From 8552753d9e3ab7662e618c54875e626a2b6926e9 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:08:12 -0800 Subject: remove deprecated blacklist the blacklist file was deprecated by upstream in 4.5.7, remove all references to them. Debian wheezy shipped with 4.5.5.3-3 (but could use a backport) and jessie has 4.6.4.3-2 currently. --- README.md | 2 +- files/boilerplate/blacklist.footer | 1 - files/boilerplate/blacklist.header | 10 ---------- files/boilerplate/started.header | 22 ++++++++++------------ manifests/blacklist.pp | 9 --------- manifests/blrules.pp | 4 ++-- manifests/host.pp | 2 +- manifests/init.pp | 5 ----- manifests/interface.pp | 2 +- 9 files changed, 15 insertions(+), 42 deletions(-) delete mode 100644 files/boilerplate/blacklist.footer delete mode 100644 files/boilerplate/blacklist.header delete mode 100644 manifests/blacklist.pp diff --git a/README.md b/README.md index e7e2985..82c0ab3 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,7 @@ Example from node.pp: shorewall::interface { 'eth0': zone => 'net', rfc1918 => true, - options => 'tcpflags,blacklist,nosmurfs'; + options => 'tcpflags,nosmurfs'; } shorewall::policy { diff --git a/files/boilerplate/blacklist.footer b/files/boilerplate/blacklist.footer deleted file mode 100644 index 5e12d1d..0000000 --- a/files/boilerplate/blacklist.footer +++ /dev/null @@ -1 +0,0 @@ -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/blacklist.header b/files/boilerplate/blacklist.header deleted file mode 100644 index 2392e17..0000000 --- a/files/boilerplate/blacklist.header +++ /dev/null @@ -1,10 +0,0 @@ -# -# Shorewall version 3.4 - Blacklist File -# -# For information about entries in this file, type "man shorewall-blacklist" -# -# Please see http://shorewall.net/blacklisting_support.htm for additional -# information. -# -############################################################################### -#ADDRESS/SUBNET PROTOCOL PORT diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header index b7704db..4adc4b9 100644 --- a/files/boilerplate/started.header +++ b/files/boilerplate/started.header @@ -1,20 +1,18 @@ # -# Shorewall version 4 - Started File +# Shorewall -- /etc/shorewall/started # -# /etc/shorewall/started +# Add commands below that you want to be executed after shorewall has +# been completely started, reloaded or restarted. The difference between +# this extension script and /etc/shorewall/start is that this one is +# invoked after the 'shorewall' chain has been created (thus +# signaling that the firewall is completely up). # -# Add commands below that you want to be executed after shorewall has -# been completely started or restarted. The difference between this -# extension script and /etc/shorewall/start is that this one is invoked -# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and -# after the 'shorewall' chain has been created (thus signaling that the -# firewall is completely up). -# -# This script should not change the firewall configuration directly but -# may do so indirectly by running /sbin/shorewall with the 'nolock' -# option. +# This script should not change the firewall configuration directly but +# may do so indirectly by running /sbin/shorewall with the 'nolock' +# option. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### + diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp deleted file mode 100644 index afbe216..0000000 --- a/manifests/blacklist.pp +++ /dev/null @@ -1,9 +0,0 @@ -define shorewall::blacklist( - $proto = '-', - $port = '-', - $order='100' -){ - shorewall::entry{"blacklist-${order}-${name}": - line => "${name} ${proto} ${port}", - } -} diff --git a/manifests/blrules.pp b/manifests/blrules.pp index b8fe73f..d6b5550 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -5,11 +5,11 @@ # shorewall::interface { 'br0': # zone => 'net', # rfc1918 => true, -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# options => 'tcpflags,nosmurfs,routeback,bridge'; # } # # class { 'shorewall::blrules': -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# options => 'tcpflags,nosmurfs,routeback,bridge', # whitelists => [ # "net:10.0.0.1,192.168.0.1 all", # ], diff --git a/manifests/host.pp b/manifests/host.pp index f400223..370be03 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,blacklist,norfc1918', + $options = 'tcpflags,norfc1918', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..5e2da52 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $blacklist = {}, - $blacklist_defaults = {}, $rfc1918 = {}, $rfc1918_defaults = {}, $routestopped = {}, @@ -76,8 +74,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - 'blacklist', # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped @@ -110,7 +106,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..b3d66c6 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -1,7 +1,7 @@ define