diff --git a/network/shorewall/README b/network/shorewall/README
new file mode 100644
index 0000000000..cd3f147bcb
--- /dev/null
+++ b/network/shorewall/README
@@ -0,0 +1,11 @@
+Shorewall (Iptables Made Easy)
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a
+Netfilter (iptables) based firewall that can be used on a dedicated
+firewall system, a multi-function gateway/router/server or on a
+standalone GNU/Linux system.
+
+This is the replacement for shorewall-common and shorewall-perl.
+Shorewall-shell support has been dropped from 4.4. If you are upgrading
+from versions 4.2 and below make sure you read the documentation, as a
+lot has changed.
diff --git a/network/shorewall/doinst.sh b/network/shorewall/doinst.sh
new file mode 100644
index 0000000000..c56e81cd2c
--- /dev/null
+++ b/network/shorewall/doinst.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# vim: et ts=2 sw=2
+
+config() {
+ NEW="$1"
+ OLD="${NEW%*.new}"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.firewall.new
+preserve_perms etc/rc.d/rc.shorewall.new
+
diff --git a/network/shorewall/patch-4.4.7.1 b/network/shorewall/patch-4.4.7.1
new file mode 100644
index 0000000000..966e83c3cf
--- /dev/null
+++ b/network/shorewall/patch-4.4.7.1
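Review bot: In `preserve_perms()` the result of `cat $NEW > ${NEW}.incoming` is never checked, so a failed copy (out of space, unreadable source) still reaches `mv ${NEW}.incoming $NEW` and replaces the shipped rc script with a truncated file; chaining the two steps, `cat $NEW > ${NEW}.incoming && mv ${NEW}.incoming $NEW`, keeps the packaged copy intact on failure. Both helpers leave every path expansion unquoted; the arguments used here are fixed, so that is only a style point today, but `"$NEW"`/`"$OLD"` quoting would make them safe to reuse for the `config` lines the build script appends to this file. The `cat $OLD | md5sum` comparison in `config()` can also be written as `md5sum < $OLD` on both sides.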
@@ -0,0 +1,167 @@
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
+--- shorewall-4.4.7/changelog.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/changelog.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,3 +1,7 @@
++Changes in Shorewall 4.4.7-1
++
++1) Don't apply rate limiting twice in NAT rules.
++
+ Changes in Shorewall 4.4.7
+ 
+ 1) Backport optimization changes from 4.5.
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
+--- shorewall-4.4.7/install.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/install.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -22,7 +22,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ #
+ 
+-VERSION=4.4.7
++VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
+--- shorewall-4.4.7/known_problems.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/known_problems.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1 +1,5 @@
+-There are no known problems in Shorewall 4.4.7.
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++ Corrected in 4.4.7.1
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
+--- shorewall-4.4.7/Perl/Shorewall/Config.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -337,7 +337,7 @@
+ TC_SCRIPT => '',
+ EXPORT => 0,
+ UNTRACKED => 0,
+- VERSION => "4.4.7",
++ VERSION => "4.4.7.1",
+ CAPVERSION => 40407 ,
+ );
+ 
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
+--- shorewall-4.4.7/Perl/Shorewall/Rules.pm 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm 2010-02-13 07:28:22.000000000 -0800
+@@ -1182,13 +1182,25 @@
+ #
+ # Generate Fixed part of the rule
+ #
+- $rule = join( '',
+- do_proto($proto, $ports, $sports),
+- do_ratelimit( $ratelimit, $basictarget ) ,
+- do_user( $user ) ,
+- do_test( $mark , $globals{TC_MASK} ) ,
+- do_connlimit( $connlimit ),
+- do_time( $time ) );
++ if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
++ #
++ # Don't apply rate limiting twice
++ #
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ } else {
++ $rule = join( '',
++ do_proto($proto, $ports, $sports),
++ do_ratelimit( $ratelimit, $basictarget ) ,
++ do_user( $user ) ,
++ do_test( $mark , $globals{TC_MASK} ) ,
++ do_connlimit( $connlimit ),
++ do_time( $time ) );
++ }
+ 
+ unless ( $section eq 'NEW' ) {
+ fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
+--- shorewall-4.4.7/releasenotes.txt 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/releasenotes.txt 2010-02-13 07:28:22.000000000 -0800
+@@ -1,4 +1,4 @@
+-Shorewall 4.4.7
++Shorewall 4.4.7 Patch Release 1.
+ 
+ ----------------------------------------------------------------------------
+ R E L E A S E 4 . 4 H I G H L I G H T S
+@@ -184,7 +184,15 @@
+ one from the release (not recommended).
+ 
+ ----------------------------------------------------------------------------
+- P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 1
++----------------------------------------------------------------------------
++
++1) All versions of Shorewall-perl mishandle per-IP rate limiting in
++ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
++ the values given in the rule.
++
++----------------------------------------------------------------------------
++ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
+ ----------------------------------------------------------------------------
+ 
+ 1) The tcinterfaces and tcpri files are now installed by the
+@@ -211,12 +219,19 @@
+ 
+ 5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
+ cause start/restart to fail on systems lacking 'flow' classifier
+- support. While we currently know of no safe way to test for that
+- support, in Shorewall 4.4.7 we use other hints to surmise that the
+- installed toolset is likely to be too old to support 'flow' and
+- simply ignore the TYPE setting. In particular, RHEL5 and
+- derivatives no lonter experience a startup failure when TYPE is
+- specified.
++ support. In Shorewall 4.4.7, we detect the ability of the 'tc'
++ utility to support that classifier.
++
++ There are two caveats:
++
++ - 'tc' may support 'flow' but the kernel does not. In that case,
++ start/restart will still fail.
++
++ - If you use a capabilities file, you will need to regenerate the
++ file using shorewall-lite 4.4.7 in order for 'flow' to be
++ accurately detected. If you do not regenerate the file, the
++ compiler will use other hints to try to determine if 'flow' is
++ available.
+ 
+ ----------------------------------------------------------------------------
+ K N O W N P R O B L E M S R E M A I N I N G
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
+--- shorewall-4.4.7/shorewall.spec 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/shorewall.spec 2010-02-13 07:28:22.000000000 -0800
+@@ -1,6 +1,6 @@
+ %define name shorewall
+ %define version 4.4.7
+-%define release 0base
++%define release 1
+ 
+ Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+ Name: %{name}
+@@ -107,6 +107,10 @@
+ %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+ 
+ %changelog
++* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-1
++* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
++- Updated to 4.4.7-0base
+ * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+ - Updated to 4.4.7-0base
+ * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
+--- shorewall-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
++++ shorewall-4.4.7.1/uninstall.sh 2010-02-13 07:28:22.000000000 -0800
+@@ -26,7 +26,7 @@
+ # You may only use this script to uninstall the version
+ # shown below. Simply run this script to remove Shorewall Firewall
+ 
+-VERSION=4.4.7
++VERSION=4.4.7.1
+ 
+ usage() # $1 = exit status
+ {
diff --git a/network/shorewall/shorewall.SlackBuild b/network/shorewall/shorewall.SlackBuild
new file mode 100644
index 0000000000..1c3434a847
--- /dev/null
+++ b/network/shorewall/shorewall.SlackBuild
@@ -0,0 +1,101 @@
+#!/bin/sh
+# vim: et ts=2 sw=2
+
+# Slackware build script for shorewall-common
+
+# Copyright (c) 2008-2009 Gregory J.L. Tourte (artourter@gmail.com)
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=shorewall
+VERSION=${VERSION:-4.4.7.1}
+ARCH=noarch
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+BASEVERS=4.4.7
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+set -e # Exit on most errors
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$BASEVERS
+tar xvf $CWD/$PRGNAM-$BASEVERS.tar.bz2
+cd $TMP/$PRGNAM-$BASEVERS
+chown -R root:root .
+
+# Patch the base against all the patchlevel patches in order if present
+if [ $(ls $CWD/patch-$BASEVERS.* 2>/dev/null | wc -l) -gt 0 ]; then
+ for PATCH in $CWD/patch-$BASEVERS.* ; do
+ patch -p1 < $PATCH
+ done
+fi
+
+PREFIX=$PKG \
+ OWNER='root' \
+ GROUP='root' \
+ DEST=/etc/rc.d \
+ MANDIR=/usr/man \
+ SLACKWARE=yes \
+ ./install.sh
+
+# Don't clobber config files
+( cd $PKG/etc/shorewall
+ for i in $(ls|grep -v Makefile) ; do
+ mv $i $i.new;
+ done
+)
+( cd $PKG/etc/rc.d/
+ mv rc.firewall rc.firewall.new
+ mv rc.shorewall rc.shorewall.new
+)
+
+mkdir -p $PKG/var/lock/subsys
+chmod 0755 $PKG/{etc,usr/share,var/lib}/shorewall $PKG/var/lock/subsys
+chmod 0644 $PKG/etc/shorewall/* $PKG/etc/rc.d/*
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+ COPYING INSTALL changelog.txt releasenotes.txt README.txt known_problems.txt Samples \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+for NEW in $PKG/etc/shorewall/*.new;
+do
+ echo $NEW | sed 's/.*etc/config etc/' >> $PKG/install/doinst.sh
+done
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
+
+# Clean up the extra stuff:
+if [ "$1" = "--cleanup" ]; then
+ rm -rf $TMP/$PRGNAM-$BASEVERS
+ rm -rf $PKG
+fi
diff --git a/network/shorewall/shorewall.info b/network/shorewall/shorewall.info
new file mode 100644
index 0000000000..5bf8425023
--- /dev/null
+++ b/network/shorewall/shorewall.info
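Review bot: The patch loop iterates `$CWD/patch-$BASEVERS.*` in glob order, which is lexical rather than numeric, so a future `patch-4.4.7.10` would be applied before `patch-4.4.7.2` even though the comment promises "in order"; only one patch level exists today, so this is latent, but `for PATCH in $(ls $CWD/patch-$BASEVERS.* 2>/dev/null | sort -V)` (or an explicit list of patch files) makes the ordering deterministic and also lets the `ls … | wc -l` guard go. Separately, `sed 's/.*etc/config etc/'` matches greedily up to the last `etc` in the path, so a `$TMP` value or a config file name containing `etc` would emit a wrong `config` line into doinst.sh; anchoring on the package root, `sed "s|^$PKG/|config |"`, is the exact transformation intended. Note too that the `ls|grep -v Makefile` rename loop would also rename any subdirectory under `$PKG/etc/shorewall` to `*.new`, which `config()` in doinst.sh cannot handle; a `[ -f "$i" ]` test before the `mv` keeps it to regular files.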
@@ -0,0 +1,12 @@
+PRGNAM="shorewall"
+VERSION="4.4.7.1"
+HOMEPAGE="http://www.shorewall.net"
+DOWNLOAD="http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.7/base/shorewall-4.4.7.tar.bz2 \
+ http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.7/patch-4.4.7.1"
+MD5SUM="bbf0ad51faae6c079485f171ce585844 \
+ d392606277e325a8bcb7fd04519700da"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="ArTourter"
+EMAIL="artourter@gmail.com"
+APPROVED="dsomero"
diff --git a/network/shorewall/slack-desc b/network/shorewall/slack-desc
new file mode 100644
index 0000000000..a670f8d892
--- /dev/null
+++ b/network/shorewall/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler---------------------------------------------|
+shorewall: Shorewall (Iptables Made Easy)
+shorewall:
+shorewall: The Shoreline Firewall, more commonly known as "Shorewall",
+shorewall: is a Netfilter (iptables) based firewall that can be used on
+shorewall: a dedicated firewall system, a multi-function gateway /
+shorewall: router / server, or on a standalone GNU/Linux system.
+shorewall: This package contains common files required by both the
+shorewall: shorewall-perl and shorewall-shell compilers for Shoreline.
+shorewall:
+shorewall: http://www.shorewall.net/
+shorewall: