[Shorewall-users] All interfaces

Jeffrey Karrels jkarrels.ctr at san.osd.mil
Mon Mar 22 14:33:47 PST 2004


I did a fresh recompile of both the kernel and iptables-1.2.9, then
installed Shorewall 2.0.0a from source.  There is still something that I am
missing!  The H323 patch I am installing is from patch-o-matic, and that is
the only thing I apply from patch-o-matic.  Could there be something else
from pom that I am not patching but should be?

-j

-----Original Message-----
From: shorewall-users-bounces at lists.shorewall.net
[mailto:shorewall-users-bounces at lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, March 22, 2004 11:55 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] All interfaces

Jeffrey J. Karrels wrote:
> Hello,
> 
> I was recompiling my kernel to add support for H323.  This caused problems
> with NAT.  I have tracked it down to the "all interfaces" column in the nat
> file.  When I have ALL INTERFACES set to "Yes", Shorewall will not start due
> to an invalid argument in iptables.  I am running Shorewall 2.0.0a.  Anyone
> have any thoughts?  Did I miss something in the kernel when compiling?
> 

Trace?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net


+ shift
+ nolock=
+ '[' 1 -gt 1 ']'
+ trap 'my_mutex_off; exit 2' 1 2 3 4 5 6 9
+ COMMAND=start
+ '[' 1 -ne 1 ']'
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=Yes
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ LOGLIMIT=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ NEWNOTSYN=
+ LOGNEWNOTSYN=
+ FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_DISPOSITION=
+ TCP_FLAGS_LOG_LEVEL=
+ RFC1918_LOG_LEVEL=
+ MARK_IN_FORWARD_CHAIN=
+ SHARED_DIR=/usr/share/shorewall
+ FUNCTIONS=
+ VERSION_FILE=
+ LOGFORMAT=
+ LOGRULENUMBERS=
+ ADMINISABSENTMINDED=
+ BLACKLISTNEWONLY=
+ MODULE_SUFFIX=
+ ACTIONS=
+ USEDACTIONS=
+ SMURF_LOG_LEVEL=
+ DISABLE_IPV6=
+ stopping=
+ have_mutex=
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add=
+ TMP_DIR=/tmp/shorewall-13463
+ rm -rf /tmp/shorewall-13463
+ mkdir -p /tmp/shorewall-13463
+ chmod 700 /tmp/shorewall-13463
+ trap 'rm -rf /tmp/shorewall-13463; my_mutex_off; exit 2' 1 2 3 4 5 6 9
+ FUNCTIONS=/usr/share/shorewall/functions
+ '[' -f /usr/share/shorewall/functions ']'
+ echo 'Loading /usr/share/shorewall/functions...'
+ . /usr/share/shorewall/functions
++ LEFTSHIFT=<<
+ VERSION_FILE=/usr/share/shorewall/version
+ '[' -f /usr/share/shorewall/version ']'
++ cat /usr/share/shorewall/version
+ version=2.0.0a
+ run_user_exit params
++ find_file params
++ '[' -n '' -a -f /params ']'
++ '[' -f /etc/shorewall/params ']'
++ echo /etc/shorewall/params
+ local user_exit=/etc/shorewall/params
+ '[' -f /etc/shorewall/params ']'
+ echo 'Processing /etc/shorewall/params ...'
+ . /etc/shorewall/params
++ find_file shorewall.conf
++ '[' -n '' -a -f /shorewall.conf ']'
++ '[' -f /etc/shorewall/shorewall.conf ']'
++ echo /etc/shorewall/shorewall.conf
+ config=/etc/shorewall/shorewall.conf
+ '[' -f /etc/shorewall/shorewall.conf ']'
+ echo 'Processing /etc/shorewall/shorewall.conf...'
+ . /etc/shorewall/shorewall.conf
++ LOGFILE=/var/log/messages
++ LOGFORMAT=Shorewall:%s:%s:
++ LOGRATE=
++ LOGBURST=
++ BLACKLIST_LOGLEVEL=
++ LOGNEWNOTSYN=info
++ MACLIST_LOG_LEVEL=info
++ TCP_FLAGS_LOG_LEVEL=info
++ RFC1918_LOG_LEVEL=info
++ SMURF_LOG_LEVEL=info
++ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
++ SHOREWALL_SHELL=/bin/sh
++ SUBSYSLOCK=/var/lock/subsys/shorewall
++ STATEDIR=/var/lib/shorewall
++ MODULESDIR=
++ FW=fw
++ IP_FORWARDING=On
++ ADD_IP_ALIASES=Yes
++ ADD_SNAT_ALIASES=No
++ TC_ENABLED=No
++ CLEAR_TC=Yes
++ MARK_IN_FORWARD_CHAIN=No
++ CLAMPMSS=No
++ ROUTE_FILTER=No
++ DETECT_DNAT_IPADDRS=No
++ MUTEX_TIMEOUT=60
++ NEWNOTSYN=Yes
++ ADMINISABSENTMINDED=Yes
++ BLACKLISTNEWONLY=Yes
++ MODULE_SUFFIX=
++ DISABLE_IPV6=no
++ BLACKLIST_DISPOSITION=DROP
++ MACLIST_DISPOSITION=REJECT
++ TCP_FLAGS_DISPOSITION=DROP
+ determine_capabilities
+ qt iptables -t nat -L -n
+ iptables -t nat -L -n
+ NAT_ENABLED=Yes
+ qt iptables -t mangle -L -n
+ iptables -t mangle -L -n
+ MANGLE_ENABLED=Yes
+ CONNTRACK_MATCH=
+ MULTIPORT=
+ qt iptables -N fooX1234
+ iptables -N fooX1234
+ qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ CONNTRACK_MATCH=Yes
+ qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ MULTIPORT=Yes
+ qt iptables -F fooX1234
+ iptables -F fooX1234
+ qt iptables -X fooX1234
+ iptables -X fooX1234
+ '[' -z /var/lib/shorewall ']'
+ '[' -d /var/lib/shorewall ']'
+ '[' -z fw ']'
++ added_param_value_yes ALLOWRELATED Yes
++ local val=Yes
++ '[' -z Yes ']'
++ echo Yes
+ ALLOWRELATED=Yes
+ '[' -n Yes ']'
++ added_param_value_yes ADD_IP_ALIASES Yes
++ local val=Yes
++ '[' -z Yes ']'
++ echo Yes
+ ADD_IP_ALIASES=Yes
++ added_param_value_yes TC_ENABLED No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ TC_ENABLED=
+ '[' -n '' ']'
+ '[' -n On ']'
+ '[' -n '' -a -z Yes ']'
+ '[' -z DROP ']'
++ added_param_value_no CLAMPMSS No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ CLAMPMSS=
++ added_param_value_no ADD_SNAT_ALIASES No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ ADD_SNAT_ALIASES=
++ added_param_value_no ROUTE_FILTER No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ ROUTE_FILTER=
++ added_param_value_no DETECT_DNAT_IPADDRS No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ DETECT_DNAT_IPADDRS=
++ added_param_value_no FORWARDPING
++ local val=
++ '[' -z '' ']'
++ echo ''
+ FORWARDPING=
+ '[' -n '' ']'
++ added_param_value_yes NEWNOTSYN Yes
++ local val=Yes
++ '[' -z Yes ']'
++ echo Yes
+ NEWNOTSYN=Yes
+ maclist_target=reject