shorewall::interface( $zone, $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', $rfc1918 = false, $dhcp = false, -- cgit v1.2.3 From 47f1ee74666fa00314546d01982461fa79d9da0a Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:24:59 -0800 Subject: remove deprecated norfc1918 option It was deprecated in 4.2.0 http://www.shorewall.net/upgrade_issues.htm --- files/boilerplate/params.header | 4 ++-- manifests/host.pp | 2 +- manifests/interface.pp | 8 +------- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header index b258b0d..c4dd504 100644 --- a/files/boilerplate/params.header +++ b/files/boilerplate/params.header @@ -13,7 +13,7 @@ # # NET_IF=eth0 # NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter,norfc1918 +# NET_OPTIONS=routefilter # # Example (/etc/shorewall/interfaces record): # @@ -21,6 +21,6 @@ # # The result will be the same as if the record had been written # -# net eth0 130.252.100.255 routefilter,norfc1918 +# net eth0 130.252.100.255 routefilter # ############################################################################### diff --git a/manifests/host.pp b/manifests/host.pp index 370be03..fe12247 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,norfc1918', + $options = 'tcpflags', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/interface.pp b/manifests/interface.pp index b3d66c6..670e477 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -3,7 +3,6 @@ define shorewall::interface( $broadcast = 'detect', $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', - $rfc1918 = false, $dhcp = false, $order = 100 ){ @@ -17,13 +16,8 @@ define shorewall::interface( default => ',dhcp', } - $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', - } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}", } } -- cgit v1.2.3 From 4b3f8eac5f343b5ecd2354d16e83256b8413e807 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:33:05 -0800 Subject: remove deprecated rfc1918 file this hasn't been supported since 3.x days --- README.md | 1 - manifests/blrules.pp | 1 - manifests/init.pp | 5 ----- manifests/rfc1918.pp | 8 -------- 4 files changed, 15 deletions(-) delete mode 100644 manifests/rfc1918.pp diff --git a/README.md b/README.md index 82c0ab3..e6fb027 100644 --- a/README.md +++ b/README.md @@ -186,7 +186,6 @@ Example from node.pp: shorewall::interface { 'eth0': zone => 'net', - rfc1918 => true, options => 'tcpflags,nosmurfs'; } diff --git a/manifests/blrules.pp b/manifests/blrules.pp index d6b5550..abf7508 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -4,7 +4,6 @@ # # shorewall::interface { 'br0': # zone => 'net', -# rfc1918 => true, # options => 'tcpflags,nosmurfs,routeback,bridge'; # } # diff --git a/manifests/init.pp b/manifests/init.pp index 5e2da52..fa2641d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $rfc1918 = {}, - $rfc1918_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, $params = {}, @@ -74,8 +72,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables @@ -106,7 +102,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp deleted file mode 100644 index 31dce5d..0000000 --- a/manifests/rfc1918.pp +++ /dev/null @@ -1,8 +0,0 @@ -define shorewall::rfc1918( - $action = 'logdrop', - $order='100' -){ - shorewall::entry{"rfc1918-${order}-${name}": - line => "${name} ${action}" - } -} -- cgit v1.2.3 From 9205eb4a039680b39c3802fd0f39e79eaf47a123 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Tue, 14 Feb 2017 09:48:23 +0000 Subject: Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already. --- manifests/base.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 6599759..dddfcaa 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,9 +1,7 @@ # base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }}) # This file has to be managed in place, so shorewall can find it file { -- cgit v1.2.3 From 70bba04533e2b01584775448a3d04a76e0a1c12c Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 14:25:11 -0800 Subject: new shorewall_version fact, switch shorewall_major_version to use it from https://0xacab.org/riseup-puppet-recipes/shorewall/commit/0cd2a305f7fd9ba830a1fa3de25428ffa71d39f7#note_92590 --- lib/facter/shorewall_major_version.rb | 3 ++- lib/facter/shorewall_version.rb | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 lib/facter/shorewall_version.rb diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index 0068b48..9b4c9a2 100644 --- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb @@ -1,5 +1,6 @@ Facter.add("shorewall_major_version") do + confine :shorewall_version => /\d/ setcode do - Facter::Util::Resolution.exec('shorewall version').split('.').first || nil + Facter.value(:shorewall_version).split('.').first end end diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb new file mode 100644 index 0000000..3c1cc67 --- /dev/null +++ b/lib/facter/shorewall_version.rb @@ -0,0 +1,3 @@ +Facter.add("shorewall_version") do + setcode 'shorewall version' +end -- cgit v1.2.3 From 