give the name of an'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# interface, you must have iproute installed and the interface'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# must be up before you start the firewall.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# In order to exclude a subset of the specified SUBNET, you'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# may append "!" and a comma-separated list of IP addresses'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# and/or subnets that you wish to exclude.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example: eth1!192.168.1.4,192.168.32.0/27'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# In that example traffic from eth1 would be masqueraded unless'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# it came from 192.168.1.4 or 196.168.32.0/27'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ADDRESS -- (Optional). If you specify an address here, SNAT will be'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# used and this will be the source address. 
If'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ADD_SNAT_ALIASES is set to Yes or yes in'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# /etc/shorewall/shorewall.conf then Shorewall'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# will automatically add this address to the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# INTERFACE named in the first column.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You may also specify a range of up to 256'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# IP addresses if you want the SNAT address to'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# be assigned from that range in a round-robin'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# range by connection. The range is specified by'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# <first ip in range>-<last ip in range>.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example: 206.124.146.177-206.124.146.180'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# This column may not contain DNS Names.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 1:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You have a simple masquerading setup where eth0 connects to'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# a DSL or cable modem and eth1 connects to your local network'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# with subnet 192.168.0.0/24.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Your entry in the file can be either:'' + read first rest + ''['' 
x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# eth0 eth1'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# or'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# eth0 192.168.0.0/24'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 2:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You add a router to your local network to connect subnet'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# 192.168.1.0/24 which you also want to masquerade. You then'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# add a second entry for eth0 to this file:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# eth0 192.168.1.0/24'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 3:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You have an IPSEC tunnel through ipsec0 and you want to'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# masquerade packets coming from 192.168.1.0/24 but only if'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# these packets are destined for hosts in 10.1.1.0/24:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# ipsec0:10.1.1.0/24 196.168.1.0/24'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# Example 4:'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# You want all outgoing traffic from 
192.168.1.0/24 through'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# eth0 to use source address 206.124.146.176 which is NOT the'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# primary address of eth0. You want 206.124.146.176 added to'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# be added to eth0 with name eth0:0.'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# eth0:0 192.168.1.0/24 206.124.146.176'' + read first rest + ''['' x# = xINCLUDE '']'' + echo ''# '' + read first rest + ''['' x############################################################################## = xINCLUDE '']'' + echo ''############################################################################## '' + read first rest + ''['' x#INTERFACE = xINCLUDE '']'' + echo ''#INTERFACE SUBNET ADDRESS'' + read first rest + ''['' xppp0 = xINCLUDE '']'' + echo ''ppp0 eth0'' + read first rest + ''['' xppp0 = xINCLUDE '']'' + echo ''ppp0 192.168.58.0/24'' + read first rest + ''['' x#LAST = xINCLUDE '']'' + echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'' + read first rest + cut -d# -f1 + grep -v ''^[[:space:]]*$'' + ''['' -n Yes '']'' + echo ''Masqueraded Subnets and Hosts:'' + read fullinterface subnet address + expandv fullinterface subnet address + local varval + ''['' 3 -gt 0 '']'' + eval ''varval=$fullinterface'' ++ varval=ppp0 + eval ''fullinterface="ppp0"'' ++ fullinterface=ppp0 + shift + ''['' 2 -gt 0 '']'' + eval ''varval=$subnet'' ++ varval=eth0 + eval ''subnet="eth0"'' ++ subnet=eth0 + shift + ''['' 1 -gt 0 '']'' + eval ''varval=$address'' ++ varval+ eval ''address=""'' ++ address+ shift + ''['' 0 -gt 0 '']'' + ''['' -n Yes '']'' + setup_one + local using + destnet=0.0.0.0/0 + interface=ppp0 + list_search ppp0 ppp0 eth0 vmnet1 vmnet8 + local e=ppp0 + ''['' 5 -gt 1 '']'' + shift + ''['' xppp0 = xppp0 '']'' + return 0 + ''['' eth0 = eth0 '']'' + nomasq++ masq_chain ppp0 +++ 
chain_base ppp0 +++ local c=ppp0 +++ echo ppp0 ++ echo ppp0_masq + chain=ppp0_masq + iface+ source=eth0 ++ get_routed_subnets eth0 ++ local address ++ local rest ++ ip route show dev eth0 ++ read address rest ++ ''['' x192.168.0.0/24 = xdefault '']'' ++ ''['' 192.168.0.0/24 = 192.168.0.0 '']'' ++ echo 192.168.0.0/24 ++ read address rest + subnets=192.168.0.0/24 + ''['' -z 192.168.0.0/24 '']'' + subnet=192.168.0.0/24 + ''['' -n '''' -a -n '''' '']'' + destination=0.0.0.0/0 + ''['' -n '''' '']'' + destnet=-d 0.0.0.0/0 + ''['' -n 192.168.0.0/24 '']'' + ''['' -n '''' '']'' + addnatrule ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE + ensurenatchain ppp0_masq + havenatchain ppp0_masq + eval test ''"$ppp0_masq_nat_exists"'' = Yes ++ test '''' = Yes + createnatchain ppp0_masq + run_iptables -t nat -N ppp0_masq + iptables -t nat -N ppp0_masq + eval ppp0_masq_nat_exists=Yes ++ ppp0_masq_nat_exists=Yes + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE + ''['' ''x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE'' = ''x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE'' '']'' + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE iptables: Invalid argument + ''['' -z '''' '']'' + stop_firewall + set +x
Tom Eastep
2003-Sep-14 19:34 UTC
[Shorewall-users] Masquerading failure due to 2.6test kernel strictness
On Wed, 10 Sep 2003, Duncan Sands wrote:

> In the iptables (v1.2.8) man page it states:
>
> MASQUERADE
> This target is only valid in the nat table, in the
> POSTROUTING chain.
>
> However shorewall does the following:
>
> + iptables -t nat -N ppp0_masq
> + eval ppp0_masq_nat_exists=Yes
> ++ ppp0_masq_nat_exists=Yes
> + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
> + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
>
> Note the -j MASQUERADE with the ppp0_masq chain. This is invalid according to the above man page
> snippet.

NO IT IS NOT -- Note the "-t nat" which specifies that the Shorewall-generated rule applies to the NAT table. You probably have a kernel/iptables mismatch.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
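The point Tom makes above, that "-t nat" puts the rule in the nat table and the user chain is only a container that POSTROUTING jumps into, can be checked mechanically before a ruleset is loaded. The following is an added example, not code from this thread or from Shorewall: it parses `iptables-save` style text (the two rulesets below are constructed samples, not from Duncan's box) and flags a MASQUERADE rule when it is outside the nat table, when its chain can also be entered from a nat hook other than POSTROUTING, or when no nat hook jumps to the chain at all. The last case is a lint for a rule that can never fire rather than a kernel error; the "entered only via POSTROUTING" criterion is this lint's reading of the man-page rule, not a claim about the kernel's exact check.

```python
"""Lint MASQUERADE placement in an iptables-save dump (added example)."""
import re
from collections import defaultdict, deque

# Constructed sample: the Shorewall-style layout from the thread. MASQUERADE
# sits in user chain ppp0_masq of the nat table and POSTROUTING jumps to it;
# a second rule masquerades directly in POSTROUTING. Both are legitimate.
SAMPLE_OK = """\
*nat
:POSTROUTING ACCEPT [0:0]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A POSTROUTING -s 192.168.58.0/24 -o ppp0 -j MASQUERADE
-A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
COMMIT
"""

# Constructed sample with three placements the lint should flag.
SAMPLE_BAD = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:shared - [0:0]
:orphan_masq - [0:0]
-A PREROUTING -j shared
-A POSTROUTING -j shared
-A shared -s 10.0.0.0/8 -j MASQUERADE
-A orphan_masq -s 10.0.0.0/8 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.0.0/24 -j MASQUERADE
COMMIT
"""

NAT_HOOKS = ("PREROUTING", "OUTPUT", "POSTROUTING")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
JUMP_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")


def parse_tables(dump):
    """Return {table: {chain: [rule_args, ...]}} from iptables-save text."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            continue                      # ignore stray lines outside a table
        elif line.startswith(":"):        # chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        elif RULE_RE.match(line):
            m = RULE_RE.match(line)
            tables[table].setdefault(m.group(1), []).append(m.group(2))
    return tables


def reachable_from(chains, root):
    """Chains reachable from `root` by following -j jumps into user chains."""
    seen, queue = {root}, deque([root])
    while queue:
        for args in chains.get(queue.popleft(), []):
            jm = JUMP_RE.search(args)
            if jm and jm.group(1) in chains and jm.group(1) not in seen:
                seen.add(jm.group(1))
                queue.append(jm.group(1))
    return seen


def hooks_reaching(nat_chains):
    """Map each nat chain to the builtin hooks from which it can be entered."""
    origins = defaultdict(set)
    for hook in NAT_HOOKS:
        for chain in reachable_from(nat_chains, hook):
            origins[chain].add(hook)
    return origins


def misplaced_masquerade(dump):
    """List (table, chain, reason) for each MASQUERADE rule that is misplaced."""
    problems = []
    tables = parse_tables(dump)
    origins = hooks_reaching(tables.get("nat", {}))
    for table, chains in tables.items():
        for chain, rules in chains.items():
            for args in rules:
                jm = JUMP_RE.search(args)
                if not jm or jm.group(1) != "MASQUERADE":
                    continue
                hooks = origins.get(chain, set())
                if table != "nat":
                    reason = "MASQUERADE outside the nat table"
                elif not hooks:
                    reason = "no nat hook jumps to this chain, rule can never fire"
                elif hooks != {"POSTROUTING"}:
                    reason = "chain also entered from " + ",".join(sorted(hooks - {"POSTROUTING"}))
                else:
                    continue              # nat table, entered only via POSTROUTING
                problems.append((table, chain, reason))
    return problems
```

Run against a live box with `iptables-save | python3 -c 'import sys, masq_lint; print(masq_lint.misplaced_masquerade(sys.stdin.read()))'` (module name assumed). On the constructed samples, `SAMPLE_OK` yields no findings, which is the layout Shorewall generates, while `SAMPLE_BAD` reports the shared chain entered from PREROUTING, the orphan chain, and the filter-table rule. A clean report does not rule out the kernel/iptables mismatch Tom suspects; it only confirms the ruleset itself is shaped correctly.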
Jerry Vonau
2003-Sep-15 07:22 UTC
[Shorewall-users] Masquerading failure due to 2.6test kernel strictness
Duncan:

At the archives check out the threads called:

Re: [Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was:Shorewall will not start under linux)

and

Re: [Shorewall-users] iptables: Invalid argument (found problem)

I think you have to rebuild iptables against your present kernel sources.

Jerry Vonau

----- Original Message -----
From: "Duncan Sands" <duncan.sands@wanadoo.fr>
To: <shorewall-users@lists.shorewall.net>
Sent: Sunday, August 31, 2003 06:00 AM
Subject: [Shorewall-users] Masquerading failure due to 2.6test kernel strictness

> In the iptables (v1.2.8) man page it states:
>
> MASQUERADE
> This target is only valid in the nat table, in the
> POSTROUTING chain.
>
> However shorewall does the following:
>
> + iptables -t nat -N ppp0_masq
> + eval ppp0_masq_nat_exists=Yes
> ++ ppp0_masq_nat_exists=Yes
> + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
> + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
>
> Note the -j MASQUERADE with the ppp0_masq chain. This is invalid according to the above man page
> snippet.
>
> With 2.4 kernels this works fine. However with 2.6test kernels it no longer works:
>
> iptables: Invalid argument
>
> Testing shows that the "invalid argument" is -j MASQUERADE. On the other hand,
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
>
> works fine, showing that the problem is indeed due to using MASQUERADE with
> a chain that is not POSTROUTING.
>
> So it looks as if the 2.6 kernel is stricter than 2.4.
>
> Any ideas for how to deal with this?
>
> Thanks,
>
> Duncan.
> > Shorewall version 1.4.6a > > ip addr show: > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 > link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0 > 4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 9178 qdisc pfifo_fast qlen 3 > link/ppp > inet 81.49.162.240 peer 193.253.160.3/32 scope global ppp0 > > ip route show: > 193.253.160.3 dev ppp0 proto kernel scope link src 81.49.162.240 > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1 > 127.0.0.0/8 via 127.0.0.1 dev lo scope link > default via 193.253.160.3 dev ppp0 > > shorewall debug start: > + shift > + nolock> + ''['' 1 -gt 1 '']'' > + trap ''my_mutex_off; exit 2'' 1 2 3 4 5 6 9 > + command=start > + ''['' 1 -ne 1 '']'' > + do_initialize > + export LC_ALL=C > + LC_ALL=C > + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin > + terminator=startup_error > + version> + FW> + SUBSYSLOCK> + STATEDIR> + ALLOWRELATED=Yes > + LOGRATE> + LOGBURST> + LOGPARMS> + ADD_IP_ALIASES> + ADD_SNAT_ALIASES> + TC_ENABLED> + LOGUNCLEAN> + BLACKLIST_DISPOSITION> + BLACKLIST_LOGLEVEL> + CLAMPMSS> + ROUTE_FILTER> + NAT_BEFORE_RULES> + DETECT_DNAT_IPADDRS> + MUTEX_TIMEOUT> + NEWNOTSYN> + LOGNEWNOTSYN> + FORWARDPING> + MACLIST_DISPOSITION> + MACLIST_LOG_LEVEL> + TCP_FLAGS_DISPOSITION> + TCP_FLAGS_LOG_LEVEL> + RFC1918_LOG_LEVEL> + MARK_IN_FORWARD_CHAIN> + SHARED_DIR=/usr/share/shorewall > + FUNCTIONS> + VERSION_FILE> + LOGFORMAT> + LOGRULENUMBERS> + stopping> + have_mutex> + masq_seq=1 > + nonat_seq=1 > + aliases_to_add> + TMP_DIR=/tmp/shorewall-4750 > + rm -rf /tmp/shorewall-4750 > + mkdir -p /tmp/shorewall-4750 > + chmod 700 /tmp/shorewall-4750 > + trap ''rm -rf /tmp/shorewall-4750; my_mutex_off; exit 2'' 1 2 3 4 5 6 9 > + FUNCTIONS=/usr/share/shorewall/functions > + ''['' -f 
/usr/share/shorewall/functions '']'' > + echo ''Loading /usr/share/shorewall/functions...'' > + . /usr/share/shorewall/functions > ++ LEFTSHIFT=<< > + VERSION_FILE=/usr/share/shorewall/version > + ''['' -f /usr/share/shorewall/version '']'' > ++ cat /usr/share/shorewall/version > + version=1.4.6a > + run_user_exit params > ++ find_file params > ++ ''['' -n '''' -a -f /params '']'' > ++ echo /etc/shorewall/params > + local user_exit=/etc/shorewall/params > + ''['' -f /etc/shorewall/params '']'' > + echo ''Processing /etc/shorewall/params ...'' > + . /etc/shorewall/params > ++ find_file shorewall.conf > ++ ''['' -n '''' -a -f /shorewall.conf '']'' > ++ echo /etc/shorewall/shorewall.conf > + config=/etc/shorewall/shorewall.conf > + ''['' -f /etc/shorewall/shorewall.conf '']'' > + echo ''Processing /etc/shorewall/shorewall.conf...'' > + . /etc/shorewall/shorewall.conf > ++ LOGFILE=/var/log/messages > ++ LOGFORMAT=Shorewall:%s:%s: > ++ LOGRATE> ++ LOGBURST> ++ LOGUNCLEAN=info > ++ BLACKLIST_LOGLEVEL> ++ LOGNEWNOTSYN=info > ++ MACLIST_LOG_LEVEL=info > ++ TCP_FLAGS_LOG_LEVEL=info > ++ RFC1918_LOG_LEVEL=info > ++ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin > ++ SHOREWALL_SHELL=/bin/sh > ++ SUBSYSLOCK=/var/lock/subsys/shorewall > ++ STATEDIR=/var/lib/shorewall > ++ MODULESDIR> ++ FW=fw > ++ IP_FORWARDING=On > ++ ADD_IP_ALIASES=Yes > ++ ADD_SNAT_ALIASES=No > ++ TC_ENABLED=No > ++ CLEAR_TC=Yes > ++ MARK_IN_FORWARD_CHAIN=No > ++ CLAMPMSS=No > ++ ROUTE_FILTER=No > ++ NAT_BEFORE_RULES=Yes > ++ DETECT_DNAT_IPADDRS=No > ++ MUTEX_TIMEOUT=60 > ++ NEWNOTSYN=No > ++ BLACKLIST_DISPOSITION=DROP > ++ MACLIST_DISPOSITION=REJECT > ++ TCP_FLAGS_DISPOSITION=DROP > + determine_capabilities > + qt iptables -t nat -L -n > + iptables -t nat -L -n > + NAT_ENABLED=Yes > + qt iptables -t mangle -L -n > + iptables -t mangle -L -n > + MANGLE_ENABLED=Yes > + CONNTRACK_MATCH> + MULTIPORT> + qt iptables -N fooX1234 > + iptables -N fooX1234 > + qt iptables -A fooX1234 -m conntrack 
--ctorigdst 192.168.1.1 -j ACCEPT > + iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT > + qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT > + iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT > + MULTIPORT=Yes > + qt iptables -F fooX1234 > + iptables -F fooX1234 > + qt iptables -X fooX1234 > + iptables -X fooX1234 > + ''['' -z /var/lib/shorewall '']'' > + ''['' -d /var/lib/shorewall '']'' > + ''['' -z fw '']'' > ++ added_param_value_yes ALLOWRELATED Yes > ++ local val=Yes > ++ ''['' -z Yes '']'' > ++ echo Yes > + ALLOWRELATED=Yes > + ''['' -n Yes '']'' > ++ added_param_value_yes ADD_IP_ALIASES Yes > ++ local val=Yes > ++ ''['' -z Yes '']'' > ++ echo Yes > + ADD_IP_ALIASES=Yes > ++ added_param_value_yes TC_ENABLED No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + TC_ENABLED> + ''['' -n '''' '']'' > + ''['' -n On '']'' > + ''['' -n '''' -a -z Yes '']'' > + ''['' -z DROP '']'' > ++ added_param_value_no CLAMPMSS No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + CLAMPMSS> ++ added_param_value_no ADD_SNAT_ALIASES No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + ADD_SNAT_ALIASES> ++ added_param_value_no ROUTE_FILTER No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + ROUTE_FILTER> ++ added_param_value_yes NAT_BEFORE_RULES Yes > ++ local val=Yes > ++ ''['' -z Yes '']'' > ++ echo Yes > + NAT_BEFORE_RULES=Yes > ++ added_param_value_no DETECT_DNAT_IPADDRS No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + DETECT_DNAT_IPADDRS> ++ added_param_value_no FORWARDPING > ++ local val> ++ ''['' -z '''' '']'' > ++ echo '''' > + FORWARDPING> + ''['' -n '''' '']'' > ++ added_param_value_yes NEWNOTSYN No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo '''' > + NEWNOTSYN> + maclist_target=reject > + ''['' -n REJECT '']'' > + ''['' -n DROP '']'' > + ''['' -z info '']'' > ++ added_param_value_no MARK_IN_FORWARD_CHAIN No > ++ local val=No > ++ ''['' -z No '']'' > ++ echo 
'''' > + MARK_IN_FORWARD_CHAIN> + ''['' -n '''' '']'' > + marking_chain=tcpre > + ''['' -n '''' '']'' > + CLEAR_TC> + ''['' -n Shorewall:%s:%s: '']'' > ++ echo Shorewall:%s:%s: > ++ grep %d > + ''['' -n '''' '']'' > ++ printf Shorewall:%s:%s: fooxx barxx > + temp=Shorewall:fooxx:barxx: > + ''['' 0 -ne 0 '']'' > + ''['' 22 -gt 29 '']'' > + strip_file interfaces > + local fname > + ''['' 1 = 1 '']'' > ++ find_file interfaces > ++ ''['' -n '''' -a -f /interfaces '']'' > ++ echo /etc/shorewall/interfaces > + fname=/etc/shorewall/interfaces > + ''['' -f /etc/shorewall/interfaces '']'' > + read_file /etc/shorewall/interfaces 0 > + local first rest > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 -- Interfaces File'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/interfaces'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# You must add an entry in this file for each network interface onyour''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# firewall system.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ZONE Zone for this interface. 
Must match the short name'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# of a zone defined in /etc/shorewall/zones.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# If the interface serves multiple zones that will be'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# defined in the /etc/shorewall/hosts file, you should'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# place "-" in this column.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE Name of interface. Each interface may be listed only'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# once in this file. You may NOT specify the name of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# an alias (e.g., eth0:0) here; see'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# http://www.shorewall.net/FAQ.htm#faq18'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# You may specify wildcards here. For example, if you'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# want to make an entry that applies to all PPP'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interfaces, use ''\''''ppp+''\''''.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# BROADCAST The broadcast address for the subnetwork to which the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interface belongs. 
For P-T-P interfaces, this'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# column is left black.If the interface has multiple'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# addresses on multiple subnets then list the broadcast'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# addresses as a comma-separated list.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# If you use the special value "detect", the firewall'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# will detect the broadcast address for you. If you'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# select this option, the interface must be up before'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the firewall is started, you must have iproute'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# installed and the interface must only be associated'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# with a single subnet.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# If you don''\''''t want to give a value for this column but'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# you want to enter a value in the OPTIONS column, enter'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# "-" in this column.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# OPTIONS A comma-separated list of options including the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# following:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# dhcp - interface is managed by DHCP or used by'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# a 
DHCP server running on the firewall or'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# you have a static IP but are on a LAN'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# segment with lots of Laptop DHCP clients.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# norfc1918 - This interface should not receive'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# any packets whose source is in one'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# of the ranges reserved by RFC 1918'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# (i.e., private or "non-routable"'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# addresses. If packet mangling is'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# enabled in shorewall.conf, packets'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# whose destination addresses are'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# reserved by RFC 1918 are also rejected.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# routefilter - turn on kernel route filtering for this'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interface (anti-spoofing measure). This'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# option can also be enabled globally in'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the /etc/shorewall/shorewall.conf file.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# dropunclean - Logs and drops mangled/invalid packets'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# logunclean - Logs mangled/invalid packets but does'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# not drop them.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# . . 
blacklist - Check packets arriving on this interface'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# against the /etc/shorewall/blacklist'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# file.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# maclist - Connection requests from this interface'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# are compared against the contents of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/maclist. If this option'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# is specified, the interface must be'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# an ethernet NIC and must be up before'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall is started.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# tcpflags - Packets arriving on this interface are'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# checked for certain illegal combinations'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# of TCP flags. 
Packets found to have'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# such a combination of flags are handled'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# according to the setting of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# TCP_FLAGS_DISPOSITION after having been'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# logged according to the setting of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# TCP_FLAGS_LOG_LEVEL.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# proxyarp -'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Sets'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Do NOT use this option if you are'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# employing Proxy ARP through entries in'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/proxyarp. 
This option is'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# intended soley for use with Proxy ARP'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# sub-networking as described at:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# newnotsyn - TCP packets that don''\''''t have the SYN'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# flag set and which are not part of an'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# established connection will be accepted'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# from this interface, even if'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# NEWNOTSYN=No has been specified in'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/shorewall.conf.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This option has no effect if'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# NEWNOTSYN=Yes.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# The order in which you list the options is not'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# significant but the list should have no embedded white'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# space.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + cut -d# -f1 > + grep -v ''^[[:space:]]*$'' > + ''['' x# = xINCLUDE '']'' > + echo ''# Example 1: Suppose you have eth0 connected to a DSL modem and'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# eth1 connected to your local network and that your'' > + read first rest 
> + ''['' x# = xINCLUDE '']'' > + echo ''# local subnet is 192.168.1.0/24. The interface gets'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# it''\''''s IP address via DHCP from subnet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# 206.191.149.192/27. You have a DMZ with subnet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# 192.168.2.0/24 using eth2.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Your entries for this setup would look like:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# net eth0 206.191.149.223 dhcp'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# local eth1 192.168.1.255'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# dmz eth2 192.168.2.255'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example 2: The same configuration without specifying broadcast'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# addresses is:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# net eth0 detect dhcp'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# loc eth1 detect'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# dmz eth2 detect'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example 3: You have a simple dial-in system with no ethernet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# connections.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# net ppp0 -'' > + read first rest > + 
> + '[' x############################################################################## = xINCLUDE ']'
> + echo '##############################################################################'
> + read first rest
> + '[' x#ZONE = xINCLUDE ']'
> + echo '#ZONE INTERFACE BROADCAST OPTIONS'
> + read first rest
> + '[' xnet = xINCLUDE ']'
> + echo 'net ppp0 - routefilter,norfc1918'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc eth0 detect'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc vmnet1 detect'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc vmnet8 detect'
> + read first rest
> + '[' x#LAST = xINCLUDE ']'
> + echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
> + read first rest
> + strip_file hosts
> + local fname
> + '[' 1 = 1 ']'
> ++ find_file hosts
> ++ '[' -n '' -a -f /hosts ']'
> ++ echo /etc/shorewall/hosts
> + fname=/etc/shorewall/hosts
> + '[' -f /etc/shorewall/hosts ']'
> + read_file /etc/shorewall/hosts 0
> + local first rest
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Shorewall 1.4 - /etc/shorewall/hosts'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# BETWEEN THESE NETWORKS.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A
SINGLE'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# IF YOU DON''\''''T HAVE EITHER OF THESE SITUATIONS THEN DON''\''''TTOUCH''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# THIS FILE.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This file is used to define zones in terms of subnets and/or'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# individual IP addresses. Most simple setups don''\''''t need to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# (should not) place anything in this file.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ZONE - The name of a zone defined in /etc/shorewall/zones'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# HOST(S) - The name of an interface followed by a colon (":")and''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# a comma-separated list whose elements are either:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + cut -d# -f1 > + echo ''# a) The IP address of a host'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# b) A subnetwork in the form'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# <subnet-address>/<mask width>'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# The interface must be defined in the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/interfaces file.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first 
rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Examples:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# eth1:192.168.1.3'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# eth2:192.168.2.0/24'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# eth3:192.168.2.0/24,192.168.3.1'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# OPTIONS - A comma-separated list of options. Currently-defined'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# options are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# maclist - Connection requests from these hosts'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# are compared against the contents of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/maclist. If this option'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# is specified, the interface must be'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# an ethernet NIC and must be up before'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall is started.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# routeback - Shorewall show set up the infrastructure'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# to pass packets from this/these'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# address(es) back to themselves. 
This is'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# necessary of hosts in this group use the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# services of a transparent proxy that is'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# a member of the group or if DNAT is used'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# to send requests originating from this'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# group to a server in the group.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x#ZONE = xINCLUDE ']'
> + echo '#ZONE HOST(S) OPTIONS'
> + read first rest
> + '[' x#LAST = xINCLUDE ']'
> + echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE'
> + read first rest
> + grep -v '^[[:space:]]*$'
> + '[' -n /bin/sh ']'
> ++ decodeaddr 192.168.1.1
> ++ local x
> ++ local temp=0
> ++ local 'ifs
> '
> ++ IFS=.
> ++ temp=192
> ++ temp=49320
> ++ temp=12625921
> ++ temp=3232235777
> ++ echo 3232235777
> ++ IFS
> 
> + temp=3232235777
> ++ encodeaddr 3232235777
> ++ addr=3232235777
> ++ local x
> ++ local y=1
> ++ addr=12625921
> ++ y=1.1
> ++ addr=49320
> ++ y=168.1.1
> ++ addr=192
> ++ y=192.168.1.1
> ++ echo 192.168.1.1
> + '[' 192.168.1.1 '!=' 192.168.1.1 ']'
> + my_mutex_on
> + '[' -n '' ']'
> + mutex_on
> + local try=0
> + local lockf=/var/lib/shorewall/lock
> + MUTEX_TIMEOUT=60
> + '[' 60 -gt 0 ']'
> + '[' -d /var/lib/shorewall ']'
> + qt which lockfile
> + which lockfile
> + '[' -f /var/lib/shorewall/lock -a 0 -lt 60 ']'
> + '[' 0 -lt 60 ']'
> + echo 4750
> + have_mutex=Yes
> + qt iptables -L shorewall -n
> + iptables -L shorewall -n
> + define_firewall Start
> + '[' -f /etc/shorewall/startup_disabled ']'
> + echo 'Starting Shorewall...'
> + verify_os_version
> ++ uname -r
> + osversion=2.6.0-test4
> ++ lsmod
> ++ grep '^ipchains'
> + '[' start = start -a -n '' ']'
> + verify_ip
> + qt ip link ls
> + ip link ls
> + load_kernel_modules
> + '[' -z '' ']'
> + MODULESDIR=/lib/modules/2.6.0-test4/kernel/net/ipv4/netfilter
> ++ find_file modules
> ++ '[' -n '' -a -f /modules ']'
> ++ echo /etc/shorewall/modules
> + modules=/etc/shorewall/modules
> + '[' -f /etc/shorewall/modules -a -d /lib/modules/2.6.0-test4/kernel/net/ipv4/netfilter ']'
> + echo Initializing...
> + initialize_netfilter
> + report_capabilities
> + echo 'Shorewall has detected the following iptables/netfilter capabilities:'
> + report_capability Yes NAT
> + local setting
> + '[' xYes = xYes ']'
> + setting=Available
> + shift
> + echo ' ' NAT: Available
> + report_capability Yes 'Packet Mangling'
> + local setting
> + '[' xYes = xYes ']'
> + setting=Available
> + shift
> + echo ' ' Packet Mangling: Available
> + report_capability Yes 'Multi-port Match'
> + local setting
> + '[' xYes = xYes ']'
> + setting=Available
> + shift
> + echo ' ' Multi-port Match: Available
> + report_capability 'Connection Tracking Match'
> + local setting
> + '[' 'xConnection Tracking Match' = xYes ']'
> + setting=Not available
> + echo ' ' Connection Tracking Match: Not available
> + echo 'Determining Zones...'
> + determine_zones
> ++ find_file zones
> ++ '[' -n '' -a -f /zones ']'
> ++ echo /etc/shorewall/zones
> + local zonefile=/etc/shorewall/zones
> + multi_display=Multi-zone
> + strip_file zones /etc/shorewall/zones
> + local fname
> + '[' 2 = 1 ']'
> + fname=/etc/shorewall/zones
> + '[' -f /etc/shorewall/zones ']'
> + read_file /etc/shorewall/zones 0
> + local first rest
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Shorewall 1.4 /etc/shorewall/zones'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# This file determines your network zones. Columns are:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ZONE Short name of the zone (5 Characters or less in length).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DISPLAY Display name of the zone'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# COMMENTS Comments about the zone'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x#ZONE = xINCLUDE ']'
> + echo '#ZONE DISPLAY COMMENTS'
> + read first rest
> + '[' xnet = xINCLUDE ']'
> + echo 'net Net Internet'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc Local Local Networks'
> + read first rest
> + '[' x#LAST = xINCLUDE ']'
> + echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
> + read first rest
> + cut -d# -f1
> + grep -v '^[[:space:]]*$'
> ++ find_zones /tmp/shorewall-4750/zones
> ++ read zone display comments
> ++ '[' -n net ']'
> ++ echo net
> ++ read zone display comments
> ++ '[' -n loc ']'
> ++ echo loc
> ++ read zone display comments
> + zones=net
> loc
> ++ echo net loc
> + zones=net loc
> ++ find_display net /tmp/shorewall-4750/zones
> ++ grep '^net' /tmp/shorewall-4750/zones
> ++ read z display comments
> ++ '[' xnet = xnet ']'
> ++ echo Net
> ++ read z display comments
> + dsply=Net
> + eval 'net_display=$dsply'
> ++ net_display=Net
> ++ find_display loc /tmp/shorewall-4750/zones
> ++ grep '^loc' /tmp/shorewall-4750/zones
> ++ read z display comments
> ++ '[' xloc = xloc ']'
> ++ echo Local
> ++ read z display comments
> + dsply=Local
> + eval 'loc_display=$dsply'
> ++ loc_display=Local
> + '[' -z 'net loc' ']'
> + display_list Zones: net loc
> + '[' 3 -gt 1 ']'
> + echo ' Zones: net loc'
> + echo 'Validating interfaces file...'
> + validate_interfaces_file
> + read z interface subnet options
> + expandv z interface subnet options
> +
local varval > + ''['' 4 -gt 0 '']'' > + eval ''varval=$z'' > ++ varval=net > + eval ''z="net"'' > ++ z=net > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$interface'' > ++ varval=ppp0 > + eval ''interface="ppp0"'' > ++ interface=ppp0 > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$subnet'' > ++ varval=- > + eval ''subnet="-"'' > ++ subnet=- > + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$options'' > ++ varval=routefilter,norfc1918 > + eval ''options="routefilter,norfc1918"'' > ++ options=routefilter,norfc1918 > + shift > + ''['' 0 -gt 0 '']'' > + r=net ppp0 - routefilter,norfc1918 > + ''['' xnet = x- '']'' > + ''['' -n net '']'' > + validate_zone net > + list_search net net loc fw > + local e=net > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xnet = xnet '']'' > + return 0 > ++ ip link show ppp0 > ++ grep LOOPBACK > + ''['' -n '''' '']'' > + list_search ppp0 > + local e=ppp0 > + ''['' 1 -gt 1 '']'' > + return 1 > + all_interfaces= ppp0 > ++ separate_list routefilter,norfc1918 > ++ local list > ++ local part > ++ local newlist > ++ list=routefilter,norfc1918 > ++ part=routefilter > ++ newlist=routefilter > ++ ''['' xroutefilter ''!='' xroutefilter,norfc1918 '']'' > ++ list=norfc1918 > ++ part=norfc1918 > ++ newlist=routefilter norfc1918 > ++ ''['' xnorfc1918 ''!='' xnorfc1918 '']'' > ++ echo ''routefilter norfc1918'' > + options=routefilter norfc1918 > ++ chain_base ppp0 > ++ local c=ppp0 > ++ echo ppp0 > + interface=ppp0 > + eval ppp0_broadcast=- > ++ ppp0_broadcast=- > + eval ppp0_zone=net > ++ ppp0_zone=net > + eval ''ppp0_options="routefilter'' ''norfc1918"'' > ++ ppp0_options=routefilter norfc1918 > + ''['' -z '' ppp0'' '']'' > + read z interface subnet options > + expandv z interface subnet options > + local varval > + ''['' 4 -gt 0 '']'' > + eval ''varval=$z'' > ++ varval=loc > + eval ''z="loc"'' > ++ z=loc > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$interface'' > ++ varval=eth0 > + eval ''interface="eth0"'' > ++ interface=eth0 > + shift 
> + ''['' 2 -gt 0 '']'' > + eval ''varval=$subnet'' > ++ varval=detect > + eval ''subnet="detect"'' > ++ subnet=detect > + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$options'' > ++ varval> + eval ''options=""'' > ++ options> + shift > + ''['' 0 -gt 0 '']'' > + r=loc eth0 detect > + ''['' xloc = x- '']'' > + ''['' -n loc '']'' > + validate_zone loc > + list_search loc net loc fw > + local e=loc > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xloc = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xloc = xloc '']'' > + return 0 > ++ ip link show eth0 > ++ grep LOOPBACK > + ''['' -n '''' '']'' > + list_search eth0 ppp0 > + local e=eth0 > + ''['' 2 -gt 1 '']'' > + shift > + ''['' xeth0 = xppp0 '']'' > + ''['' 1 -gt 1 '']'' > + return 1 > + all_interfaces= ppp0 eth0 > ++ separate_list > ++ local list > ++ local part > ++ local newlist > ++ list> ++ part> ++ newlist> ++ ''['' x ''!='' x '']'' > ++ echo '''' > + options> ++ chain_base eth0 > ++ local c=eth0 > ++ echo eth0 > + interface=eth0 > + eval eth0_broadcast=detect > ++ eth0_broadcast=detect > + eval eth0_zone=loc > ++ eth0_zone=loc > + eval ''eth0_options=""'' > ++ eth0_options> + ''['' -z '' ppp0 eth0'' '']'' > + read z interface subnet options > + expandv z interface subnet options > + local varval > + ''['' 4 -gt 0 '']'' > + eval ''varval=$z'' > ++ varval=loc > + eval ''z="loc"'' > ++ z=loc > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$interface'' > ++ varval=vmnet1 > + eval ''interface="vmnet1"'' > ++ interface=vmnet1 > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$subnet'' > ++ varval=detect > + eval ''subnet="detect"'' > ++ subnet=detect > + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$options'' > ++ varval> + eval ''options=""'' > ++ options> + shift > + ''['' 0 -gt 0 '']'' > + r=loc vmnet1 detect > + ''['' xloc = x- '']'' > + ''['' -n loc '']'' > + validate_zone loc > + list_search loc net loc fw > + local e=loc > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xloc = xnet '']'' > + ''['' 
3 -gt 1 '']'' > + shift > + ''['' xloc = xloc '']'' > + return 0 > ++ ip link show vmnet1 > ++ grep LOOPBACK > + ''['' -n '''' '']'' > + list_search vmnet1 ppp0 eth0 > + local e=vmnet1 > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xvmnet1 = xppp0 '']'' > + ''['' 2 -gt 1 '']'' > + shift > + ''['' xvmnet1 = xeth0 '']'' > + ''['' 1 -gt 1 '']'' > + return 1 > + all_interfaces= ppp0 eth0 vmnet1 > ++ separate_list > ++ local list > ++ local part > ++ local newlist > ++ list> ++ part> ++ newlist> ++ ''['' x ''!='' x '']'' > ++ echo '''' > + options> ++ chain_base vmnet1 > ++ local c=vmnet1 > ++ echo vmnet1 > + interface=vmnet1 > + eval vmnet1_broadcast=detect > ++ vmnet1_broadcast=detect > + eval vmnet1_zone=loc > ++ vmnet1_zone=loc > + eval ''vmnet1_options=""'' > ++ vmnet1_options> + ''['' -z '' ppp0 eth0 vmnet1'' '']'' > + read z interface subnet options > + expandv z interface subnet options > + local varval > + ''['' 4 -gt 0 '']'' > + eval ''varval=$z'' > ++ varval=loc > + eval ''z="loc"'' > ++ z=loc > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$interface'' > ++ varval=vmnet8 > + eval ''interface="vmnet8"'' > ++ interface=vmnet8 > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$subnet'' > ++ varval=detect > + eval ''subnet="detect"'' > ++ subnet=detect > + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$options'' > ++ varval> + eval ''options=""'' > ++ options> + shift > + ''['' 0 -gt 0 '']'' > + r=loc vmnet8 detect > + ''['' xloc = x- '']'' > + ''['' -n loc '']'' > + validate_zone loc > + list_search loc net loc fw > + local e=loc > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xloc = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xloc = xloc '']'' > + return 0 > ++ ip link show vmnet8 > ++ grep LOOPBACK > + ''['' -n '''' '']'' > + list_search vmnet8 ppp0 eth0 vmnet1 > + local e=vmnet8 > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xvmnet8 = xppp0 '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xvmnet8 = xeth0 '']'' > + ''['' 2 -gt 1 '']'' > + shift > + 
''['' xvmnet8 = xvmnet1 '']'' > + ''['' 1 -gt 1 '']'' > + return 1 > + all_interfaces= ppp0 eth0 vmnet1 vmnet8 > ++ separate_list > ++ local list > ++ local part > ++ local newlist > ++ list> ++ part> ++ newlist> ++ ''['' x ''!='' x '']'' > ++ echo '''' > + options> ++ chain_base vmnet8 > ++ local c=vmnet8 > ++ echo vmnet8 > + interface=vmnet8 > + eval vmnet8_broadcast=detect > ++ vmnet8_broadcast=detect > + eval vmnet8_zone=loc > ++ vmnet8_zone=loc > + eval ''vmnet8_options=""'' > ++ vmnet8_options> + ''['' -z '' ppp0 eth0 vmnet1 vmnet8'' '']'' > + read z interface subnet options > + echo ''Validating hosts file...'' > + validate_hosts_file > + read z hosts options > + echo ''Validating Policy file...'' > + validate_policy > + local clientwild > + local serverwild > + local zone > + local zone1 > + local pc > + local chain > + local policy > + local loglevel > + local synparams > + all_policy_chains> + strip_file policy > + local fname > + ''['' 1 = 1 '']'' > ++ find_file policy > ++ ''['' -n '''' -a -f /policy '']'' > ++ echo /etc/shorewall/policy > + fname=/etc/shorewall/policy > + ''['' -f /etc/shorewall/policy '']'' > + read_file /etc/shorewall/policy 0 > + local first rest > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 -- Policy File'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/policy'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This file determines what to do with a new connection request ifwe''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# don''\''''t get a match from the /etc/shorewall/rules file or fromthe''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/common[.def] file. 
For each source/destinationpair, the''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# file is processed in order until a match is found ("all" willmatch''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# any client or server).'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# SOURCE Source zone. Must be the name of a zone defined'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# in /etc/shorewall/zones, $FW or "all".'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# DEST Destination zone. Must be the name of a zone defined'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# in /etc/shorewall/zones, $FW or "all"'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# WARNING: Firewall->Firewall policies are not allowed; if'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# you have a policy where both SOURCE and DEST are $FW,'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall will not start!'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# POLICY Policy if no match from the rules file is found. 
Must'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ACCEPT - Accept the connection'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# DROP - Ignore the connection request'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# REJECT - For TCP, send RST. For all other, send'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# "port unreachable" ICMP.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# CONTINUE - Pass the connection request past'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# any other rules that it might also'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# match (where the source or destination'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# zone in those rules is a superset of'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the SOURCE or DEST in this policy).'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# NONE - Assume that there will never be any'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# packets from this SOURCE'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# to this DEST. Shorewall will not set up'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# any infrastructure to handle such'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# packets and you may not have any rules'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# with this SOURCE and DEST in the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/rules file. 
If such a'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# packet _is_ received, the result is'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# undefined.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# LOG LEVEL If supplied, each connection handled under thedefault''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# POLICY is logged at that level. If not supplied, no'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# log message is generated. See syslog.conf(5) for a'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# description of log levels.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Beginning with Shorewall version 1.3.12, you may'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# also specify ULOG (must be in upper case). This will'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# log to the ULOG target and sent to a separate log'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# through use of ulogd'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# (http://www.gnumonks.org/projects/ulogd).'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# If you don''\''''t want to log but need to specify the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# following column, place "_" here.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# LIMIT:BURST If passed, specifies the maximum TCP connectionrate''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# and the size of an acceptable burst. 
If not specified,'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# TCP connections are not limited.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# As shipped, the default policies are:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# a) All connections from the local network to the internet are allowed'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# b) All connections from the internet are ignored but logged at syslog'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# level KERNEL.INFO.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# d) All other connection requests are rejected and logged at level'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# KERNEL.INFO.'
> + read first rest
> + '[' x############################################################################### = xINCLUDE ']'
> + echo '###############################################################################'
> + read first rest
> + '[' x#SOURCE = xINCLUDE ']'
> + echo '#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc net ACCEPT'
> + read first rest
> + '[' xloc = xINCLUDE ']'
> + echo 'loc fw ACCEPT'
> + read first rest
> + '[' xfw = xINCLUDE ']'
> + echo 'fw net ACCEPT'
> + read first rest
> + '[' xfw = xINCLUDE ']'
> + echo 'fw loc ACCEPT'
> + read first rest
> + '[' xnet = xINCLUDE ']'
> + echo 'net all DROP info'
> + read first rest
> + '[' xall = xINCLUDE ']'
> + echo 'all all REJECT info'
> + read first rest
> + '[' x#LAST = xINCLUDE ']'
> + echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
> + read first rest
> + cut -d# -f1
> + grep -v '^[[:space:]]*$'
> + read client server policy loglevel synparams
> + expandv client server
policy loglevel synparams > + local varval > + ''['' 5 -gt 0 '']'' > + eval ''varval=$client'' > ++ varval=loc > + eval ''client="loc"'' > ++ client=loc > + shift > + ''['' 4 -gt 0 '']'' > + eval ''varval=$server'' > ++ varval=net > + eval ''server="net"'' > ++ server=net > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$policy'' > ++ varval=ACCEPT > + eval ''policy="ACCEPT"'' > ++ policy=ACCEPT > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$loglevel'' > ++ varval> + eval ''loglevel=""'' > ++ loglevel> + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$synparams'' > ++ varval> + eval ''synparams=""'' > ++ synparams> + shift > + ''['' 0 -gt 0 '']'' > + clientwild> + serverwild> + validate_zone loc > + list_search loc net loc fw > + local e=loc > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xloc = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xloc = xloc '']'' > + return 0 > + validate_zone net > + list_search net net loc fw > + local e=net > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xnet = xnet '']'' > + return 0 > + chain=loc2net > + ''['' xloc2net = xfw2fw '']'' > + is_policy_chain loc2net > + eval test ''"$loc2net_is_policy"'' = Yes > ++ test '''' = Yes > + ''['' x = x- '']'' > + chain=loc2net > + ''['' ACCEPT = NONE '']'' > + all_policy_chains= loc2net > + eval loc2net_is_policy=Yes > ++ loc2net_is_policy=Yes > + eval loc2net_policy=ACCEPT > ++ loc2net_policy=ACCEPT > + eval loc2net_loglevel> ++ loc2net_loglevel> + eval loc2net_synparams> ++ loc2net_synparams> + ''['' -n '''' '']'' > + ''['' -n '''' '']'' > + eval loc2net_policychain=loc2net > ++ loc2net_policychain=loc2net > + print_policy loc net > + ''['' start ''!='' check '']'' > + read client server policy loglevel synparams > + expandv client server policy loglevel synparams > + local varval > + ''['' 5 -gt 0 '']'' > + eval ''varval=$client'' > ++ varval=loc > + eval ''client="loc"'' > ++ client=loc > + shift > + ''['' 4 -gt 0 '']'' > + eval ''varval=$server'' > ++ varval=fw > + eval 
'server="fw"'
> ++ server=fw
> + shift
> + '[' 3 -gt 0 ']'
> + eval 'varval=$policy'
> ++ varval=ACCEPT
> + eval 'policy="ACCEPT"'
> ++ policy=ACCEPT
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$loglevel'
> ++ varval=
> + eval 'loglevel=""'
> ++ loglevel=
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$synparams'
> ++ varval=
> + eval 'synparams=""'
> ++ synparams=
> + shift
> + '[' 0 -gt 0 ']'
> + clientwild=
> + serverwild=
> + validate_zone loc
> + list_search loc net loc fw
> + local e=loc
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xloc = xnet ']'
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xloc = xloc ']'
> + return 0
> + validate_zone fw
> + list_search fw net loc fw
> + local e=fw
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xfw = xnet ']'
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xfw = xloc ']'
> + '[' 2 -gt 1 ']'
> + shift
> + '[' xfw = xfw ']'
> + return 0
> + chain=loc2fw
> + '[' xloc2fw = xfw2fw ']'
> + is_policy_chain loc2fw
> + eval test '"$loc2fw_is_policy"' = Yes
> ++ test '' = Yes
> + '[' x = x- ']'
> + chain=loc2fw
> + '[' ACCEPT = NONE ']'
> + all_policy_chains= loc2net loc2fw
> + eval loc2fw_is_policy=Yes
> ++ loc2fw_is_policy=Yes
> + eval loc2fw_policy=ACCEPT
> ++ loc2fw_policy=ACCEPT
> + eval loc2fw_loglevel=
> ++ loc2fw_loglevel=
> + eval loc2fw_synparams=
> ++ loc2fw_synparams=
> + '[' -n '' ']'
> + '[' -n '' ']'
> + eval loc2fw_policychain=loc2fw
> ++ loc2fw_policychain=loc2fw
> + print_policy loc fw
> + '[' start '!=' check ']'
> + read client server policy loglevel synparams
> + expandv client server policy loglevel synparams
> + local varval
> + '[' 5 -gt 0 ']'
> + eval 'varval=$client'
> ++ varval=fw
> + eval 'client="fw"'
> ++ client=fw
> + shift
> + '[' 4 -gt 0 ']'
> + eval 'varval=$server'
> ++ varval=net
> + eval 'server="net"'
> ++ server=net
> + shift
> + '[' 3 -gt 0 ']'
> + eval 'varval=$policy'
> ++ varval=ACCEPT
> + eval 'policy="ACCEPT"'
> ++ policy=ACCEPT
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$loglevel'
> ++ varval=
> + eval 'loglevel=""'
> ++ loglevel=
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$synparams'
> ++ varval=
> + eval 'synparams=""'
> ++ synparams=
> + shift
> + '[' 0 -gt 0 ']'
> + clientwild=
> + serverwild=
> + validate_zone fw
> + list_search fw net loc fw
> + local e=fw
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xfw = xnet ']'
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xfw = xloc ']'
> + '[' 2 -gt 1 ']'
> + shift
> + '[' xfw = xfw ']'
> + return 0
> + validate_zone net
> + list_search net net loc fw
> + local e=net
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xnet = xnet ']'
> + return 0
> + chain=fw2net
> + '[' xfw2net = xfw2fw ']'
> + is_policy_chain fw2net
> + eval test '"$fw2net_is_policy"' = Yes
> ++ test '' = Yes
> + '[' x = x- ']'
> + chain=fw2net
> + '[' ACCEPT = NONE ']'
> + all_policy_chains= loc2net loc2fw fw2net
> + eval fw2net_is_policy=Yes
> ++ fw2net_is_policy=Yes
> + eval fw2net_policy=ACCEPT
> ++ fw2net_policy=ACCEPT
> + eval fw2net_loglevel=
> ++ fw2net_loglevel=
> + eval fw2net_synparams=
> ++ fw2net_synparams=
> + '[' -n '' ']'
> + '[' -n '' ']'
> + eval fw2net_policychain=fw2net
> ++ fw2net_policychain=fw2net
> + print_policy fw net
> + '[' start '!=' check ']'
> + read client server policy loglevel synparams
> + expandv client server policy loglevel synparams
> + local varval
> + '[' 5 -gt 0 ']'
> + eval 'varval=$client'
> ++ varval=fw
> + eval 'client="fw"'
> ++ client=fw
> + shift
> + '[' 4 -gt 0 ']'
> + eval 'varval=$server'
> ++ varval=loc
> + eval 'server="loc"'
> ++ server=loc
> + shift
> + '[' 3 -gt 0 ']'
> + eval 'varval=$policy'
> ++ varval=ACCEPT
> + eval 'policy="ACCEPT"'
> ++ policy=ACCEPT
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$loglevel'
> ++ varval=
> + eval 'loglevel=""'
> ++ loglevel=
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$synparams'
> ++ varval=
> + eval 'synparams=""'
> ++ synparams=
> + shift
> + '[' 0 -gt 0 ']'
> + clientwild=
> + serverwild=
> + validate_zone fw
> + list_search fw net loc fw
> + local e=fw
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xfw = xnet ']'
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xfw = xloc ']'
> + '[' 2 -gt 1 ']'
> + shift
> + '[' xfw = xfw ']'
> + return 0
> + validate_zone loc
> + list_search loc net loc fw
> + local e=loc
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xloc = xnet ']'
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xloc = xloc ']'
> + return 0
> + chain=fw2loc
> + '[' xfw2loc = xfw2fw ']'
> + is_policy_chain fw2loc
> + eval test '"$fw2loc_is_policy"' = Yes
> ++ test '' = Yes
> + '[' x = x- ']'
> + chain=fw2loc
> + '[' ACCEPT = NONE ']'
> + all_policy_chains= loc2net loc2fw fw2net fw2loc
> + eval fw2loc_is_policy=Yes
> ++ fw2loc_is_policy=Yes
> + eval fw2loc_policy=ACCEPT
> ++ fw2loc_policy=ACCEPT
> + eval fw2loc_loglevel=
> ++ fw2loc_loglevel=
> + eval fw2loc_synparams=
> ++ fw2loc_synparams=
> + '[' -n '' ']'
> + '[' -n '' ']'
> + eval fw2loc_policychain=fw2loc
> ++ fw2loc_policychain=fw2loc
> + print_policy fw loc
> + '[' start '!=' check ']'
> + read client server policy loglevel synparams
> + expandv client server policy loglevel synparams
> + local varval
> + '[' 5 -gt 0 ']'
> + eval 'varval=$client'
> ++ varval=net
> + eval 'client="net"'
> ++ client=net
> + shift
> + '[' 4 -gt 0 ']'
> + eval 'varval=$server'
> ++ varval=all
> + eval 'server="all"'
> ++ server=all
> + shift
> + '[' 3 -gt 0 ']'
> + eval 'varval=$policy'
> ++ varval=DROP
> + eval 'policy="DROP"'
> ++ policy=DROP
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$loglevel'
> ++ varval=info
> + eval 'loglevel="info"'
> ++ loglevel=info
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$synparams'
> ++ varval=
> + eval 'synparams=""'
> ++ synparams=
> + shift
> + '[' 0 -gt 0 ']'
> + clientwild=
> + serverwild=
> + validate_zone net
> + list_search net net loc fw
> + local e=net
> + '[' 4 -gt 1 ']'
> + shift
> + '[' xnet = xnet ']'
> + return 0
> + serverwild=Yes
> + chain=net2all
> + '[' xnet2all = xfw2fw ']'
> + is_policy_chain net2all
> + eval test '"$net2all_is_policy"' = Yes
> ++ test '' = Yes
> + '[' xinfo = x- ']'
> + chain=net2all
> + '[' DROP = NONE ']'
> + all_policy_chains= loc2net loc2fw fw2net fw2loc net2all
> + eval net2all_is_policy=Yes
> ++ net2all_is_policy=Yes
> + eval net2all_policy=DROP
> ++ net2all_policy=DROP
> + eval net2all_loglevel=info
> ++ net2all_loglevel=info
> + eval net2all_synparams=
> ++ net2all_synparams=
> + '[' -n '' ']'
> + '[' -n Yes ']'
> + eval 'pc=$net2net_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval net2net_policychain=net2all
> ++ net2net_policychain=net2all
> + eval net2net_policy=DROP
> ++ net2net_policy=DROP
> + print_policy net net
> + '[' start '!=' check ']'
> + eval 'pc=$net2loc_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval net2loc_policychain=net2all
> ++ net2loc_policychain=net2all
> + eval net2loc_policy=DROP
> ++ net2loc_policy=DROP
> + print_policy net loc
> + '[' start '!=' check ']'
> + eval 'pc=$net2fw_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval net2fw_policychain=net2all
> ++ net2fw_policychain=net2all
> + eval net2fw_policy=DROP
> ++ net2fw_policy=DROP
> + print_policy net fw
> + '[' start '!=' check ']'
> + eval 'pc=$net2all_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval net2all_policychain=net2all
> ++ net2all_policychain=net2all
> + eval net2all_policy=DROP
> ++ net2all_policy=DROP
> + print_policy net all
> + '[' start '!=' check ']'
> + read client server policy loglevel synparams
> + expandv client server policy loglevel synparams
> + local varval
> + '[' 5 -gt 0 ']'
> + eval 'varval=$client'
> ++ varval=all
> + eval 'client="all"'
> ++ client=all
> + shift
> + '[' 4 -gt 0 ']'
> + eval 'varval=$server'
> ++ varval=all
> + eval 'server="all"'
> ++ server=all
> + shift
> + '[' 3 -gt 0 ']'
> + eval 'varval=$policy'
> ++ varval=REJECT
> + eval 'policy="REJECT"'
> ++ policy=REJECT
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$loglevel'
> ++ varval=info
> + eval 'loglevel="info"'
> ++ loglevel=info
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$synparams'
> ++ varval=
> + eval 'synparams=""'
> ++ synparams=
> + shift
> + '[' 0 -gt 0 ']'
> + clientwild=
> + serverwild=
> + clientwild=Yes
> + serverwild=Yes
> + chain=all2all
> + '[' xall2all = xfw2fw ']'
> + is_policy_chain all2all
> + eval test '"$all2all_is_policy"' = Yes
> ++ test '' = Yes
> + '[' xinfo = x- ']'
> + chain=all2all
> + '[' REJECT = NONE ']'
> + all_policy_chains= loc2net loc2fw fw2net fw2loc net2all all2all
> + eval all2all_is_policy=Yes
> ++ all2all_is_policy=Yes
> + eval all2all_policy=REJECT
> ++ all2all_policy=REJECT
> + eval all2all_loglevel=info
> ++ all2all_loglevel=info
> + eval all2all_synparams=
> ++ all2all_synparams=
> + '[' -n Yes ']'
> + '[' -n Yes ']'
> + eval 'pc=$net2net_policychain'
> ++ pc=net2all
> + '[' -z net2all ']'
> + eval 'pc=$net2loc_policychain'
> ++ pc=net2all
> + '[' -z net2all ']'
> + eval 'pc=$net2fw_policychain'
> ++ pc=net2all
> + '[' -z net2all ']'
> + eval 'pc=$net2all_policychain'
> ++ pc=net2all
> + '[' -z net2all ']'
> + eval 'pc=$loc2net_policychain'
> ++ pc=loc2net
> + '[' -z loc2net ']'
> + eval 'pc=$loc2loc_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval loc2loc_policychain=all2all
> ++ loc2loc_policychain=all2all
> + eval loc2loc_policy=REJECT
> ++ loc2loc_policy=REJECT
> + print_policy loc loc
> + '[' start '!=' check ']'
> + eval 'pc=$loc2fw_policychain'
> ++ pc=loc2fw
> + '[' -z loc2fw ']'
> + eval 'pc=$loc2all_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval loc2all_policychain=all2all
> ++ loc2all_policychain=all2all
> + eval loc2all_policy=REJECT
> ++ loc2all_policy=REJECT
> + print_policy loc all
> + '[' start '!=' check ']'
> + eval 'pc=$fw2net_policychain'
> ++ pc=fw2net
> + '[' -z fw2net ']'
> + eval 'pc=$fw2loc_policychain'
> ++ pc=fw2loc
> + '[' -z fw2loc ']'
> + eval 'pc=$fw2fw_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval fw2fw_policychain=all2all
> ++ fw2fw_policychain=all2all
> + eval fw2fw_policy=REJECT
> ++ fw2fw_policy=REJECT
> + print_policy fw fw
> + '[' start '!=' check ']'
> + eval 'pc=$fw2all_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval fw2all_policychain=all2all
> ++ fw2all_policychain=all2all
> + eval fw2all_policy=REJECT
> ++ fw2all_policy=REJECT
> + print_policy fw all
> + '[' start '!=' check ']'
> + eval 'pc=$all2net_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval all2net_policychain=all2all
> ++ all2net_policychain=all2all
> + eval all2net_policy=REJECT
> ++ all2net_policy=REJECT
> + print_policy all net
> + '[' start '!=' check ']'
> + eval 'pc=$all2loc_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval all2loc_policychain=all2all
> ++ all2loc_policychain=all2all
> + eval all2loc_policy=REJECT
> ++ all2loc_policy=REJECT
> + print_policy all loc
> + '[' start '!=' check ']'
> + eval 'pc=$all2fw_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval all2fw_policychain=all2all
> ++ all2fw_policychain=all2all
> + eval all2fw_policy=REJECT
> ++ all2fw_policy=REJECT
> + print_policy all fw
> + '[' start '!=' check ']'
> + eval 'pc=$all2all_policychain'
> ++ pc=
> + '[' -z '' ']'
> + eval all2all_policychain=all2all
> ++ all2all_policychain=all2all
> + eval all2all_policy=REJECT
> ++ all2all_policy=REJECT
> + print_policy all all
> + '[' start '!=' check ']'
> + read client server policy loglevel synparams
> + echo 'Determining Hosts in Zones...'
> + determine_interfaces
> ++ find_interfaces net
> ++ local zne=net
> ++ local z
> ++ local interface
> +++ chain_base ppp0
> +++ local c=ppp0
> +++ echo ppp0
> ++ eval 'z=$ppp0_zone'
> +++ z=net
> ++ '[' xnet = xnet ']'
> ++ echo ppp0
> +++ chain_base eth0
> +++ local c=eth0
> +++ echo eth0
> ++ eval 'z=$eth0_zone'
> +++ z=loc
> ++ '[' xloc = xnet ']'
> +++ chain_base vmnet1
> +++ local c=vmnet1
> +++ echo vmnet1
> ++ eval 'z=$vmnet1_zone'
> +++ z=loc
> ++ '[' xloc = xnet ']'
> +++ chain_base vmnet8
> +++ local c=vmnet8
> +++ echo vmnet8
> ++ eval 'z=$vmnet8_zone'
> +++ z=loc
> ++ '[' xloc = xnet ']'
> + interfaces=ppp0
> ++ echo ppp0
> + interfaces=ppp0
> + eval 'net_interfaces="$interfaces"'
> ++ net_interfaces=ppp0
> ++ find_interfaces loc
> ++ local zne=loc
> ++ local z
> ++ local interface
> +++ chain_base ppp0
> +++ local c=ppp0
> +++ echo ppp0
> ++ eval 'z=$ppp0_zone'
> +++ z=net
> ++ '[' xnet = xloc ']'
> +++ chain_base eth0
> +++ local c=eth0
> +++ echo eth0
> ++ eval 'z=$eth0_zone'
> +++ z=loc
> ++ '[' xloc = xloc ']'
> ++ echo eth0
> +++ chain_base vmnet1
> +++ local c=vmnet1
> +++ echo vmnet1
> ++ eval 'z=$vmnet1_zone'
> +++ z=loc
> ++ '[' xloc = xloc ']'
> ++ echo vmnet1
> +++ chain_base vmnet8
> +++ local c=vmnet8
> +++ echo vmnet8
> ++ eval 'z=$vmnet8_zone'
> +++ z=loc
> ++ '[' xloc = xloc ']'
> ++ echo vmnet8
> + interfaces=eth0
> vmnet1
> vmnet8
> ++ echo eth0 vmnet1 vmnet8
> + interfaces=eth0 vmnet1 vmnet8
> + eval 'loc_interfaces="$interfaces"'
> ++ loc_interfaces=eth0 vmnet1 vmnet8
> + determine_hosts
> ++ find_hosts net
> ++ local hosts interface address addresses
> ++ read z hosts options
> + hosts=
> ++ echo
> + hosts=
> + eval 'interfaces=$net_interfaces'
> ++ interfaces=ppp0
> + '[' -z '' ']'
> + hosts=ppp0:0.0.0.0/0
> + interfaces=
> + interface=ppp0
> + list_search ppp0
> + local e=ppp0
> + '[' 1 -gt 1 ']'
> + return 1
> + '[' -z '' ']'
> + interfaces=ppp0
> + '[' 0.0.0.0/0 = 0.0.0.0/0 ']'
> + eval 'net_interfaces=$interfaces'
> ++ net_interfaces=ppp0
> + eval 'net_hosts=$hosts'
> ++ net_hosts=ppp0:0.0.0.0/0
> + '[' -n ppp0:0.0.0.0/0 ']'
> + eval 'display=$net_display'
> ++ display=Net
> + display_list 'Net Zone:' ppp0:0.0.0.0/0
> + '[' 2 -gt 1 ']'
> + echo ' Net Zone: ppp0:0.0.0.0/0'
> ++ find_hosts loc
> ++ local hosts interface address addresses
> ++ read z hosts options
> + hosts=
> ++ echo
> + hosts=
> + eval 'interfaces=$loc_interfaces'
> ++ interfaces=eth0 vmnet1 vmnet8
> + '[' -z '' ']'
> + hosts=eth0:0.0.0.0/0
> + '[' -z eth0:0.0.0.0/0 ']'
> + hosts=eth0:0.0.0.0/0 vmnet1:0.0.0.0/0
> + '[' -z 'eth0:0.0.0.0/0 vmnet1:0.0.0.0/0' ']'
> + hosts=eth0:0.0.0.0/0 vmnet1:0.0.0.0/0 vmnet8:0.0.0.0/0
> + interfaces=
> + interface=eth0
> + list_search eth0
> + local e=eth0
> + '[' 1 -gt 1 ']'
> + return 1
> + '[' -z '' ']'
> + interfaces=eth0
> + '[' 0.0.0.0/0 = 0.0.0.0/0 ']'
> + interface=vmnet1
> + list_search vmnet1 eth0
> + local e=vmnet1
> + '[' 2 -gt 1 ']'
> + shift
> + '[' xvmnet1 = xeth0 ']'
> + '[' 1 -gt 1 ']'
> + return 1
> + '[' -z eth0 ']'
> + interfaces=eth0 vmnet1
> + '[' 0.0.0.0/0 = 0.0.0.0/0 ']'
> + interface=vmnet8
> + list_search vmnet8 eth0 vmnet1
> + local e=vmnet8
> + '[' 3 -gt 1 ']'
> + shift
> + '[' xvmnet8 = xeth0 ']'
> + '[' 2 -gt 1 ']'
> + shift
> + '[' xvmnet8 = xvmnet1 ']'
> + '[' 1 -gt 1 ']'
> + return 1
> + '[' -z 'eth0 vmnet1' ']'
> + interfaces=eth0 vmnet1 vmnet8
> + '[' 0.0.0.0/0 = 0.0.0.0/0 ']'
> + eval 'loc_interfaces=$interfaces'
> ++ loc_interfaces=eth0 vmnet1 vmnet8
> + eval 'loc_hosts=$hosts'
> ++ loc_hosts=eth0:0.0.0.0/0 vmnet1:0.0.0.0/0 vmnet8:0.0.0.0/0
> + '[' -n 'eth0:0.0.0.0/0 vmnet1:0.0.0.0/0 vmnet8:0.0.0.0/0' ']'
> + eval 'display=$loc_display'
> ++ display=Local
> + display_list 'Local Zone:' eth0:0.0.0.0/0 vmnet1:0.0.0.0/0 vmnet8:0.0.0.0/0
> + '[' 4 -gt 1 ']'
> + echo ' Local Zone: eth0:0.0.0.0/0 vmnet1:0.0.0.0/0 vmnet8:0.0.0.0/0'
> + run_user_exit init
> ++ find_file init
> ++ '[' -n '' -a -f /init ']'
> ++ echo /etc/shorewall/init
> + local user_exit=/etc/shorewall/init
> + '[' -f /etc/shorewall/init ']'
> + echo 'Processing /etc/shorewall/init ...'
> + . /etc/shorewall/init
> + strip_file rules
> + local fname
> + '[' 1 = 1 ']'
> ++ find_file rules
> ++ '[' -n '' -a -f /rules ']'
> ++ echo /etc/shorewall/rules
> + fname=/etc/shorewall/rules
> + '[' -f /etc/shorewall/rules ']'
> + read_file /etc/shorewall/rules 0
> + local first rest
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Shorewall version 1.4 - Rules File'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# /etc/shorewall/rules'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Rules in this file govern connection establishment. Requests and'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# responses are automatically allowed using connection tracking.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# In most places where an IP address or subnet is allowed, you'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# indicate that the rule matches all addresses except the address/subnet'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# given. Notice that no white space is permitted between "!" and the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address/subnet.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Columns are:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# or LOG.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ACCEPT -- allow the connection request'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DROP -- ignore the request'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REJECT -- disallow the request and return an'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# icmp-unreachable or an RST packet.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DNAT -- Forward the request to another'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# system (and optionally another'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# port).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DNAT- -- Advanced users only.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Like DNAT but only generates the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DNAT iptables rule and not'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# the companion ACCEPT rule.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT -- Redirect the request to a local'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# port on the firewall.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT-'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# -- Advanced users only.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Like REDIRET but only generates the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT iptables rule and not'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# the companion ACCEPT rule.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# CONTINUE -- (For experts only). Do not process'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# any of the following rules for this'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# (source zone,destination zone). If'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# The source and/or destination IP'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address falls into a zone defined'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# later in /etc/shorewall/zones, this'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# connection request will be passed'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# to the rules defined for that'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# (those) zone(s).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# LOG -- Simply log the packet and continue.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# May optionally be followed by ":" and a syslog log'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# level (e.g, REJECT:info). This causes the packet to be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# logged at the specified level.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# You may also specify ULOG (must be in upper case) as a'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# log level.This will log to the ULOG target for routing'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# to a separate log through use of ulogd'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# (http://www.gnumonks.org/projects/ulogd).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# SOURCE Source hosts to which the rule applies. May be a zone'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# defined in /etc/shorewall/zones, $FW to indicate the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# firewall itself, or "all" If the ACTION is DNAT or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT, sub-zones of the specified zone may be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# excluded from the rule by following the zone name with'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# "!'\'' and a comma-separated list of sub-zone names.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Except when "all" is specified, clients may be further'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# restricted to a list of subnets and/or hosts by'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# appending ":" and a comma-separated list of subnets'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# and/or hosts. Hosts may be specified by IP or MAC'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address; mac addresses must begin with "~" and must use'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# "-" as a separator.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Internet'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# loc:192.168.1.1,192.168.1.2'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Hosts 192.168.1.1 and'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 192.168.1.2 in the local zone.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# loc:~00-A0-C9-15-39-78 Host in the local zone with'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# MAC address 00:A0:C9:15:39:78.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Alternatively, clients may be specified by interface'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# by appending ":" to the zone name followed by the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# interface name. For example, loc:eth1 specifies a'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# client that communicates with the firewall system'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# through eth1. This may be optionally followed by'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# another colon (":") and an IP/MAC/subnet address'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# as described above (e.g., loc:eth1:192.168.1.5).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DEST Location of Server. May be a zone defined in'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# /etc/shorewall/zones, $FW to indicate the firewall'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# itself or "all"'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Except when "all" is specified, the server may be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# further restricted to a particular subnet, host or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# interface by appending ":" and the subnet, host or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# interface. See above.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Restrictions:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 1. MAC addresses are not allowed.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 2. In DNAT rules, only IP addresses are'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# allowed; no FQDNs or subnet addresses'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# are permitted.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 3. You may not specify both an interface and'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# an address.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Unlike in the SOURCE column, you may specify a range of'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# up to 256 IP addresses using the syntax'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# the connections will be assigned to addresses in the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# range in a round-robin fashion.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# The port that the server is listening on may be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# included and separated from the server'\''s IP address by'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ":". If omitted, the firewall will not modifiy the'
> + cut -d# -f1
> + grep -v '^[[:space:]]*$'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# destination port. A destination port may only be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# included if the ACTION is DNAT or REDIRECT.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example: loc:192.168.1.3:3128 specifies a local'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# server at IP address 192.168.1.3 and listening on port'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 3128. The port number MUST be specified as an integer'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# and not as a name from /etc/services.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# if the ACTION is REDIRECT, this column needs only to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# contain the port number on the firewall that the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# request should be redirected to.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# "all".'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DEST PORT(S) Destination Ports. A comma-separated list of Port'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# names (from /etc/services), port numbers or port'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ranges; if the protocol is "icmp", this column is'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# interpreted as the destination icmp-type(s).'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# A port range is expressed as <low port>:<high port>.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# This column is ignored if PROTOCOL = all but must be'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# entered if any of the following ields are supplied.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# In that case, it is suggested that this field contain'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# "-"'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# If your kernel contains multi-port match support, then'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# only a single Netfilter rule will be generated if in'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# this list and the CLIENT PORT(S) list below:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 1. There are 15 or less ports listed.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 2. No port ranges are included.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Otherwise, a separate rule will be generated for each'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# port.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# any source port is acceptable. Specified as a comma-'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# separated list of port names, port numbers or port'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ranges.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# If you don'\''t want to restrict client ports but need to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# specify an ADDRESS in the next column, then place "-"'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# in this column.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# If your kernel contains multi-port match support, then'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# only a single Netfilter rule will be generated if in'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# this list and the DEST PORT(S) list above:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 1. There are 15 or less ports listed.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 2. No port ranges are included.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Otherwise, a separate rule will be generated for each'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# port.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT[-]) If included and different from the IP'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address given in the SERVER column, this is an address'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# on some interface on the firewall and connections to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# that address will be forwarded to the IP and port'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# specified in the DEST column.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# A comma-separated list of addresses may also be used.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# This is usually most useful with the REDIRECT target'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# where you want to redirect traffic destined for'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# particular set of hosts.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Finally, if the list of addresses begins with "!" then'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# the rule will be followed only if the original'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# destination address in the connection request does not'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# match any of the addresses listed.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# The address (list) may optionally be followed by'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# a colon (":") and a second IP address. This causes'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Shorewall to use the second IP address as the source'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address in forwarded packets. See the Shorewall'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# documentation for restrictions concerning this feature.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# If no source IP address is given, the original source'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# address is not altered.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example: Accept SMTP requests from the DMZ to the internet'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# # PORT PORT(S) DEST'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ACCEPT dmz net tcp smtp'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example: Forward all ssh and http connection requests from the internet'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# to local system 192.168.1.3'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# # PORT PORT(S) DEST'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DNAT net loc:192.168.1.3 tcp ssh,http'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example: Redirect all locally-originating www connection requests to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# port 3128 on the firewall (Squid running on the firewall'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# system) except when the destination address is 192.168.2.2'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# # PORT PORT(S) DEST'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# REDIRECT loc 3128 tcp www - !192.168.2.2'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example: All http requests from the internet to address'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 130.252.100.69 are to be forwarded to 192.168.1.3'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# # PORT PORT(S) DEST'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE
'']'' > + echo ''# Example: You want to accept SSH connections to your firewallonly''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# from internet IP addresses 130.252.100.69 and 130.252.100.70'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# # PORT PORT(S) DEST'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ACCEPT net:130.252.100.69,130.252.100.70 # tcp 22'' > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x#ACTION = xINCLUDE '']'' > + echo ''#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# PORT PORT(S) DEST'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Accept DNS connections from the firewall to the network'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT fw net tcp 53'' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT fw net udp 53'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Accept SSH connections from the local network foradministration''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT loc fw tcp 22'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Allow Ping To And From Firewall'' > + read first rest > + ''['' x# = xINCLUDE '']'' 
> + echo ''# '' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT loc fw icmp 8'' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT net fw icmp 8'' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT fw loc icmp 8'' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT fw net icmp 8'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Dunc''\''''s rules:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' xACCEPT = xINCLUDE '']'' > + echo ''ACCEPT net fw tcp 22'' > + read first rest > + ''['' x#LAST = xINCLUDE '']'' > + echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'' > + read first rest > + strip_file proxyarp > + local fname > + ''['' 1 = 1 '']'' > ++ find_file proxyarp > ++ ''['' -n '''' -a -f /proxyarp '']'' > ++ echo /etc/shorewall/proxyarp > + fname=/etc/shorewall/proxyarp > + ''['' -f /etc/shorewall/proxyarp '']'' > + read_file /etc/shorewall/proxyarp 0 > + local first rest > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 -- Proxy ARP'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/proxyarp'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This file is used to define Proxy ARP.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns must be separated by white space 
and are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ADDRESS IP Address'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE Local interface where system is connected. If the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# local interface is obvious from the subnetting,'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# you may enter "-" in this column.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# EXTERNAL External Interface to be used to access this system'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# HAVEROUTE If there is already a route from the firewall to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the host whose address is given, enter "Yes" or "yes"'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# in this column. 
Otherwise, entry "no", "No" or leave'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the column empty.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example: Host with IP 155.186.235.6 is connected to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interface eth1 and we want hosts attached via eth0'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# to be able to access it using that address.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# #ADDRESS INTERFACE EXTERNAL HAVEROUTE'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# 155.186.235.6 eth1 eth0 No'' > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x#ADDRESS = xINCLUDE '']'' > + echo ''#ADDRESS INTERFACE EXTERNAL HAVEROUTE'' > + read first rest > + ''['' x#LAST = xINCLUDE '']'' > + echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'' > + read first rest > + cut -d# -f1 > + grep -v ''^[[:space:]]*$'' > + strip_file maclist > + local fname > + ''['' 1 = 1 '']'' > ++ find_file maclist > ++ ''['' -n '''' -a -f /maclist '']'' > ++ echo /etc/shorewall/maclist > + fname=/etc/shorewall/maclist > + ''['' -f /etc/shorewall/maclist '']'' > + read_file /etc/shorewall/maclist 0 > + local first rest > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 - MAC list file'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/maclist'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read 
first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE Network interface to a host'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# MAC MAC address of the host -- you do not need to use'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# the Shorewall format for MAC addresses here'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# IP ADDRESSES Optional -- if specified, both the MAC and IPaddress''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# must match. This column can contain a comma-separated'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# list of host and/or subnet addresses.'' > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x#INTERFACE = xINCLUDE '']'' > + echo ''#INTERFACE MAC IP ADDRESSES (Optional)'' > + read first rest > + ''['' x#LAST = xINCLUDE '']'' > + echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'' > + read first rest > + cut -d# -f1 > + grep -v ''^[[:space:]]*$'' > + strip_file nat > + local fname > + ''['' 1 = 1 '']'' > ++ find_file nat > ++ ''['' -n '''' -a -f /nat '']'' > ++ echo /etc/shorewall/nat > + fname=/etc/shorewall/nat > + ''['' -f /etc/shorewall/nat '']'' > + read_file /etc/shorewall/nat 0 > + local first rest > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x# = 
xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 -- Network Address Translation Table'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/nat'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This file is used to define static Network Address Translation(NAT).''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# WARNING: If all you want to do is simple port forwarding, do NOTuse this''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# cases, Proxy ARP is a better solution that static NAT.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns must be separated by white space and are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# EXTERNAL External IP Address - this should NOT be the primary'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# IP address of the interface named in the next'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# column and must not be a DNS Name.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE Interface that we want to EXTERNAL address to appear'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# on. 
If ADD_IP_ALIASES=Yes in shorewall.conf, you may'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# follow the interface name with ":" and a digit to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# indicate that you want Shorewall to add the alias'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# with this name (e.g., "eth0:0"). That allows you to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# see the alias with ifconfig. THAT IS THE ONLY THING'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERNAL Internal Address (must not be a DNS Name).'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ALL INTERFACES If Yes or yes (or left empty), NAT will beeffective''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# from all hosts. 
If No or no then NAT will be effective'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# only through the interface named in the INTERFACE'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# column'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# LOCAL If Yes or yes and the ALL INTERFACES columncontains''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Yes or yes, NAT will be effective from the firewall'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# system'' > + read first rest > + ''[''x########################################################################### ### = xINCLUDE '']''> + echo''########################################################################### ### ''> + read first rest > + ''['' x#EXTERNAL = xINCLUDE '']'' > + echo ''#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL'' > + read first rest > + ''['' x#LAST = xINCLUDE '']'' > + echo ''#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'' > + read first rest > + cut -d# -f1 > + grep -v ''^[[:space:]]*$'' > + terminator=fatal_error > + deletechain shorewall > + qt iptables -L shorewall -n > + iptables -L shorewall -n > + ''['' -n Yes '']'' > + delete_nat > + run_iptables -t nat -F > + iptables -t nat -F > + run_iptables -t nat -X > + iptables -t nat -X > + ''['' -f /var/lib/shorewall/nat '']'' > + read external interface > + rm -f ''{/var/lib/shorewall}/nat'' > + ''['' -d /var/lib/shorewall '']'' > + touch /var/lib/shorewall/nat > + delete_proxy_arp > + ''['' -f /var/lib/shorewall/proxyarp '']'' > + read address interface external haveroute > + rm -f /var/lib/shorewall/proxyarp > + ''['' -d /var/lib/shorewall '']'' > + touch /var/lib/shorewall/proxyarp > ++ ls /proc/sys/net/ipv4/conf/all/proxy_arp/proc/sys/net/ipv4/conf/default/proxy_arp /proc/sys/net/ipv4/conf/eth0/proxy_arp /proc/sys/net/ipv4/conf/lo/proxy_arp /proc/sys/net/ipv4/conf/ppp0/proxy_arp> + echo 0 > + echo 0 > + echo 0 > + echo 0 > + echo 0 > + 
''['' -n Yes '']'' > + run_iptables -t mangle -F > + iptables -t mangle -F > + run_iptables -t mangle -X > + iptables -t mangle -X > + ''['' -n '''' '']'' > + echo ''Deleting user chains...'' > + setpolicy INPUT DROP > + run_iptables -P INPUT DROP > + iptables -P INPUT DROP > + setpolicy OUTPUT DROP > + run_iptables -P OUTPUT DROP > + iptables -P OUTPUT DROP > + setpolicy FORWARD DROP > + run_iptables -P FORWARD DROP > + iptables -P FORWARD DROP > + deleteallchains > + run_iptables -F > + iptables -F > + run_iptables -X > + iptables -X > + setcontinue FORWARD > + run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > + setcontinue INPUT > + run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > + setcontinue OUTPUT > + run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > + run_iptables -A INPUT -i lo -j ACCEPT > + iptables -A INPUT -i lo -j ACCEPT > + run_iptables -A OUTPUT -o lo -j ACCEPT > + iptables -A OUTPUT -o lo -j ACCEPT > + run_iptables -A INPUT -p udp --dport 53 -j ACCEPT > + iptables -A INPUT -p udp --dport 53 -j ACCEPT > + run_iptables -A INPUT -p ''!'' icmp -m state --state INVALID -j DROP > + iptables -A INPUT -p ''!'' icmp -m state --state INVALID -j DROP > + run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT > + iptables -A OUTPUT -p udp --dport 53 -j ACCEPT > + run_iptables -A OUTPUT -p ''!'' icmp -m state --state INVALID -j DROP > + iptables -A OUTPUT -p ''!'' icmp -m state --state INVALID -j DROP > + run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT > + iptables -A FORWARD -p udp --dport 53 -j ACCEPT > + run_iptables -A FORWARD -p ''!'' icmp -m state --state INVALID -j DROP > + iptables -A FORWARD -p ''!'' icmp -m state --state INVALID -j DROP > + ''['' -n '''' '']'' > + ''['' -z '''' 
'']'' > + createchain newnotsyn no > + run_iptables -N newnotsyn > + iptables -N newnotsyn > + ''['' no = yes '']'' > + eval newnotsyn_exists=Yes > ++ newnotsyn_exists=Yes > ++ find_interfaces_by_option newnotsyn > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search newnotsyn routefilter norfc1918 > ++ local e=newnotsyn > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xnewnotsyn = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xnewnotsyn = xnorfc1918 '']'' > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search newnotsyn > ++ local e=newnotsyn > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search newnotsyn > ++ local e=newnotsyn > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''options=$vmnet8_options'' > +++ options> ++ list_search newnotsyn > ++ local e=newnotsyn > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + run_user_exit newnotsyn > ++ find_file newnotsyn > ++ ''['' -n '''' -a -f /newnotsyn '']'' > ++ echo /etc/shorewall/newnotsyn > + local user_exit=/etc/shorewall/newnotsyn > + ''['' -f /etc/shorewall/newnotsyn '']'' > + ''['' -n info '']'' > + log_rule info newnotsyn DROP > + local level=info > + local chain=newnotsyn > + local disposition=DROP > + local rulenum> + shift > + shift > + shift > + ''['' -n '''' '']'' > + eval iptables -A newnotsyn -j LOG --log-level info --log-prefix''"`printf "$LOGFORMAT" $chain $disposition`"''> +++ printf Shorewall:%s:%s: newnotsyn DROP > ++ iptables -A newnotsyn -j LOG --log-level info --log-prefixShorewall:newnotsyn:DROP:> + ''['' 0 -ne 0 '']'' > + run_iptables -A newnotsyn -j DROP > + iptables -A newnotsyn -j DROP > + createchain icmpdef 
no > + run_iptables -N icmpdef > + iptables -N icmpdef > + ''['' no = yes '']'' > + eval icmpdef_exists=Yes > ++ icmpdef_exists=Yes > + createchain common no > + run_iptables -N common > + iptables -N common > + ''['' no = yes '']'' > + eval common_exists=Yes > ++ common_exists=Yes > + createchain reject no > + run_iptables -N reject > + iptables -N reject > + ''['' no = yes '']'' > + eval reject_exists=Yes > ++ reject_exists=Yes > + createchain dynamic no > + run_iptables -N dynamic > + iptables -N dynamic > + ''['' no = yes '']'' > + eval dynamic_exists=Yes > ++ dynamic_exists=Yes > + ''['' -f /var/lib/shorewall/save '']'' > + echo ''Creating Interface Chains...'' > ++ forward_chain ppp0 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ echo ppp0_fwd > + createchain ppp0_fwd no > + run_iptables -N ppp0_fwd > + iptables -N ppp0_fwd > + ''['' no = yes '']'' > + eval ppp0_fwd_exists=Yes > ++ ppp0_fwd_exists=Yes > ++ forward_chain ppp0 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ echo ppp0_fwd > + run_iptables -A ppp0_fwd -j dynamic > + iptables -A ppp0_fwd -j dynamic > ++ input_chain ppp0 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ echo ppp0_in > + createchain ppp0_in no > + run_iptables -N ppp0_in > + iptables -N ppp0_in > + ''['' no = yes '']'' > + eval ppp0_in_exists=Yes > ++ ppp0_in_exists=Yes > ++ input_chain ppp0 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ echo ppp0_in > + run_iptables -A ppp0_in -j dynamic > + iptables -A ppp0_in -j dynamic > ++ forward_chain eth0 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ echo eth0_fwd > + createchain eth0_fwd no > + run_iptables -N eth0_fwd > + iptables -N eth0_fwd > + ''['' no = yes '']'' > + eval eth0_fwd_exists=Yes > ++ eth0_fwd_exists=Yes > ++ forward_chain eth0 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ echo eth0_fwd > + run_iptables -A eth0_fwd -j dynamic > + iptables -A eth0_fwd -j dynamic > ++ input_chain eth0 > 
+++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ echo eth0_in > + createchain eth0_in no > + run_iptables -N eth0_in > + iptables -N eth0_in > + ''['' no = yes '']'' > + eval eth0_in_exists=Yes > ++ eth0_in_exists=Yes > ++ input_chain eth0 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ echo eth0_in > + run_iptables -A eth0_in -j dynamic > + iptables -A eth0_in -j dynamic > ++ forward_chain vmnet1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ echo vmnet1_fwd > + createchain vmnet1_fwd no > + run_iptables -N vmnet1_fwd > + iptables -N vmnet1_fwd > + ''['' no = yes '']'' > + eval vmnet1_fwd_exists=Yes > ++ vmnet1_fwd_exists=Yes > ++ forward_chain vmnet1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ echo vmnet1_fwd > + run_iptables -A vmnet1_fwd -j dynamic > + iptables -A vmnet1_fwd -j dynamic > ++ input_chain vmnet1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ echo vmnet1_in > + createchain vmnet1_in no > + run_iptables -N vmnet1_in > + iptables -N vmnet1_in > + ''['' no = yes '']'' > + eval vmnet1_in_exists=Yes > ++ vmnet1_in_exists=Yes > ++ input_chain vmnet1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ echo vmnet1_in > + run_iptables -A vmnet1_in -j dynamic > + iptables -A vmnet1_in -j dynamic > ++ forward_chain vmnet8 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ echo vmnet8_fwd > + createchain vmnet8_fwd no > + run_iptables -N vmnet8_fwd > + iptables -N vmnet8_fwd > + ''['' no = yes '']'' > + eval vmnet8_fwd_exists=Yes > ++ vmnet8_fwd_exists=Yes > ++ forward_chain vmnet8 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ echo vmnet8_fwd > + run_iptables -A vmnet8_fwd -j dynamic > + iptables -A vmnet8_fwd -j dynamic > ++ input_chain vmnet8 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ echo vmnet8_in > + createchain vmnet8_in no > + run_iptables -N vmnet8_in > + iptables -N vmnet8_in > + 
''['' no = yes '']'' > + eval vmnet8_in_exists=Yes > ++ vmnet8_in_exists=Yes > ++ input_chain vmnet8 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ echo vmnet8_in > + run_iptables -A vmnet8_in -j dynamic > + iptables -A vmnet8_in -j dynamic > + echo ''Configuring Proxy ARP'' > + setup_proxy_arp > + read address interface external haveroute > ++ find_interfaces_by_option proxyarp > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search proxyarp routefilter norfc1918 > ++ local e=proxyarp > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xproxyarp = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xproxyarp = xnorfc1918 '']'' > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search proxyarp > ++ local e=proxyarp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search proxyarp > ++ local e=proxyarp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''options=$vmnet8_options'' > +++ options> ++ list_search proxyarp > ++ local e=proxyarp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + interfaces> + setup_nat > + local allints > + echo ''Setting up NAT...'' > + read external interface internal allints localnat > + echo ''Adding Common Rules'' > + add_common_rules > + local savelogparms> + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset > + iptables -A reject -p tcp -j REJECT --reject-with tcp-reset > + run_iptables -A reject -p udp -j REJECT > + iptables -A reject -p udp -j REJECT > + qt iptables -A reject -p icmp -j REJECT --reject-withicmp-host-unreachable> + iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable > + qt iptables -A reject -j 
REJECT --reject-with icmp-host-prohibited > + iptables -A reject -j REJECT --reject-with icmp-host-prohibited > ++ find_interfaces_by_option dropunclean > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search dropunclean routefilter norfc1918 > ++ local e=dropunclean > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xdropunclean = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xdropunclean = xnorfc1918 '']'' > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search dropunclean > ++ local e=dropunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search dropunclean > ++ local e=dropunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''options=$vmnet8_options'' > +++ options> ++ list_search dropunclean > ++ local e=dropunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + interfaces> + ''['' -n '''' '']'' > ++ find_interfaces_by_option logunclean > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search logunclean routefilter norfc1918 > ++ local e=logunclean > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xlogunclean = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xlogunclean = xnorfc1918 '']'' > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search logunclean > ++ local e=logunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search logunclean > ++ local 
e=logunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''options=$vmnet8_options'' > +++ options> ++ list_search logunclean > ++ local e=logunclean > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + interfaces> + ''['' -n '''' '']'' > + build_common_chain > + run_user_exit icmpdef > ++ find_file icmpdef > ++ ''['' -n '''' -a -f /icmpdef '']'' > ++ echo /etc/shorewall/icmpdef > + local user_exit=/etc/shorewall/icmpdef > + ''['' -f /etc/shorewall/icmpdef '']'' > ++ find_file common > ++ ''['' -n '''' -a -f /common '']'' > ++ echo /etc/shorewall/common > + common=/etc/shorewall/common > + ''['' -f /etc/shorewall/common '']'' > ++ find_file common.def > ++ ''['' -n '''' -a -f /common.def '']'' > ++ echo /etc/shorewall/common.def > + . /etc/shorewall/common.def > ++ run_iptables -A common -p icmp -j icmpdef > ++ iptables -A common -p icmp -j icmpdef > ++ run_iptables -A common -p udp --dport 135 -j reject > ++ iptables -A common -p udp --dport 135 -j reject > ++ run_iptables -A common -p udp --dport 137:139 -j reject > ++ iptables -A common -p udp --dport 137:139 -j reject > ++ run_iptables -A common -p udp --dport 445 -j reject > ++ iptables -A common -p udp --dport 445 -j reject > ++ run_iptables -A common -p tcp --dport 139 -j reject > ++ iptables -A common -p tcp --dport 139 -j reject > ++ run_iptables -A common -p tcp --dport 445 -j reject > ++ iptables -A common -p tcp --dport 445 -j reject > ++ run_iptables -A common -p tcp --dport 135 -j reject > ++ iptables -A common -p tcp --dport 135 -j reject > ++ run_iptables -A common -p udp --dport 1900 -j DROP > ++ iptables -A common -p udp --dport 1900 -j DROP > ++ run_iptables -A common -d 255.255.255.255 -j DROP > ++ iptables -A common -d 255.255.255.255 -j DROP > ++ run_iptables -A common -d 224.0.0.0/4 -j DROP > ++ iptables -A common -d 224.0.0.0/4 -j DROP > ++ run_iptables -A common -p tcp --dport 113 -j reject > ++ iptables -A common -p tcp --dport 113 
-j reject > ++ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP > ++ iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP > + ''['' -n '''' '']'' > ++ find_broadcasts > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''bcast=$ppp0_broadcast'' > +++ bcast=- > ++ ''['' x- = xdetect '']'' > ++ ''['' x- ''!='' x- '']'' > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''bcast=$eth0_broadcast'' > +++ bcast=detect > ++ ''['' xdetect = xdetect '']'' > +++ ip addr show eth0 > ++ addr=2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen100> link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0 > +++ echo ''2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen100> link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'' > +++ grep ''inet.*brd '' > ++ ''['' -n '' inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'''']''> +++ echo ''2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen100> link/ether 00:50:22:b1:41:10 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0'' > +++ grep ''inet '' > +++ sed ''s/^.* inet.*brd //;s/scope.*//'' > ++ addr=192.168.0.255 > ++ echo 192.168.0.255 > ++ cut ''-d '' -f 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''bcast=$vmnet1_broadcast'' > +++ bcast=detect > ++ ''['' xdetect = xdetect '']'' > +++ ip addr show vmnet1 > ++ addr> +++ echo '''' > +++ grep ''inet.*brd '' > ++ ''['' -n '''' '']'' > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''bcast=$vmnet8_broadcast'' > +++ bcast=detect > ++ ''['' xdetect = xdetect '']'' > +++ ip addr show vmnet8 > ++ addr> +++ echo '''' > +++ grep ''inet.*brd '' > ++ ''['' -n '''' '']'' > + drop_broadcasts 192.168.0.255 > + ''['' 1 -gt 0 '']'' > + run_iptables -A common -d 192.168.0.255 -j DROP > + iptables -A common 
-d 192.168.0.255 -j DROP > + shift > + ''['' 0 -gt 0 '']'' > ++ find_interfaces_by_option dhcp > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search dhcp routefilter norfc1918 > ++ local e=dhcp > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xdhcp = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xdhcp = xnorfc1918 '']'' > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search dhcp > ++ local e=dhcp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search dhcp > ++ local e=dhcp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval ''options=$vmnet8_options'' > +++ options> ++ list_search dhcp > ++ local e=dhcp > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + interfaces> + ''['' -n '''' '']'' > ++ find_interfaces_by_option norfc1918 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ eval ''options=$ppp0_options'' > +++ options=routefilter norfc1918 > ++ list_search norfc1918 routefilter norfc1918 > ++ local e=norfc1918 > ++ ''['' 3 -gt 1 '']'' > ++ shift > ++ ''['' xnorfc1918 = xroutefilter '']'' > ++ ''['' 2 -gt 1 '']'' > ++ shift > ++ ''['' xnorfc1918 = xnorfc1918 '']'' > ++ return 0 > ++ echo ppp0 > +++ chain_base eth0 > +++ local c=eth0 > +++ echo eth0 > ++ eval ''options=$eth0_options'' > +++ options> ++ list_search norfc1918 > ++ local e=norfc1918 > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet1 > +++ local c=vmnet1 > +++ echo vmnet1 > ++ eval ''options=$vmnet1_options'' > +++ options> ++ list_search norfc1918 > ++ local e=norfc1918 > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > +++ chain_base vmnet8 > +++ local c=vmnet8 > +++ echo vmnet8 > ++ eval 
''options=$vmnet8_options'' > +++ options> ++ list_search norfc1918 > ++ local e=norfc1918 > ++ ''['' 1 -gt 1 '']'' > ++ return 1 > + norfc1918_interfaces=ppp0 > + ''['' -n ppp0 '']'' > + echo ''Enabling RFC1918 Filtering'' > + strip_file rfc1918 > + local fname > + ''['' 1 = 1 '']'' > ++ find_file rfc1918 > ++ ''['' -n '''' -a -f /rfc1918 '']'' > ++ echo /etc/shorewall/rfc1918 > + fname=/etc/shorewall/rfc1918 > + ''['' -f /etc/shorewall/rfc1918 '']'' > + read_file /etc/shorewall/rfc1918 0 > + local first rest > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 -- RFC1918 File'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/rfc1918'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Lists the subnetworks that are blocked by the ''\''''norfc1918''\''''interface option.''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# The default list includes those IP addresses listed in RFC 1918,those listed''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# as ''\''''reserved''\'''' by the IANA, the DHCP Autoconfig class B,and the class C''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# reserved for use in documentation and examples.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# SUBNET The subnet (host addresses also allowed)'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# TARGET Where to send packets to/from this subnet'' > + read first rest > + ''['' x# = xINCLUDE 
'']'' > + echo ''# RETURN - let the packet be processed normally'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# DROP - silently drop the packet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# logdrop - log then drop'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''[''x########################################################################### #### = xINCLUDE '']''> + echo''########################################################################### #### ''> + read first rest > + ''['' x#SUBNET = xINCLUDE '']'' > + echo ''#SUBNET TARGET'' > + read first rest > + ''['' x255.255.255.255 = xINCLUDE '']'' > + echo ''255.255.255.255 RETURN # We need to allow limited broadcast'' > + read first rest > + ''['' x169.254.0.0/16 = xINCLUDE '']'' > + echo ''169.254.0.0/16 DROP # DHCP autoconfig'' > + read first rest > + ''['' x172.16.0.0/12 = xINCLUDE '']'' > + echo ''172.16.0.0/12 logdrop # RFC 1918'' > + read first rest > + ''['' x192.0.2.0/24 = xINCLUDE '']'' > + echo ''192.0.2.0/24 logdrop # Example addresses'' > + read first rest > + ''['' x192.168.0.0/16 = xINCLUDE '']'' > + echo ''192.168.0.0/16 logdrop # RFC 1918'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# The following are generated with the help of the Python programfound at:''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# The program was contributed by Andy Wiggin'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x0.0.0.0/7 = xINCLUDE '']'' > + echo ''0.0.0.0/7 logdrop # Reserved'' > + read first rest > + ''['' x2.0.0.0/8 = xINCLUDE 
'']'' > + echo ''2.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x5.0.0.0/8 = xINCLUDE '']'' > + echo ''5.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x7.0.0.0/8 = xINCLUDE '']'' > + echo ''7.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x10.0.0.0/8 = xINCLUDE '']'' > + echo ''10.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x23.0.0.0/8 = xINCLUDE '']'' > + echo ''23.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x27.0.0.0/8 = xINCLUDE '']'' > + echo ''27.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x31.0.0.0/8 = xINCLUDE '']'' > + echo ''31.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x36.0.0.0/7 = xINCLUDE '']'' > + echo ''36.0.0.0/7 logdrop # Reserved'' > + read first rest > + ''['' x39.0.0.0/8 = xINCLUDE '']'' > + echo ''39.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x41.0.0.0/8 = xINCLUDE '']'' > + echo ''41.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x42.0.0.0/8 = xINCLUDE '']'' > + echo ''42.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x49.0.0.0/8 = xINCLUDE '']'' > + echo ''49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98'' > + read first rest > + ''['' x50.0.0.0/8 = xINCLUDE '']'' > + echo ''50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98'' > + read first rest > + ''['' x58.0.0.0/7 = xINCLUDE '']'' > + echo ''58.0.0.0/7 logdrop # Reserved'' > + read first rest > + ''['' x60.0.0.0/8 = xINCLUDE '']'' > + echo ''60.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x70.0.0.0/7 = xINCLUDE '']'' > + echo ''70.0.0.0/7 logdrop # Reserved'' > + read first rest > + ''['' x72.0.0.0/5 = xINCLUDE '']'' > + echo ''72.0.0.0/5 logdrop # Reserved'' > + read first rest > + ''['' x83.0.0.0/8 = xINCLUDE '']'' > + echo ''83.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x84.0.0.0/6 = xINCLUDE '']'' > + echo ''84.0.0.0/6 logdrop # Reserved'' > + read first rest > + ''['' x88.0.0.0/5 = xINCLUDE '']'' > + echo 
''88.0.0.0/5 logdrop # Reserved'' > + read first rest > + ''['' x96.0.0.0/3 = xINCLUDE '']'' > + echo ''96.0.0.0/3 logdrop # Reserved'' > + read first rest > + ''['' x127.0.0.0/8 = xINCLUDE '']'' > + echo ''127.0.0.0/8 logdrop # Loopback'' > + read first rest > + ''['' x197.0.0.0/8 = xINCLUDE '']'' > + echo ''197.0.0.0/8 logdrop # Reserved'' > + read first rest > + ''['' x198.18.0.0/15 = xINCLUDE '']'' > + echo ''198.18.0.0/15 logdrop # Reserved'' > + read first rest > + ''['' x201.0.0.0/8 = xINCLUDE '']'' > + echo ''201.0.0.0/8 logdrop # Reserved - Central & South America'' > + read first rest > + ''['' x240.0.0.0/4 = xINCLUDE '']'' > + echo ''240.0.0.0/4 logdrop # Reserved'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# End of generated entries'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x#LAST = xINCLUDE '']'' > + echo ''#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'' > + read first rest > + cut -d# -f1 > + grep -v ''^[[:space:]]*$'' > + createchain rfc1918 no > + run_iptables -N rfc1918 > + iptables -N rfc1918 > + ''['' no = yes '']'' > + eval rfc1918_exists=Yes > ++ rfc1918_exists=Yes > + createchain logdrop no > + run_iptables -N logdrop > + iptables -N logdrop > + ''['' no = yes '']'' > + eval logdrop_exists=Yes > ++ logdrop_exists=Yes > + log_rule info logdrop DROP > + local level=info > + local chain=logdrop > + local disposition=DROP > + local rulenum> + shift > + shift > + shift > + ''['' -n '''' '']'' > + eval iptables -A logdrop -j LOG --log-level info --log-prefix ''"`printf"$LOGFORMAT" $chain $disposition`"''> +++ printf Shorewall:%s:%s: logdrop DROP > ++ iptables -A logdrop -j LOG --log-level info --log-prefixShorewall:logdrop:DROP:> + ''['' 0 -ne 0 '']'' > + run_iptables -A logdrop -j DROP > + iptables -A logdrop -j DROP > + ''['' -n Yes -a -z '''' '']'' > + run_iptables -t mangle -N man1918 > + 
iptables -t mangle -N man1918 > + run_iptables -t mangle -N logdrop > + iptables -t mangle -N logdrop > + log_rule info logdrop DROP -t mangle > + local level=info > + local chain=logdrop > + local disposition=DROP > + local rulenum> + shift > + shift > + shift > + ''['' -n '''' '']'' > + eval iptables -A logdrop -t mangle -j LOG --log-level info --log-prefix''"`printf "$LOGFORMAT" $chain $disposition`"''> +++ printf Shorewall:%s:%s: logdrop DROP > ++ iptables -A logdrop -t mangle -j LOG --log-level info --log-prefixShorewall:logdrop:DROP:> + ''['' 0 -ne 0 '']'' > + run_iptables -t mangle -A logdrop -j DROP > + iptables -t mangle -A logdrop -j DROP > + read subnet target > + run_iptables2 -A rfc1918 -s 255.255.255.255 -j RETURN > + ''['' ''x-A rfc1918 -s 255.255.255.255 -j RETURN'' = ''x-A rfc1918 -s255.255.255.255 -j RETURN'' '']''> + run_iptables -A rfc1918 -s 255.255.255.255 -j RETURN > + iptables -A rfc1918 -s 255.255.255.255 -j RETURN > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 255.255.255.255 -j RETURN > + ''['' ''x-t mangle -A man1918 -d 255.255.255.255 -j RETURN'' = ''x-tmangle -A man1918 -d 255.255.255.255 -j RETURN'' '']''> + run_iptables -t mangle -A man1918 -d 255.255.255.255 -j RETURN > + iptables -t mangle -A man1918 -d 255.255.255.255 -j RETURN > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 169.254.0.0/16 -j DROP > + ''['' ''x-A rfc1918 -s 169.254.0.0/16 -j DROP'' = ''x-A rfc1918 -s169.254.0.0/16 -j DROP'' '']''> + run_iptables -A rfc1918 -s 169.254.0.0/16 -j DROP > + iptables -A rfc1918 -s 169.254.0.0/16 -j DROP > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 169.254.0.0/16 -j DROP > + ''['' ''x-t mangle -A man1918 -d 169.254.0.0/16 -j DROP'' = ''x-t mangle -Aman1918 -d 169.254.0.0/16 -j DROP'' '']''> + run_iptables -t mangle -A man1918 -d 169.254.0.0/16 -j DROP > + iptables -t mangle -A man1918 -d 169.254.0.0/16 -j DROP > + 
return > + read subnet target > + run_iptables2 -A rfc1918 -s 172.16.0.0/12 -j logdrop > + ''['' ''x-A rfc1918 -s 172.16.0.0/12 -j logdrop'' = ''x-A rfc1918 -s172.16.0.0/12 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop > + iptables -A rfc1918 -s 172.16.0.0/12 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 172.16.0.0/12 -j logdrop'' = ''x-t mangle -Aman1918 -d 172.16.0.0/12 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop > + iptables -t mangle -A man1918 -d 172.16.0.0/12 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 192.0.2.0/24 -j logdrop > + ''['' ''x-A rfc1918 -s 192.0.2.0/24 -j logdrop'' = ''x-A rfc1918 -s192.0.2.0/24 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 192.0.2.0/24 -j logdrop > + iptables -A rfc1918 -s 192.0.2.0/24 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 192.0.2.0/24 -j logdrop'' = ''x-t mangle -Aman1918 -d 192.0.2.0/24 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop > + iptables -t mangle -A man1918 -d 192.0.2.0/24 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 192.168.0.0/16 -j logdrop > + ''['' ''x-A rfc1918 -s 192.168.0.0/16 -j logdrop'' = ''x-A rfc1918 -s192.168.0.0/16 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 192.168.0.0/16 -j logdrop > + iptables -A rfc1918 -s 192.168.0.0/16 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 192.168.0.0/16 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 192.168.0.0/16 -j logdrop'' = ''x-tmangle -A man1918 -d 192.168.0.0/16 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 192.168.0.0/16 -j logdrop > + iptables -t mangle -A 
man1918 -d 192.168.0.0/16 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 0.0.0.0/7 -j logdrop > + ''['' ''x-A rfc1918 -s 0.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s 0.0.0.0/7 -jlogdrop'' '']''> + run_iptables -A rfc1918 -s 0.0.0.0/7 -j logdrop > + iptables -A rfc1918 -s 0.0.0.0/7 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 0.0.0.0/7 -j logdrop'' = ''x-t mangle -Aman1918 -d 0.0.0.0/7 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop > + iptables -t mangle -A man1918 -d 0.0.0.0/7 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 2.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 2.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 2.0.0.0/8 -jlogdrop'' '']''> + run_iptables -A rfc1918 -s 2.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 2.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 2.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 2.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 2.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 5.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 5.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 5.0.0.0/8 -jlogdrop'' '']''> + run_iptables -A rfc1918 -s 5.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 5.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 5.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 5.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 5.0.0.0/8 -j logdrop > + return > + read subnet target > + 
run_iptables2 -A rfc1918 -s 7.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 7.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s 7.0.0.0/8 -jlogdrop'' '']''> + run_iptables -A rfc1918 -s 7.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 7.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 7.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 7.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 7.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 10.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 10.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s10.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 10.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 10.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 10.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 10.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 10.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 23.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 23.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s23.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 23.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 23.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 23.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 23.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 23.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 27.0.0.0/8 -j logdrop > + ''['' 
''x-A rfc1918 -s 27.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s27.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 27.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 27.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 27.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 27.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 27.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 31.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 31.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s31.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 31.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 31.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 31.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 31.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 31.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 36.0.0.0/7 -j logdrop > + ''['' ''x-A rfc1918 -s 36.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s36.0.0.0/7 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 36.0.0.0/7 -j logdrop > + iptables -A rfc1918 -s 36.0.0.0/7 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 36.0.0.0/7 -j logdrop'' = ''x-t mangle -Aman1918 -d 36.0.0.0/7 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop > + iptables -t mangle -A man1918 -d 36.0.0.0/7 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 39.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 39.0.0.0/8 -j logdrop'' = ''x-A 
rfc1918 -s39.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 39.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 39.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 39.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 39.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 39.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 41.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 41.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s41.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 41.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 41.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 41.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 41.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 41.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 42.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 42.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s42.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 42.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 42.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 42.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 42.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 42.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 49.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 49.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s49.0.0.0/8 -j logdrop'' '']''> + 
run_iptables -A rfc1918 -s 49.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 49.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 49.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 49.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 49.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 50.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 50.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s50.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 50.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 50.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 50.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 50.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 50.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 58.0.0.0/7 -j logdrop > + ''['' ''x-A rfc1918 -s 58.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s58.0.0.0/7 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 58.0.0.0/7 -j logdrop > + iptables -A rfc1918 -s 58.0.0.0/7 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 58.0.0.0/7 -j logdrop'' = ''x-t mangle -Aman1918 -d 58.0.0.0/7 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop > + iptables -t mangle -A man1918 -d 58.0.0.0/7 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 60.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 60.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s60.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 60.0.0.0/8 -j logdrop 
> + iptables -A rfc1918 -s 60.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 60.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 60.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 60.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 70.0.0.0/7 -j logdrop > + ''['' ''x-A rfc1918 -s 70.0.0.0/7 -j logdrop'' = ''x-A rfc1918 -s70.0.0.0/7 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 70.0.0.0/7 -j logdrop > + iptables -A rfc1918 -s 70.0.0.0/7 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 70.0.0.0/7 -j logdrop'' = ''x-t mangle -Aman1918 -d 70.0.0.0/7 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop > + iptables -t mangle -A man1918 -d 70.0.0.0/7 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 72.0.0.0/5 -j logdrop > + ''['' ''x-A rfc1918 -s 72.0.0.0/5 -j logdrop'' = ''x-A rfc1918 -s72.0.0.0/5 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 72.0.0.0/5 -j logdrop > + iptables -A rfc1918 -s 72.0.0.0/5 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 72.0.0.0/5 -j logdrop'' = ''x-t mangle -Aman1918 -d 72.0.0.0/5 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop > + iptables -t mangle -A man1918 -d 72.0.0.0/5 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 83.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 83.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s83.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 83.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 83.0.0.0/8 -j logdrop 
> + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 83.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 83.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 83.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 84.0.0.0/6 -j logdrop > + ''['' ''x-A rfc1918 -s 84.0.0.0/6 -j logdrop'' = ''x-A rfc1918 -s84.0.0.0/6 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 84.0.0.0/6 -j logdrop > + iptables -A rfc1918 -s 84.0.0.0/6 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 84.0.0.0/6 -j logdrop'' = ''x-t mangle -Aman1918 -d 84.0.0.0/6 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop > + iptables -t mangle -A man1918 -d 84.0.0.0/6 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 88.0.0.0/5 -j logdrop > + ''['' ''x-A rfc1918 -s 88.0.0.0/5 -j logdrop'' = ''x-A rfc1918 -s88.0.0.0/5 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 88.0.0.0/5 -j logdrop > + iptables -A rfc1918 -s 88.0.0.0/5 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 88.0.0.0/5 -j logdrop'' = ''x-t mangle -Aman1918 -d 88.0.0.0/5 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop > + iptables -t mangle -A man1918 -d 88.0.0.0/5 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 96.0.0.0/3 -j logdrop > + ''['' ''x-A rfc1918 -s 96.0.0.0/3 -j logdrop'' = ''x-A rfc1918 -s96.0.0.0/3 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 96.0.0.0/3 -j logdrop > + iptables -A rfc1918 -s 96.0.0.0/3 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n 
Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 96.0.0.0/3 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 96.0.0.0/3 -j logdrop'' = ''x-t mangle -Aman1918 -d 96.0.0.0/3 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 96.0.0.0/3 -j logdrop > + iptables -t mangle -A man1918 -d 96.0.0.0/3 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 127.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 127.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s127.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 127.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 127.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 127.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 127.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 127.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 197.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 197.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s197.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 197.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 197.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 197.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 197.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 197.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 198.18.0.0/15 -j logdrop > + ''['' ''x-A rfc1918 -s 198.18.0.0/15 -j logdrop'' = ''x-A rfc1918 -s198.18.0.0/15 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 198.18.0.0/15 -j logdrop > + iptables -A rfc1918 -s 198.18.0.0/15 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + 
run_iptables2 -t mangle -A man1918 -d 198.18.0.0/15 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 198.18.0.0/15 -j logdrop'' = ''x-t mangle -Aman1918 -d 198.18.0.0/15 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 198.18.0.0/15 -j logdrop > + iptables -t mangle -A man1918 -d 198.18.0.0/15 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 201.0.0.0/8 -j logdrop > + ''['' ''x-A rfc1918 -s 201.0.0.0/8 -j logdrop'' = ''x-A rfc1918 -s201.0.0.0/8 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 201.0.0.0/8 -j logdrop > + iptables -A rfc1918 -s 201.0.0.0/8 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 201.0.0.0/8 -j logdrop'' = ''x-t mangle -Aman1918 -d 201.0.0.0/8 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop > + iptables -t mangle -A man1918 -d 201.0.0.0/8 -j logdrop > + return > + read subnet target > + run_iptables2 -A rfc1918 -s 240.0.0.0/4 -j logdrop > + ''['' ''x-A rfc1918 -s 240.0.0.0/4 -j logdrop'' = ''x-A rfc1918 -s240.0.0.0/4 -j logdrop'' '']''> + run_iptables -A rfc1918 -s 240.0.0.0/4 -j logdrop > + iptables -A rfc1918 -s 240.0.0.0/4 -j logdrop > + return > + ''['' -n '''' '']'' > + ''['' -n Yes '']'' > + run_iptables2 -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop > + ''['' ''x-t mangle -A man1918 -d 240.0.0.0/4 -j logdrop'' = ''x-t mangle -Aman1918 -d 240.0.0.0/4 -j logdrop'' '']''> + run_iptables -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop > + iptables -t mangle -A man1918 -d 240.0.0.0/4 -j logdrop > + return > + read subnet target > ++ first_chains ppp0 > +++ chain_base ppp0 > +++ local c=ppp0 > +++ echo ppp0 > ++ local c=ppp0 > ++ echo ppp0_fwd ppp0_in > + run_iptables -A ppp0_fwd -m state --state NEW -j rfc1918 > + iptables -A ppp0_fwd -m state --state NEW -j rfc1918 > + run_iptables -A ppp0_in -m state --state NEW -j rfc1918 > + iptables -A ppp0_in -m 
+ ''['' 4 -gt 1 '']'' > + shift > + ''['' xfw = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xfw = xloc '']'' > + ''['' 2 -gt 1 '']'' > + shift > + ''['' xfw = xfw '']'' > + return 0 > + source=fw > + ''['' fw = fw '']'' > + source_hosts> + ''['' loc = loc '']'' > + serverzone=loc > + servers> + serverport> + validate_zone loc > + list_search loc net loc fw > + local e=loc > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xloc = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xloc = xloc '']'' > + return 0 > + dest=loc > + chain=fw2loc > + eval ''policy=$fw2loc_policy'' > ++ policy=ACCEPT > + ''['' ACCEPT = NONE '']'' > + ''['' xfw2loc = xfw2fw '']'' > + ''['' start = check '']'' > + ensurechain fw2loc > + havechain fw2loc > + eval test ''"$fw2loc_exists"'' = Yes > ++ test '''' = Yes > + createchain fw2loc yes > + run_iptables -N fw2loc > + iptables -N fw2loc > + ''['' yes = yes '']'' > + run_iptables -A fw2loc -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A fw2loc -m state --state ESTABLISHED,RELATED -j ACCEPT > + ''['' -z '''' '']'' > + run_iptables -A fw2loc -m state --state NEW -p tcp ''!'' --syn -jnewnotsyn> + iptables -A fw2loc -m state --state NEW -p tcp ''!'' --syn -j newnotsyn > + eval fw2loc_exists=Yes > ++ fw2loc_exists=Yes > ++ list_count 8 > +++ separate_list 8 > +++ local list > +++ local part > +++ local newlist > +++ list=8 > +++ part=8 > +++ newlist=8 > +++ ''['' x8 ''!='' x8 '']'' > +++ echo 8 > ++ arg_count 8 > ++ echo 1 > ++ list_count > +++ separate_list > +++ local list > +++ local part > +++ local newlist > +++ list> +++ part> +++ newlist> +++ ''['' x ''!='' x '']'' > +++ echo '''' > ++ arg_count > ++ echo 0 > + ''['' -n Yes -a 8 = 8 -a '''' = '''' -a 1 -le 15 -a 0 -le 15 '']'' > + multioption=-m multiport > ++ separate_list - > ++ local list > ++ local part > ++ local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- ''!='' x- '']'' > ++ echo - > ++ separate_list - > ++ local list > ++ local part > ++ 
local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- ''!='' x- '']'' > ++ echo - > + port=8 > + cport=- > + add_a_rule > + local natrule> + cli> + dest_interface> + serv> + sports> + dports> + state=-m state --state NEW > + proto=icmp > + addr> + servport> + multiport> + ''['' x8 = x- '']'' > + ''['' x- = x- '']'' > + cport> + ''['' -n 8 '']'' > + dports=--icmp-type 8 > + state> + proto=-p icmp > + ''['' -z ''-p icmp'' -a -z '''' -a -z '''' -a -z '''' -a ACCEPT ''!='' LOG '']'' > + ''['' -n '''' '']'' > + ''['' -n '''' '']'' > + ''['' start ''!='' check '']'' > + ''['' -n '''' '']'' > + ''['' ACCEPT ''!='' LOG '']'' > + run_iptables2 -A fw2loc -p icmp --icmp-type 8 -j ACCEPT > + ''['' ''x-A fw2loc -p icmp --icmp-type 8 -j ACCEPT'' = ''x-A fw2loc -picmp --icmp-type 8 -j ACCEPT'' '']''> + run_iptables -A fw2loc -p icmp --icmp-type 8 -j ACCEPT > + iptables -A fw2loc -p icmp --icmp-type 8 -j ACCEPT > + return > + ''['' start = check '']'' > + echo '' Rule "ACCEPT fw loc icmp 8" added.'' > + read xtarget xclients xservers xprotocol xports xcports xaddress > + expandv xclients xservers xprotocol xports xcports xaddress > + local varval > + ''['' 6 -gt 0 '']'' > + eval ''varval=$xclients'' > ++ varval=fw > + eval ''xclients="fw"'' > ++ xclients=fw > + shift > + ''['' 5 -gt 0 '']'' > + eval ''varval=$xservers'' > ++ varval=net > + eval ''xservers="net"'' > ++ xservers=net > + shift > + ''['' 4 -gt 0 '']'' > + eval ''varval=$xprotocol'' > ++ varval=icmp > + eval ''xprotocol="icmp"'' > ++ xprotocol=icmp > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$xports'' > ++ varval=8 > + eval ''xports="8"'' > ++ xports=8 > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$xcports'' > ++ varval> + eval ''xcports=""'' > ++ xcports> + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$xaddress'' > ++ varval> + eval ''xaddress=""'' > ++ xaddress> + shift > + ''['' 0 -gt 0 '']'' > + ''['' xfw = xall '']'' > + ''['' xnet = xall '']'' > + process_rule ACCEPT fw net icmp 8 > 
+ local target=ACCEPT > + local clients=fw > + local servers=net > + local protocol=icmp > + local ports=8 > + local cports> + local address> ++ echo ACCEPT fw net icmp 8 > + local ''rule=ACCEPT fw net icmp 8'' > + ''['' ACCEPT = ACCEPT '']'' > + loglevel> + logtarget=ACCEPT > + dnat_only> + ''['' x = x- '']'' > + ''['' fw = fw '']'' > + clientzone=fw > + clients> + ''['' fw = fw '']'' > + excludezones> + validate_zone fw > + list_search fw net loc fw > + local e=fw > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xfw = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xfw = xloc '']'' > + ''['' 2 -gt 1 '']'' > + shift > + ''['' xfw = xfw '']'' > + return 0 > + source=fw > + ''['' fw = fw '']'' > + source_hosts> + ''['' net = net '']'' > + serverzone=net > + servers> + serverport> + validate_zone net > + list_search net net loc fw > + local e=net > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xnet = xnet '']'' > + return 0 > + dest=net > + chain=fw2net > + eval ''policy=$fw2net_policy'' > ++ policy=ACCEPT > + ''['' ACCEPT = NONE '']'' > + ''['' xfw2net = xfw2fw '']'' > + ''['' start = check '']'' > + ensurechain fw2net > + havechain fw2net > + eval test ''"$fw2net_exists"'' = Yes > ++ test Yes = Yes > ++ list_count 8 > +++ separate_list 8 > +++ local list > +++ local part > +++ local newlist > +++ list=8 > +++ part=8 > +++ newlist=8 > +++ ''['' x8 ''!='' x8 '']'' > +++ echo 8 > ++ arg_count 8 > ++ echo 1 > ++ list_count > +++ separate_list > +++ local list > +++ local part > +++ local newlist > +++ list> +++ part> +++ newlist> +++ ''['' x ''!='' x '']'' > +++ echo '''' > ++ arg_count > ++ echo 0 > + ''['' -n Yes -a 8 = 8 -a '''' = '''' -a 1 -le 15 -a 0 -le 15 '']'' > + multioption=-m multiport > ++ separate_list - > ++ local list > ++ local part > ++ local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- ''!='' x- '']'' > ++ echo - > ++ separate_list - > ++ local list > ++ local part > ++ local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- 
''!='' x- '']'' > ++ echo - > + port=8 > + cport=- > + add_a_rule > + local natrule> + cli> + dest_interface> + serv> + sports> + dports> + state=-m state --state NEW > + proto=icmp > + addr> + servport> + multiport> + ''['' x8 = x- '']'' > + ''['' x- = x- '']'' > + cport> + ''['' -n 8 '']'' > + dports=--icmp-type 8 > + state> + proto=-p icmp > + ''['' -z ''-p icmp'' -a -z '''' -a -z '''' -a -z '''' -a ACCEPT ''!='' LOG '']'' > + ''['' -n '''' '']'' > + ''['' -n '''' '']'' > + ''['' start ''!='' check '']'' > + ''['' -n '''' '']'' > + ''['' ACCEPT ''!='' LOG '']'' > + run_iptables2 -A fw2net -p icmp --icmp-type 8 -j ACCEPT > + ''['' ''x-A fw2net -p icmp --icmp-type 8 -j ACCEPT'' = ''x-A fw2net -picmp --icmp-type 8 -j ACCEPT'' '']''> + run_iptables -A fw2net -p icmp --icmp-type 8 -j ACCEPT > + iptables -A fw2net -p icmp --icmp-type 8 -j ACCEPT > + return > + ''['' start = check '']'' > + echo '' Rule "ACCEPT fw net icmp 8" added.'' > + read xtarget xclients xservers xprotocol xports xcports xaddress > + expandv xclients xservers xprotocol xports xcports xaddress > + local varval > + ''['' 6 -gt 0 '']'' > + eval ''varval=$xclients'' > ++ varval=net > + eval ''xclients="net"'' > ++ xclients=net > + shift > + ''['' 5 -gt 0 '']'' > + eval ''varval=$xservers'' > ++ varval=fw > + eval ''xservers="fw"'' > ++ xservers=fw > + shift > + ''['' 4 -gt 0 '']'' > + eval ''varval=$xprotocol'' > ++ varval=tcp > + eval ''xprotocol="tcp"'' > ++ xprotocol=tcp > + shift > + ''['' 3 -gt 0 '']'' > + eval ''varval=$xports'' > ++ varval=22 > + eval ''xports="22"'' > ++ xports=22 > + shift > + ''['' 2 -gt 0 '']'' > + eval ''varval=$xcports'' > ++ varval> + eval ''xcports=""'' > ++ xcports> + shift > + ''['' 1 -gt 0 '']'' > + eval ''varval=$xaddress'' > ++ varval> + eval ''xaddress=""'' > ++ xaddress> + shift > + ''['' 0 -gt 0 '']'' > + ''['' xnet = xall '']'' > + ''['' xfw = xall '']'' > + process_rule ACCEPT net fw tcp 22 > + local target=ACCEPT > + local clients=net > + local servers=fw > 
+ local protocol=tcp > + local ports=22 > + local cports> + local address> ++ echo ACCEPT net fw tcp 22 > + local ''rule=ACCEPT net fw tcp 22'' > + ''['' ACCEPT = ACCEPT '']'' > + loglevel> + logtarget=ACCEPT > + dnat_only> + ''['' x = x- '']'' > + ''['' net = net '']'' > + clientzone=net > + clients> + ''['' net = net '']'' > + excludezones> + validate_zone net > + list_search net net loc fw > + local e=net > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xnet = xnet '']'' > + return 0 > + source=net > + ''['' net = fw '']'' > + eval ''source_hosts="$net_hosts"'' > ++ source_hosts=ppp0:0.0.0.0/0 > + ''['' fw = fw '']'' > + serverzone=fw > + servers> + serverport> + validate_zone fw > + list_search fw net loc fw > + local e=fw > + ''['' 4 -gt 1 '']'' > + shift > + ''['' xfw = xnet '']'' > + ''['' 3 -gt 1 '']'' > + shift > + ''['' xfw = xloc '']'' > + ''['' 2 -gt 1 '']'' > + shift > + ''['' xfw = xfw '']'' > + return 0 > + dest=fw > + chain=net2fw > + eval ''policy=$net2fw_policy'' > ++ policy=DROP > + ''['' DROP = NONE '']'' > + ''['' xnet2fw = xfw2fw '']'' > + ''['' start = check '']'' > + ensurechain net2fw > + havechain net2fw > + eval test ''"$net2fw_exists"'' = Yes > ++ test Yes = Yes > ++ list_count 22 > +++ separate_list 22 > +++ local list > +++ local part > +++ local newlist > +++ list=22 > +++ part=22 > +++ newlist=22 > +++ ''['' x22 ''!='' x22 '']'' > +++ echo 22 > ++ arg_count 22 > ++ echo 1 > ++ list_count > +++ separate_list > +++ local list > +++ local part > +++ local newlist > +++ list> +++ part> +++ newlist> +++ ''['' x ''!='' x '']'' > +++ echo '''' > ++ arg_count > ++ echo 0 > + ''['' -n Yes -a 22 = 22 -a '''' = '''' -a 1 -le 15 -a 0 -le 15 '']'' > + multioption=-m multiport > ++ separate_list - > ++ local list > ++ local part > ++ local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- ''!='' x- '']'' > ++ echo - > ++ separate_list - > ++ local list > ++ local part > ++ local newlist > ++ list=- > ++ part=- > ++ newlist=- > ++ ''['' x- 
''!='' x- '']'' > ++ echo - > + port=22 > + cport=- > + add_a_rule > + local natrule> + cli> + dest_interface> + serv> + sports> + dports> + state=-m state --state NEW > + proto=tcp > + addr> + servport> + multiport> + ''['' x22 = x- '']'' > + ''['' x- = x- '']'' > + cport> + ''['' -n 22 '']'' > + dports=--dport > + ''['' -n ''-m multiport'' -a 22 ''!='' 22 '']'' > + dports=--dport 22 > + ''['' -n '''' '']'' > + proto=-p tcp > + ''['' -z ''-p tcp'' -a -z '''' -a -z '''' -a -z '''' -a ACCEPT ''!='' LOG '']'' > + ''['' -n '''' '']'' > + ''['' -n '''' '']'' > + ''['' start ''!='' check '']'' > + ''['' -n '''' '']'' > + ''['' ACCEPT ''!='' LOG '']'' > + run_iptables2 -A net2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT > + ''['' ''x-A net2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT'' = ''x-Anet2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT'' '']''> + run_iptables -A net2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT > + iptables -A net2fw -p tcp -m state --state NEW --dport 22 -j ACCEPT > + return > + ''['' start = check '']'' > + echo '' Rule "ACCEPT net fw tcp 22" added.'' > + read xtarget xclients xservers xprotocol xports xcports xaddress > ++ find_file policy > ++ ''['' -n '''' -a -f /policy '']'' > ++ echo /etc/shorewall/policy > + policy=/etc/shorewall/policy > + echo ''Processing /etc/shorewall/policy...'' > + apply_policy_rules > + eval ''policy=$loc2net_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$loc2net_loglevel'' > ++ loglevel> + eval ''synparams=$loc2net_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain loc2net > + eval test ''"$loc2net_exists"'' = Yes > ++ test '''' = Yes > + createchain loc2net yes > + run_iptables -N loc2net > + iptables -N loc2net > + ''['' yes = yes '']'' > + run_iptables -A loc2net -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A loc2net -m state --state ESTABLISHED,RELATED -j ACCEPT > + ''['' -z '''' '']'' > + run_iptables -A loc2net -m state --state NEW -p tcp ''!'' --syn 
-jnewnotsyn> + iptables -A loc2net -m state --state NEW -p tcp ''!'' --syn -j newnotsyn > + eval loc2net_exists=Yes > ++ loc2net_exists=Yes > + ''['' -n '''' '']'' > + eval ''policy=$loc2fw_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$loc2fw_loglevel'' > ++ loglevel> + eval ''synparams=$loc2fw_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain loc2fw > + eval test ''"$loc2fw_exists"'' = Yes > ++ test Yes = Yes > + ''['' -n '''' '']'' > + eval ''policy=$fw2net_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$fw2net_loglevel'' > ++ loglevel> + eval ''synparams=$fw2net_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain fw2net > + eval test ''"$fw2net_exists"'' = Yes > ++ test Yes = Yes > + ''['' -n '''' '']'' > + eval ''policy=$fw2loc_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$fw2loc_loglevel'' > ++ loglevel> + eval ''synparams=$fw2loc_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain fw2loc > + eval test ''"$fw2loc_exists"'' = Yes > ++ test Yes = Yes > + ''['' -n '''' '']'' > + eval ''policy=$net2all_policy'' > ++ policy=DROP > + eval ''loglevel=$net2all_loglevel'' > ++ loglevel=info > + eval ''synparams=$net2all_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain net2all > + eval test ''"$net2all_exists"'' = Yes > ++ test '''' = Yes > + createchain net2all yes > + run_iptables -N net2all > + iptables -N net2all > + ''['' yes = yes '']'' > + run_iptables -A net2all -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A net2all -m state --state ESTABLISHED,RELATED -j ACCEPT > + ''['' -z '''' '']'' > + run_iptables -A net2all -m state --state NEW -p tcp ''!'' --syn -jnewnotsyn> + iptables -A net2all -m state --state NEW -p tcp ''!'' --syn -j newnotsyn > + eval net2all_exists=Yes > ++ net2all_exists=Yes > + policy_rules net2all DROP info > + local target=DROP > + run_iptables -A net2all -j common > + iptables -A net2all -j common > + ''['' 3 -eq 3 -a xinfo ''!='' x- '']'' > + log_rule info net2all 
DROP > + local level=info > + local chain=net2all > + local disposition=DROP > + local rulenum> + shift > + shift > + shift > + ''['' -n '''' '']'' > + eval iptables -A net2all -j LOG --log-level info --log-prefix ''"`printf"$LOGFORMAT" $chain $disposition`"''> +++ printf Shorewall:%s:%s: net2all DROP > ++ iptables -A net2all -j LOG --log-level info --log-prefixShorewall:net2all:DROP:> + ''['' 0 -ne 0 '']'' > + ''['' -n DROP '']'' > + run_iptables -A net2all -j DROP > + iptables -A net2all -j DROP > + ''['' -n '''' '']'' > + eval ''policy=$all2all_policy'' > ++ policy=REJECT > + eval ''loglevel=$all2all_loglevel'' > ++ loglevel=info > + eval ''synparams=$all2all_synparams'' > ++ synparams> + ''['' -n '''' '']'' > + havechain all2all > + eval test ''"$all2all_exists"'' = Yes > ++ test '''' = Yes > + createchain all2all yes > + run_iptables -N all2all > + iptables -N all2all > + ''['' yes = yes '']'' > + run_iptables -A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT > + iptables -A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT > + ''['' -z '''' '']'' > + run_iptables -A all2all -m state --state NEW -p tcp ''!'' --syn -jnewnotsyn> + iptables -A all2all -m state --state NEW -p tcp ''!'' --syn -j newnotsyn > + eval all2all_exists=Yes > ++ all2all_exists=Yes > + policy_rules all2all REJECT info > + local target=REJECT > + run_iptables -A all2all -j common > + iptables -A all2all -j common > + target=reject > + ''['' 3 -eq 3 -a xinfo ''!='' x- '']'' > + log_rule info all2all REJECT > + local level=info > + local chain=all2all > + local disposition=REJECT > + local rulenum> + shift > + shift > + shift > + ''['' -n '''' '']'' > + eval iptables -A all2all -j LOG --log-level info --log-prefix ''"`printf"$LOGFORMAT" $chain $disposition`"''> +++ printf Shorewall:%s:%s: all2all REJECT > ++ iptables -A all2all -j LOG --log-level info --log-prefixShorewall:all2all:REJECT:> + ''['' 0 -ne 0 '']'' > + ''['' -n reject '']'' > + run_iptables -A all2all -j reject > + 
iptables -A all2all -j reject > + ''['' -n '''' '']'' > + chain=fw2fw > + havechain fw2fw > + eval test ''"$fw2fw_exists"'' = Yes > ++ test '''' = Yes > + chain=fw2net > + havechain fw2net > + eval test ''"$fw2net_exists"'' = Yes > ++ test Yes = Yes > + run_user_exit fw2net > ++ find_file fw2net > ++ ''['' -n '''' -a -f /fw2net '']'' > ++ echo /etc/shorewall/fw2net > + local user_exit=/etc/shorewall/fw2net > + ''['' -f /etc/shorewall/fw2net '']'' > + default_policy fw net > + local chain=fw2net > + local policy> + local loglevel> + local chain1 > + eval ''chain1=$fw2net_policychain'' > ++ chain1=fw2net > + ''['' -n fw2net '']'' > + apply_default fw net > + eval ''policy=$fw2net_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$fw2net_loglevel'' > ++ loglevel> + eval ''synparams=$fw2net_synparams'' > ++ synparams> + ''['' fw2net = fw2net '']'' > + policy_rules fw2net ACCEPT > + local target=ACCEPT > + ''['' 2 -eq 3 -a x ''!='' x- '']'' > + ''['' -n ACCEPT '']'' > + run_iptables -A fw2net -j ACCEPT > + iptables -A fw2net -j ACCEPT > + echo '' Policy ACCEPT for fw to net using chain fw2net'' > + chain=fw2loc > + havechain fw2loc > + eval test ''"$fw2loc_exists"'' = Yes > ++ test Yes = Yes > + run_user_exit fw2loc > ++ find_file fw2loc > ++ ''['' -n '''' -a -f /fw2loc '']'' > ++ echo /etc/shorewall/fw2loc > + local user_exit=/etc/shorewall/fw2loc > + ''['' -f /etc/shorewall/fw2loc '']'' > + default_policy fw loc > + local chain=fw2loc > + local policy> + local loglevel> + local chain1 > + eval ''chain1=$fw2loc_policychain'' > ++ chain1=fw2loc > + ''['' -n fw2loc '']'' > + apply_default fw loc > + eval ''policy=$fw2loc_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$fw2loc_loglevel'' > ++ loglevel> + eval ''synparams=$fw2loc_synparams'' > ++ synparams> + ''['' fw2loc = fw2loc '']'' > + policy_rules fw2loc ACCEPT > + local target=ACCEPT > + ''['' 2 -eq 3 -a x ''!='' x- '']'' > + ''['' -n ACCEPT '']'' > + run_iptables -A fw2loc -j ACCEPT > + iptables -A fw2loc -j ACCEPT > 
+ echo '' Policy ACCEPT for fw to loc using chain fw2loc'' > + chain=net2fw > + havechain net2fw > + eval test ''"$net2fw_exists"'' = Yes > ++ test Yes = Yes > + run_user_exit net2fw > ++ find_file net2fw > ++ ''['' -n '''' -a -f /net2fw '']'' > ++ echo /etc/shorewall/net2fw > + local user_exit=/etc/shorewall/net2fw > + ''['' -f /etc/shorewall/net2fw '']'' > + default_policy net fw > + local chain=net2fw > + local policy> + local loglevel> + local chain1 > + eval ''chain1=$net2fw_policychain'' > ++ chain1=net2all > + ''['' -n net2all '']'' > + apply_default net fw > + eval ''policy=$net2all_policy'' > ++ policy=DROP > + eval ''loglevel=$net2all_loglevel'' > ++ loglevel=info > + eval ''synparams=$net2all_synparams'' > ++ synparams> + ''['' net2fw = net2all '']'' > + ''['' -n '''' '']'' > + jump_to_policy_chain > + run_iptables -A net2fw -j net2all > + iptables -A net2fw -j net2all > + chain=net2all > + echo '' Policy DROP for net to fw using chain net2all'' > + chain=net2net > + havechain net2net > + eval test ''"$net2net_exists"'' = Yes > ++ test '''' = Yes > + chain=net2loc > + havechain net2loc > + eval test ''"$net2loc_exists"'' = Yes > ++ test '''' = Yes > + chain=loc2fw > + havechain loc2fw > + eval test ''"$loc2fw_exists"'' = Yes > ++ test Yes = Yes > + run_user_exit loc2fw > ++ find_file loc2fw > ++ ''['' -n '''' -a -f /loc2fw '']'' > ++ echo /etc/shorewall/loc2fw > + local user_exit=/etc/shorewall/loc2fw > + ''['' -f /etc/shorewall/loc2fw '']'' > + default_policy loc fw > + local chain=loc2fw > + local policy> + local loglevel> + local chain1 > + eval ''chain1=$loc2fw_policychain'' > ++ chain1=loc2fw > + ''['' -n loc2fw '']'' > + apply_default loc fw > + eval ''policy=$loc2fw_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$loc2fw_loglevel'' > ++ loglevel> + eval ''synparams=$loc2fw_synparams'' > ++ synparams> + ''['' loc2fw = loc2fw '']'' > + policy_rules loc2fw ACCEPT > + local target=ACCEPT > + ''['' 2 -eq 3 -a x ''!='' x- '']'' > + ''['' -n ACCEPT '']'' 
> + run_iptables -A loc2fw -j ACCEPT > + iptables -A loc2fw -j ACCEPT > + echo '' Policy ACCEPT for loc to fw using chain loc2fw'' > + chain=loc2net > + havechain loc2net > + eval test ''"$loc2net_exists"'' = Yes > ++ test Yes = Yes > + run_user_exit loc2net > ++ find_file loc2net > ++ ''['' -n '''' -a -f /loc2net '']'' > ++ echo /etc/shorewall/loc2net > + local user_exit=/etc/shorewall/loc2net > + ''['' -f /etc/shorewall/loc2net '']'' > + default_policy loc net > + local chain=loc2net > + local policy> + local loglevel> + local chain1 > + eval ''chain1=$loc2net_policychain'' > ++ chain1=loc2net > + ''['' -n loc2net '']'' > + apply_default loc net > + eval ''policy=$loc2net_policy'' > ++ policy=ACCEPT > + eval ''loglevel=$loc2net_loglevel'' > ++ loglevel> + eval ''synparams=$loc2net_synparams'' > ++ synparams> + ''['' loc2net = loc2net '']'' > + policy_rules loc2net ACCEPT > + local target=ACCEPT > + ''['' 2 -eq 3 -a x ''!='' x- '']'' > + ''['' -n ACCEPT '']'' > + run_iptables -A loc2net -j ACCEPT > + iptables -A loc2net -j ACCEPT > + echo '' Policy ACCEPT for loc to net using chain loc2net'' > + chain=loc2loc > + havechain loc2loc > + eval test ''"$loc2loc_exists"'' = Yes > ++ test '''' = Yes > ++ find_file masq > ++ ''['' -n '''' -a -f /masq '']'' > ++ echo /etc/shorewall/masq > + masq=/etc/shorewall/masq > + ''['' -f /etc/shorewall/masq '']'' > + setup_masq /etc/shorewall/masq > + strip_file masq /etc/shorewall/masq > + local fname > + ''['' 2 = 1 '']'' > + fname=/etc/shorewall/masq > + ''['' -f /etc/shorewall/masq '']'' > + read_file /etc/shorewall/masq 0 > + local first rest > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Shorewall 1.4 - Masquerade file'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/masq'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read 
first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Use this file to define dynamic NAT (Masquerading) and to defineSource NAT''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# (SNAT).'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Columns are:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE -- Outgoing interface. This is usually your internet'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interface. If ADD_SNAT_ALIASES=Yes in'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/shorewall.conf, you may add ":" and'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# a digit to indicate that you want the alias added with'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# that name (e.g., eth0:0). This will allow the alias to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# be displayed with ifconfig. THAT IS THE ONLY USE FOR'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# PLACE IN YOUR SHOREWALL CONFIGURATION.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This may be qualified by adding the character'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ":" followed by a destination host or subnet.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# SUBNET -- Subnet that you wish to masquerade. You can specifythis as''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# a subnet or as an interface. 
If you give the name of an'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# interface, you must have iproute installed and the interface'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# must be up before you start the firewall.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# In order to exclude a subset of the specified SUBNET, you'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# may append "!" and a comma-separated list of IP addresses'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# and/or subnets that you wish to exclude.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example: eth1!192.168.1.4,192.168.32.0/27'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# In that example traffic from eth1 would be masqueraded unless'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# it came from 192.168.1.4 or 196.168.32.0/27'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ADDRESS -- (Optional). If you specify an address here, SNATwill be''> + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# used and this will be the source address. 
If'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# ADD_SNAT_ALIASES is set to Yes or yes in'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# /etc/shorewall/shorewall.conf then Shorewall'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# will automatically add this address to the'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# INTERFACE named in the first column.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# You may also specify a range of up to 256'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# IP addresses if you want the SNAT address to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# be assigned from that range in a round-robin'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# range by connection. The range is specified by'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# <first ip in range>-<last ip in range>.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example: 206.124.146.177-206.124.146.180'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# This column may not contain DNS Names.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# Example 1:'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# '' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# You have a simple masquerading setup where eth0 connects to'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# a DSL or cable modem and eth1 connects to your local network'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# with subnet 192.168.0.0/24.'' > + read first rest > + ''['' x# = xINCLUDE '']'' > + echo ''# 
'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Your entry in the file can be either:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# eth0 eth1'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# or'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# eth0 192.168.0.0/24'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example 2:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# You add a router to your local network to connect subnet'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# 192.168.1.0/24 which you also want to masquerade. You then'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# add a second entry for eth0 to this file:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# eth0 192.168.1.0/24'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example 3:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# You have an IPSEC tunnel through ipsec0 and you want to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# masquerade packets coming from 192.168.1.0/24 but only if'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# these packets are destined for hosts in 10.1.1.0/24:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# ipsec0:10.1.1.0/24 196.168.1.0/24'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# Example 4:'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# You want all outgoing traffic from 192.168.1.0/24 through'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# eth0 to use source address 206.124.146.176 which is NOT the'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# primary address of eth0. You want 206.124.146.176 added to'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# be added to eth0 with name eth0:0.'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# eth0:0 192.168.1.0/24 206.124.146.176'
> + read first rest
> + '[' x# = xINCLUDE ']'
> + echo '# '
> + read first rest
> + '[' x############################################################################## = xINCLUDE ']'
> + echo '##############################################################################'
> + read first rest
> + '[' x#INTERFACE = xINCLUDE ']'
> + echo '#INTERFACE SUBNET ADDRESS'
> + read first rest
> + '[' xppp0 = xINCLUDE ']'
> + echo 'ppp0 eth0'
> + read first rest
> + '[' xppp0 = xINCLUDE ']'
> + echo 'ppp0 192.168.58.0/24'
> + read first rest
> + '[' x#LAST = xINCLUDE ']'
> + echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
> + read first rest
> + cut -d# -f1
> + grep -v '^[[:space:]]*$'
> + '[' -n Yes ']'
> + echo 'Masqueraded Subnets and Hosts:'
> + read fullinterface subnet address
> + expandv fullinterface subnet address
> + local varval
> + '[' 3 -gt 0 ']'
> + eval 'varval=$fullinterface'
> ++ varval=ppp0
> + eval 'fullinterface="ppp0"'
> ++ fullinterface=ppp0
> + shift
> + '[' 2 -gt 0 ']'
> + eval 'varval=$subnet'
> ++ varval=eth0
> + eval 'subnet="eth0"'
> ++ subnet=eth0
> + shift
> + '[' 1 -gt 0 ']'
> + eval 'varval=$address'
> ++ varval=
> + eval 'address=""'
> ++ address=
> + shift
> + '[' 0 -gt 0 ']'
> + '[' -n Yes ']'
> + setup_one
> + local using
> + destnet=0.0.0.0/0
> + interface=ppp0
> + list_search ppp0 ppp0 eth0 vmnet1 vmnet8
> + local e=ppp0
> + '[' 5 -gt 1 ']'
> + shift
> + '[' xppp0 = xppp0 ']'
> + return 0
> + '[' eth0 = eth0 ']'
> + nomasq=
> ++ masq_chain ppp0
> +++ chain_base ppp0
> +++ local c=ppp0
> +++ echo ppp0
> ++ echo ppp0_masq
> + chain=ppp0_masq
> + iface=
> + source=eth0
> ++ get_routed_subnets eth0
> ++ local address
> ++ local rest
> ++ ip route show dev eth0
> ++ read address rest
> ++ '[' x192.168.0.0/24 = xdefault ']'
> ++ '[' 192.168.0.0/24 = 192.168.0.0 ']'
> ++ echo 192.168.0.0/24
> ++ read address rest
> + subnets=192.168.0.0/24
> + '[' -z 192.168.0.0/24 ']'
> + subnet=192.168.0.0/24
> + '[' -n '' -a -n '' ']'
> + destination=0.0.0.0/0
> + '[' -n '' ']'
> + destnet=-d 0.0.0.0/0
> + '[' -n 192.168.0.0/24 ']'
> + '[' -n '' ']'
> + addnatrule ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + ensurenatchain ppp0_masq
> + havenatchain ppp0_masq
> + eval test '"$ppp0_masq_nat_exists"' = Yes
> ++ test '' = Yes
> + createnatchain ppp0_masq
> + run_iptables -t nat -N ppp0_masq
> + iptables -t nat -N ppp0_masq
> + eval ppp0_masq_nat_exists=Yes
> ++ ppp0_masq_nat_exists=Yes
> + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
> + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + set +x
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Duncan Sands
2003-Sep-24 03:46 UTC
[Shorewall-users] Re: Masquerading failure due to 2.6test kernel strictness
Hi Tom, thanks for your reply. I'm sorry I've taken so long to write back.

> On Wed, 10 Sep 2003, Duncan Sands wrote:
> > In the iptables (v1.2.8) man page it states:
> >
> > MASQUERADE
> > This target is only valid in the nat table, in the
> > POSTROUTING chain.
> >
> > However shorewall does the following:
> >
> > + iptables -t nat -N ppp0_masq
> > + eval ppp0_masq_nat_exists=Yes
> > ++ ppp0_masq_nat_exists=Yes
> > + run_iptables2 -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> > + '[' 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']'
> > + run_iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> > + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
> >
> > Note the -j MASQUERADE with the ppp0_masq chain. This is invalid according to the above man page
> > snippet.
> >
>
> NO IT IS NOT -- Note the "-t nat" which specifies that the
> Shorewall-generated rule applies to the NAT table. You probably have a
> kernel/iptables mismatch.

I wasn't referring to the "only valid in the nat table" part, I was referring to the "in the POSTROUTING chain" bit. The same command line that fails with -A ppp0_masq succeeds with -A POSTROUTING.

This behaviour has now been backported to 2.4: the latest 2.4.23-pre kernels exhibit it. I expect you will soon be enjoying much email about this :)

Since v1.2.8 is the latest release of iptables, I doubt it is due to a kernel/iptables mismatch, though of course this is possible. I will try the CVS version of iptables.

All the best,

Duncan.
Tom Eastep
2003-Sep-24 06:50 UTC
[Shorewall-users] Re: Masquerading failure due to 2.6test kernel strictness
On Wed, 2003-09-24 at 03:47, Duncan Sands wrote:

> This behaviour has now been backported to 2.4: the latest 2.4.23-pre kernels exhibit it.
> I expect you will soon be enjoying much email about this :)

And I hope you are pestering the Netfilter team about this regression also.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Duncan Sands
2003-Sep-24 09:09 UTC
[Shorewall-users] Re: Masquerading failure due to 2.6test kernel strictness
On Wednesday 24 September 2003 15:50, Tom Eastep wrote:

> On Wed, 2003-09-24 at 03:47, Duncan Sands wrote:
> > This behaviour has now been backported to 2.4: the latest 2.4.23-pre
> > kernels exhibit it. I expect you will soon be enjoying much email about
> > this :)
>
> And I hope you are pestering the Netfilter team about this regression
> also.

Hi Tom, I didn't consider it a regression because it seems to be enforcing the documented behaviour. However I am happy to pester the netfilter team and will now do so.

All the best,

Duncan.
Tom Eastep
2003-Sep-24 09:21 UTC
[Shorewall-users] Re: Masquerading failure due to 2.6test kernel strictness
On Wed, 2003-09-24 at 09:11, Duncan Sands wrote:

> Hi Tom, I didn't consider it a regression because it seems to be enforcing the
> documented behaviour. However I am happy to pester the netfilter team and
> will now do so.
>
> All the best,

Thanks Duncan. It might be worth pointing out that by taking this strict interpretation of the documented behavior, user chains in the nat table are rendered useless. If the SNAT, DNAT and MASQUERADE targets can only be placed in the appropriate netfilter-defined chains then there is no conceivable use for user-defined chains in that table.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
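Duncan's observation above (the identical rule succeeds with -A POSTROUTING and fails with -A ppp0_masq) and Tom's worry (that a strict reading of "only valid in the POSTROUTING chain" would leave user chains in the nat table with no purpose) both come down to what the kernel's target check actually looks at. My reading of ip_tables, which the thread itself does not establish, is that a target's checkentry routine never sees a chain name: it receives a hook mask, the set of built-in hooks from which the rule's chain can be reached by following -j jumps, and MASQUERADE refuses the rule only if that mask contains a hook other than POSTROUTING. Under that model a user chain jumped to only from POSTROUTING is as acceptable as POSTROUTING itself, and a chain nothing jumps to yet (as far as the trace shows, the state of ppp0_masq at the moment it fails) has an empty mask and passes too. The script below is an added example, not Shorewall or netfilter code: it replays the iptables commands from a debug trace into a small model of the nat table, computes that mask per chain, reports any NAT target placed where its mask is not allowed, and names the command that immediately precedes an "iptables: Invalid argument" line. The ALLOWED_HOOKS table, the three sample traces and the `-A POSTROUTING -o ppp0 -j ppp0_masq` jump are my assumptions and are not taken from the thread.

```python
"""Replay iptables commands from a Shorewall debug trace into a model of the
nat table and check NAT targets against the hooks their chain is reachable from.
Added example; the hook-mask model and ALLOWED_HOOKS are the author's assumptions."""
import re
import shlex

# Built-in chains of the nat table on the 2.4/2.6 kernels discussed in the thread.
NAT_BUILTIN = ("PREROUTING", "OUTPUT", "POSTROUTING")

# Hooks each NAT target accepts (assumption, after the iptables man page
# wording "only valid in the nat table, in the X chain").
ALLOWED_HOOKS = {
    "MASQUERADE": {"POSTROUTING"},
    "SNAT": {"POSTROUTING"},
    "DNAT": {"PREROUTING", "OUTPUT"},
    "REDIRECT": {"PREROUTING", "OUTPUT"},
}


def strip_markers(line):
    """Drop e-mail quote marks ('> ') and the 'set -x' depth markers ('+ ')."""
    line = re.sub(r"^[>\s]*", "", line)
    return re.sub(r"^\++\s*", "", line)


def parse_iptables(line):
    """Return (table, action, chain, target) for an 'iptables ...' trace line, else None."""
    try:
        argv = shlex.split(strip_markers(line))
    except ValueError:  # unbalanced quotes on a truncated trace line
        return None
    if not argv or argv[0] != "iptables":
        return None
    table, action, chain, target = "filter", None, None, None
    i = 1
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-t" and arg is not None:
            table, i = arg, i + 2
        elif opt in ("-N", "-A", "-I") and arg is not None:
            action, chain, i = opt, arg, i + 2
        elif opt == "-j" and arg is not None:
            target, i = arg, i + 2
        else:
            i += 1  # -s/-d/-o and other matches do not affect the check
    return table, action, chain, target


class NatTable:
    """Chains of the nat table; each chain is the ordered list of its rule targets."""

    def __init__(self):
        self.rules = {chain: [] for chain in NAT_BUILTIN}

    def apply(self, cmd):
        table, action, chain, target = cmd
        if table != "nat":
            return
        if action == "-N":
            self.rules.setdefault(chain, [])
        elif action in ("-A", "-I") and target is not None:
            self.rules.setdefault(chain, []).append(target)

    def hook_mask(self):
        """Set of built-in hooks from which each chain is reachable via -j jumps."""
        mask = {chain: set() for chain in self.rules}
        for hook in NAT_BUILTIN:
            stack, seen = [hook], set()
            while stack:
                chain = stack.pop()
                if chain in seen:
                    continue
                seen.add(chain)
                mask[chain].add(hook)
                for target in self.rules[chain]:
                    if target in self.rules and target not in NAT_BUILTIN:
                        stack.append(target)
        return mask

    def violations(self):
        """(chain, target, offending hooks) for each NAT target reachable from a hook it rejects."""
        mask, found = self.hook_mask(), []
        for chain, targets in self.rules.items():
            for target in targets:
                allowed = ALLOWED_HOOKS.get(target)
                if allowed is not None and mask[chain] - allowed:
                    found.append((chain, target, sorted(mask[chain] - allowed)))
        return found


def triage(trace_lines):
    """Replay a trace; return (violations, command just before the first 'iptables:' error)."""
    table, last_cmd, failing = NatTable(), None, None
    for line in trace_lines:
        if strip_markers(line).startswith("iptables:"):
            failing = failing or last_cmd
            continue
        cmd = parse_iptables(line)
        if cmd is not None:
            table.apply(cmd)  # applied even if the kernel rejected it, so it still gets checked
            last_cmd = cmd
    return table.violations(), failing


# Constructed sample traces, modelled on the thread.
TRACE_OK = [
    "+ iptables -t nat -N ppp0_masq",
    "+ iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE",
    "+ iptables -t nat -A POSTROUTING -o ppp0 -j ppp0_masq",  # jump assumed, not in the trace
]
TRACE_FAIL = [  # the commands the thread quotes, as they appear in a '>'-quoted reply
    "> + iptables -t nat -N ppp0_masq",
    "> + iptables -t nat -A ppp0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE",
    "> iptables: Invalid argument",
]
TRACE_SHARED = [  # constructed: one user chain reached from two hooks
    "+ iptables -t nat -N shared",
    "+ iptables -t nat -A shared -j MASQUERADE",
    "+ iptables -t nat -A PREROUTING -j shared",
    "+ iptables -t nat -A POSTROUTING -j shared",
]

if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("fail", TRACE_FAIL), ("shared", TRACE_SHARED)):
        print(name, triage(trace))
```

Feed it the `shorewall debug start` output (quoted or not) and it prints, per trace, the list of rules whose chain is reachable from a hook the target rejects, and the command that drew the error. For the commands the thread quotes it reports no violation, since ppp0_masq is reachable from nothing at that point, which is consistent with the thread's eventual conclusion that the "Invalid argument" came from a kernel/iptables mismatch rather than from the chain placement; the constructed `shared` chain shows what a real placement error looks like under this model.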
Tom Eastep
2003-Sep-24 11:58 UTC
[Shorewall-users] Re: Masquerading failure due to 2.6test kernel strictness
On Wed, 2003-09-24 at 03:47, Duncan Sands wrote:

> This behaviour has now been backported to 2.4: the latest 2.4.23-pre kernels exhibit it.
> I expect you will soon be enjoying much email about this :)

I just booted up 2.4.23-pre5 on my firewall and I'm not seeing the behavior that you are reporting. Which -pre release do you feel includes this brokenness?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-Feb-19 22:08 UTC
Re: Re: Masquerading failure due to 2.6test kernel strictness
On Wednesday 24 September 2003 06:50 am, Tom Eastep wrote:

> On Wed, 2003-09-24 at 03:47, Duncan Sands wrote:
> > This behaviour has now been backported to 2.4: the latest 2.4.23-pre
> > kernels exhibit it. I expect you will soon be enjoying much email about
> > this :)
>
> And I hope you are pestering the Netfilter team about this regression
> also.

Since this mail thread came up again recently, I thought I would add an addendum to give you the final solution. Duncan eventually found an incompatibility between his iptables and kernel that was producing this rather bizarre set of symptoms.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net