+ '[' -n REJECT ']'
+ '[' -n DROP ']'
+ '[' -z info ']'
++ added_param_value_no MARK_IN_FORWARD_CHAIN No
++ local val=No
++ '[' -z No ']'
++ echo ''
+ MARK_IN_FORWARD_CHAIN=
+ '[' -n '' ']'
+ marking_chain=tcpre
+ '[' -n '' ']'
+ CLEAR_TC=
+ '[' -n Shorewall:%s:%s: ']'
++ echo Shorewall:%s:%s:
++ grep %d
+ '[' -n '' ']'
++ printf Shorewall:%s:%s: fooxx barxx
+ temp=Shorewall:fooxx:barxx:
+ '[' 0 -ne 0 ']'
+ '[' 22 -gt 29 ']'
++ added_param_value_no ADMINISABSENTMINDED Yes
++ local val=Yes
++ '[' -z Yes ']'
++ echo Yes
+ ADMINISABSENTMINDED=Yes
++ added_param_value_no BLACKLISTNEWONLY Yes
++ local val=Yes
++ '[' -z Yes ']'
++ echo Yes
+ BLACKLISTNEWONLY=Yes
++ added_param_value_no DISABLE_IPV6 no
++ local val=no
++ '[' -z no ']'
++ echo ''
+ DISABLE_IPV6=
+ '[' -n '' ']'
+ MODULE_SUFFIX=o gz ko o.gz
+ strip_file interfaces
+ local fname
+ '[' 1 = 1 ']'
++ find_file interfaces
++ '[' -n '' -a -f /interfaces ']'
++ '[' -f /etc/shorewall/interfaces ']'
++ echo /etc/shorewall/interfaces
+ fname=/etc/shorewall/interfaces
+ '[' -f /etc/shorewall/interfaces ']'
+ read_file /etc/shorewall/interfaces 0
+ local first rest
+ '[' -f /etc/shorewall/interfaces ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 -- Interfaces File'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/interfaces'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# You must add an entry in this file for each network interface on your'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# firewall system.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ZONE		Zone for this interface. Must match the short name'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# of a zone defined in /etc/shorewall/zones.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If the interface serves multiple zones that will be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# defined in the /etc/shorewall/hosts file, you should'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# place "-" in this column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERFACE	Name of interface. Each interface may be listed only'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# once in this file. You may NOT specify the name of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# an alias (e.g., eth0:0) here; see'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# http://www.shorewall.net/FAQ.htm#faq18'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# You may specify wildcards here. For example, if you'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# want to make an entry that applies to all PPP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interfaces, use '\''ppp+'\''.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# There is no need to define the loopback	interface (lo)'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in this file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# BROADCAST	The broadcast address for the subnetwork to which the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface belongs. For P-T-P interfaces, this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# column is left black.If the interface has multiple'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# addresses on multiple subnets then list the broadcast'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# addresses as a comma-separated list.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If you use the special value "detect", the firewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# will detect the broadcast address for you. If you'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# select this option, the interface must be up before'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ cut -d# -f1
+ echo '# the firewall is started, you must have iproute'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# installed.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If you don'\''t want to give a value for this column but'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# you want to enter a value in the OPTIONS column, enter'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "-" in this column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# OPTIONS		A comma-separated list of options including the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# following:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# dhcp	     - interface is managed by DHCP or used by'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a DHCP server running on the firewall or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# you have a static IP but are on a LAN'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# segment with lots of Laptop DHCP clients.'