725b5bdc4c3e278ed34aee408a54a5453a04a41b Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 15:06:16 -0800 Subject: add some notes about deprecated features --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index e6fb027..4cb1a8a 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,23 @@ module will not work: CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" +Warnings +-------- +There are some features that have been deprecated upstream that may still be +supported by this module on certain shorewall major version. Please note +the following: + +* the blacklist file and option is deprecated and replaced by blrules +* the rfc1918 file and norfc1918 option are deprecated +* the tcrules file is deprecated, replaced by mangled +* the routestopped file is deprecated and replaced by stoppedrules +* as of shorewall 4.6.0, SECTION headers need a leading '?' + +You should migrate your own calls to this module to move to the currently +supported methods, we will be dropping support for deprecated features as +the available distribution version permit it. +For more details see http://www.shorewall.net/upgrade_issues.htm + Documentation ------------- -- cgit v1.2.3 From eb4720e57cddbe1d26fde10429de5e413321a5d3 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 15:53:28 -0800 Subject: new stoppedrules, replaces routestopped --- files/boilerplate/stoppedrules.footer | 1 + files/boilerplate/stoppedrules.header | 13 +++++++++++++ manifests/init.pp | 6 ++++++ manifests/stoppedrules.pp | 13 +++++++++++++ 4 files changed, 33 insertions(+) create mode 100644 files/boilerplate/stoppedrules.footer create mode 100644 files/boilerplate/stoppedrules.header create mode 100644 manifests/stoppedrules.pp diff --git a/files/boilerplate/stoppedrules.footer b/files/boilerplate/stoppedrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/stoppedrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stoppedrules.header b/files/boilerplate/stoppedrules.header new file mode 100644 index 0000000..94f4d0c --- /dev/null +++ b/files/boilerplate/stoppedrules.header @@ -0,0 +1,13 @@ +# +# Shorewall -- /etc/shorewall/stoppedrules +# +# For information about entries in this file, type "man shorewall-stoppedrules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-stoppedrules.html +# +# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT diff --git a/manifests/init.pp b/manifests/init.pp index fa2641d..7dc7855 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -29,6 +29,8 @@ class shorewall( $nat_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, + $stoppedrules = {}, + $stoppedrules_defaults = {}, $params = {}, $params_defaults = {}, $tcdevices = {}, @@ -72,6 +74,8 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', + # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html + 'stoppedrules', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables @@ -102,6 +106,8 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::stoppedrules',$stoppedrules, + $stoppedrules_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp new file mode 100644 index 0000000..2dff218 --- /dev/null +++ b/manifests/stoppedrules.pp @@ -0,0 +1,13 @@ +define shorewall::stoppedrules( + $action = 'ACCEPT', + $source = '-', + $destination = '-', + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $order = '100' +){ + shorewall::entry{"stoppedrules-${order}-${name}": + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}" + } +} -- cgit v1.2.3 From 30c6790b2ee38fc225f41a74a7380a0d7ea0a5fb Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 16:43:25 -0800 Subject: update URLs to new working upstream locations --- manifests/init.pp | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7dc7855..51f7c4d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -58,39 +58,39 @@ class shorewall( shorewall::managed_file{ [ - # See http://www.shorewall.net/3.0/Documentation.htm#Zones + # See http://www.shorewall.net/manpages/shorewall-zones.html 'zones', - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + # See http://www.shorewall.net/manpages/shorewall-interfaces.html 'interfaces', - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + # See http://www.shorewall.net/manpages/shorewall-hosts.html 'hosts', - # See http://www.shorewall.net/3.0/Documentation.htm#Policy + # See http://www.shorewall.net/manpages/shorewall-policy.html 'policy', - # See http://www.shorewall.net/3.0/Documentation.htm#Rules + # See http://www.shorewall.net/manpages/shorewall-rules.html 'rules', - # See http://www.shorewall.net/3.0/Documentation.htm#Masq + # See http://www.shorewall.net/manpages/shorewall-masq.html 'masq', - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + # See http://www.shorewall.net/manpages/shorewall-proxyarp.html 'proxyarp', - # See http://www.shorewall.net/3.0/Documentation.htm#NAT + # See http://www.shorewall.net/manpages/shorewall-nat.html 'nat', # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html 'stoppedrules', - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html 'routestopped', - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/manpages/shorewall-params.html 'params', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcdevices.html 'tcdevices', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle 'tcrules', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcclasses.html 'tcclasses', - # http://www.shorewall.net/manpages/shorewall-providers.html + # See http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html 'tunnel', - # See http://www.shorewall.net/MultiISP.html + # See http://www.shorewall.net/manpages/shorewall-rtrules.html 'rtrules', # See http://www.shorewall.net/manpages/shorewall-mangle.html 'mangle', -- cgit v1.2.3 From b131814ed976c2034521a460b6790f78703d8f2f Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 17:30:28 -0800 Subject: update config file headers to current upstream versions --- files/boilerplate/clear.header | 9 +++------ files/boilerplate/hosts.header | 7 ++++--- files/boilerplate/init.header | 9 +++------ files/boilerplate/initdone.header | 12 +++++------- files/boilerplate/interfaces.header | 8 +++++--- files/boilerplate/mangle.header | 15 +++++++++++---- files/boilerplate/masq.header | 9 +++++---- files/boilerplate/nat.header | 4 ++-- files/boilerplate/params.header | 28 +++++++++++++--------------- files/boilerplate/policy.header | 5 ++--- files/boilerplate/providers.header | 2 +- files/boilerplate/proxyarp.header | 4 ++-- files/boilerplate/rtrules.header | 5 +++-- files/boilerplate/rules.header | 11 ++++++----- files/boilerplate/start.header | 8 +++----- files/boilerplate/stop.header | 9 +++------ files/boilerplate/stopped.header | 9 +++------ files/boilerplate/tcclasses.header | 4 ++-- files/boilerplate/tcdevices.header | 5 ++--- files/boilerplate/tunnel.header | 5 ++--- files/boilerplate/zones.header | 8 ++++---- 21 files changed, 84 insertions(+), 92 deletions(-) diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header index 6a39b0b..8bf025c 100644 --- a/files/boilerplate/clear.header +++ b/files/boilerplate/clear.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Clear +# Shorewall -- /etc/shorewall/clear # -# /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# "shorewall stop" command. +# Add commands below that you want to be executed after Shorewall has +# processed the 'clear' command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/hosts.header b/files/boilerplate/hosts.header index e39d614..99bfa02 100644 --- a/files/boilerplate/hosts.header +++ b/files/boilerplate/hosts.header @@ -1,9 +1,10 @@ # -# Shorewall version 3.4 - Hosts file +# Shorewall -- /etc/shorewall/hosts # # For information about entries in this file, type "man shorewall-hosts" # -# For additional information, see http://shorewall.net/Documentation.htm#Hosts +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-hosts.html # ############################################################################### -#ZONE HOST(S) OPTIONS +#ZONE HOSTS OPTIONS diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header index cbb0393..417c3f2 100644 --- a/files/boilerplate/init.header +++ b/files/boilerplate/init.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Init File +# Shorewall -- /etc/shorewall/init # -# /etc/shorewall/init -# -# Add commands below that you want to be executed at the beginning of -# a "shorewall start" or "shorewall restart" command. +# Add commands below that you want to be executed at the beginning of +# a "shorewall start", "shorewall-reload" or "shorewall restart" command. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm # ############################################################################### - diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header index 9252a3b..5ad859a 100644 --- a/files/boilerplate/initdone.header +++ b/files/boilerplate/initdone.header @@ -1,14 +1,12 @@ # -# Shorewall version 4 - Initdone File +# Shorewall -- /etc/shorewall/initdone # -# /etc/shorewall/initdone -# -# Add commands below that you want to be executed during -# "shorewall start" or "shorewall restart" commands at the point where -# Shorewall has not yet added any perminent rules to the builtin chains. +# Add commands below that you want to be executed during +# "shorewall start", "shorewall reload" or "shorewall restart" commands +# at the point where Shorewall has not yet added any permanent rules to +# the builtin chains. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm # ############################################################################### - diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header index 663e436..12855c7 100644 --- a/files/boilerplate/interfaces.header +++ b/files/boilerplate/interfaces.header @@ -1,10 +1,12 @@ # -# Shorewall version 4 - Interfaces File +# Shorewall -- /etc/shorewall/interfaces # # For information about entries in this file, type "man shorewall-interfaces" # -# For additional information, see +# The manpage is also online at # http://www.shorewall.net/manpages/shorewall-interfaces.html # +# FIXME: need to switch to format 2 +#?FORMAT 2 ############################################################################### -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE OPTIONS diff --git a/files/boilerplate/mangle.header b/files/boilerplate/mangle.header index 7a7b12a..496e3f5 100644 --- a/files/boilerplate/mangle.header +++ b/files/boilerplate/mangle.header @@ -1,7 +1,14 @@ # -# Shorewall - Mangle File +# Shorewall -- /etc/shorewall/mangle # -# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html +# For information about entries in this file, type "man shorewall-mangle" # -####################################################################################### -#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +# +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH diff --git a/files/boilerplate/masq.header b/files/boilerplate/masq.header index f823321..2f7c22e 100644 --- a/files/boilerplate/masq.header +++ b/files/boilerplate/masq.header @@ -1,9 +1,10 @@ # -# Shorewall version 3.4 - Masq file +# Shorewall -- /etc/shorewall/masq # # For information about entries in this file, type "man shorewall-masq" # -# For additional information, see http://shorewall.net/Documentation.htm#Masq +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-masq.html # -############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK +################################################################################################################################### +#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY diff --git a/files/boilerplate/nat.header b/files/boilerplate/nat.header index c2e0d92..5d0871f 100644 --- a/files/boilerplate/nat.header +++ b/files/boilerplate/nat.header @@ -1,9 +1,9 @@ # -# Shorewall version 3.4 - Nat File +# Shorewall -- /etc/shorewall/nat # # For information about entries in this file, type "man shorewall-nat" # # For additional information, see http://shorewall.net/NAT.htm # ############################################################################### -#EXTERNAL INTERFACE INTERNAL ALL LOCAL +#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header index c4dd504..f07a916 100644 --- a/files/boilerplate/params.header +++ b/files/boilerplate/params.header @@ -1,26 +1,24 @@ # -# Shorewall version 3.4 - Params File +# Shorewall -- /etc/shorewall/params # -# /etc/shorewall/params +# Assign any variables that you need here. # -# Assign any variables that you need here. +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall programs # -# It is suggested that variable names begin with an upper case letter -# to distinguish them from variables used internally within the -# Shorewall programs +# Example: # -# Example: +# NET_IF=eth0 +# NET_BCAST=130.252.100.255 +# NET_OPTIONS=routefilter # -# NET_IF=eth0 -# NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter +# Example (/etc/shorewall/interfaces record): # -# Example (/etc/shorewall/interfaces record): +# net $NET_IF $NET_BCAST $NET_OPTIONS # -# net $NET_IF $NET_BCAST $NET_OPTIONS +# The result will be the same as if the record had been written # -# The result will be the same as if the record had been written -# -# net eth0 130.252.100.255 routefilter +# net eth0 130.252.100.255 routefilter # ############################################################################### diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header index cc9781f..8e9d032 100644 --- a/files/boilerplate/policy.header +++ b/files/boilerplate/policy.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Policy File +# Shorewall -- /etc/shorewall/policy # # For information about entries in this file, type "man shorewall-policy" # @@ -7,5 +7,4 @@ # http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### -#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: -# LEVEL BURST MASK +#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header index b4a5990..0dfb950 100644 --- a/files/boilerplate/providers.header +++ b/files/boilerplate/providers.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Providers File +# Shorewall -- /etc/shorewall/providers # # For information about entries in this file, type "man shorewall-providers" # diff --git a/files/boilerplate/proxyarp.header b/files/boilerplate/proxyarp.header index 1e16853..4249e03 100644 --- a/files/boilerplate/proxyarp.header +++ b/files/boilerplate/proxyarp.header @@ -1,9 +1,9 @@ # -# Shorewall version 3.4 - Proxyarp File +# Shorewall -- /etc/shorewall/proxyarp # # For information about entries in this file, type "man shorewall-proxyarp" # # See http://shorewall.net/ProxyARP.htm for additional information. # ############################################################################### -#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT +#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header index fd9b2f4..7700816 100644 --- a/files/boilerplate/rtrules.header +++ b/files/boilerplate/rtrules.header @@ -1,8 +1,9 @@ # -# Shorewall version 4 - route rules File +# Shorewall -- /etc/shorewall/rtrules # # For information about entries in this file, type "man shorewall-rtrules" # # For additional information, see http://www.shorewall.net/MultiISP.html +# #################################################################################### -# SOURCE DEST PROVIDER PRIORITY MASK +#SOURCE DEST PROVIDER PRIORITY MASK diff --git a/files/boilerplate/rules.header b/files/boilerplate/rules.header index 764358a..1ebf187 100644 --- a/files/boilerplate/rules.header +++ b/files/boilerplate/rules.header @@ -1,10 +1,11 @@ # -# Shorewall version 3.4 - Rules File +# Shorewall -- /etc/shorewall/rules # # For information on the settings in this file, type "man shorewall-rules" # -# See http://shorewall.net/Documentation.htm#Rules for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-rules.html # -############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT PORT(S) DEST LIMIT GROUP +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header index 689dff1..881cdfd 100644 --- a/files/boilerplate/start.header +++ b/files/boilerplate/start.header @@ -1,10 +1,8 @@ # -# Shorewall version 4 - Start File +# Shorewall -- /etc/shorewall/start # -# /etc/shorewall/start -# -# Add commands below that you want to be executed after shorewall has -# been started or restarted. +# Add commands below that you want to be executed after shorewall has +# been started, reloaded or restarted. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header index 0088abe..27a993b 100644 --- a/files/boilerplate/stop.header +++ b/files/boilerplate/stop.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Stop File +# Shorewall -- /etc/shorewall/stop # -# /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# "shorewall stop" command. +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header index 438e5e0..8cc6bc6 100644 --- a/files/boilerplate/stopped.header +++ b/files/boilerplate/stopped.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Stopped File +# Shorewall -- /etc/shorewall/stopped # -# /etc/shorewall/stopped -# -# Add commands below that you want to be executed at the completion of a -# "shorewall stop" command. +# Add commands below that you want to be executed at the completion of a +# "shorewall stop" command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header index 025415b..b31b684 100644 --- a/files/boilerplate/tcclasses.header +++ b/files/boilerplate/tcclasses.header @@ -1,9 +1,9 @@ # -# Shorewall version 4 - Tcclasses File +# Shorewall -- /etc/shorewall/tcclasses # # For information about entries in this file, type "man shorewall-tcclasses" # # See http://shorewall.net/traffic_shaping.htm for additional information. # ############################################################################### -#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS +#INTERFACE MARK RATE CEIL PRIO OPTIONS diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header index fe7c3d1..226192e 100644 --- a/files/boilerplate/tcdevices.header +++ b/files/boilerplate/tcdevices.header @@ -1,10 +1,9 @@ # -# Shorewall version 4 - Tcdevices File +# Shorewall -- /etc/shorewall/tcdevices # # For information about entries in this file, type "man shorewall-tcdevices" # # See http://shorewall.net/traffic_shaping.htm for additional information. # ############################################################################### -#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED -#INTERFACE INTERFACES +#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header index 638fd56..7bfd966 100644 --- a/files/boilerplate/tunnel.header +++ b/files/boilerplate/tunnel.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Tunnels File +# Shorewall -- /etc/shorewall/tunnels # # For information about entries in this file, type "man shorewall-tunnels" # @@ -7,5 +7,4 @@ # http://www.shorewall.net/manpages/shorewall-tunnels.html # ############################################################################### -#TYPE ZONE GATEWAY GATEWAY -# ZONE +#TYPE ZONE GATEWAY GATEWAY_ZONE diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header index 5dada52..d4b8cbc 100644 --- a/files/boilerplate/zones.header +++ b/files/boilerplate/zones.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Zones File +# Shorewall -- /etc/shorewall/zones # # For information about this file, type "man shorewall-zones" # @@ -7,6 +7,6 @@ # http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -fw firewall +#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS + +fw firewall -- cgit v1.2.3