+ grep -v '^[[:space:]]*$'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# norfc1918    - This interface should not receive'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# any packets whose source is in one'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# of the ranges reserved by RFC 1918'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (i.e., private or "non-routable"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# addresses. If packet mangling is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# enabled in shorewall.conf, packets'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# whose destination addresses are'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# reserved by RFC 1918 are also rejected.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# routefilter  - turn on kernel route filtering for this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface (anti-spoofing measure). This'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# option can also be enabled globally in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the /etc/shorewall/shorewall.conf file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# .	.	blacklist    - Check packets arriving on this interface'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# against the /etc/shorewall/blacklist'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# maclist	     - Connection requests from this interface'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# are compared against the contents of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/maclist. If this option'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# is specified, the interface must be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# an ethernet NIC and must be up before'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall is started.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# tcpflags     - Packets arriving on this interface are'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# checked for certain illegal combinations'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# of TCP flags. Packets found to have'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# such a combination of flags are handled'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# according to the setting of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# TCP_FLAGS_DISPOSITION after having been'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# logged according to the setting of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# TCP_FLAGS_LOG_LEVEL.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# proxyarp     -'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Sets'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Do NOT use this option if you are'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# employing Proxy ARP through entries in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/proxyarp. This option is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# intended soley for use with Proxy ARP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# sub-networking as described at:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# newnotsyn    - TCP packets that don'\''t have the SYN'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# flag set and which are not part of an'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# established connection will be accepted'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# from this interface, even if'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# NEWNOTSYN=No has been specified in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/shorewall.conf.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This option has no effect if'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# NEWNOTSYN=Yes.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# routeback    - If specified, indicates that Shorewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# should include rules that allow filtering'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# traffic arriving on this interface back'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# out that same interface.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# arp_filter   - If specified, this interface will only'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# respond to ARP who-has requests for IP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# addresses configured on the interface.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If not specified, the interface can'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# respond to ARP who-has requests for'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# IP addresses on any of the firewall'\''s'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface. The interface must be up'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# when Shorewall is started.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# nosmurfs     - Filter packets for smurfs'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (packets with a broadcast'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address as the source).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Smurfs will be optionally logged based'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# on the setting of SMURF_LOG_LEVEL in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# shorewall.conf. After logging, the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# packets are dropped.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# detectnets   - Automatically taylors the zone named'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in the ZONE column to include only those'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# hosts routed through the interface.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# WARNING: DO NOT SET THE detectnets OPTION ON YOUR'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERNET INTERFACE!'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The order in which you list the options is not'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# significant but the list should have no embedded white'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# space.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example 1:	Suppose you have eth0 connected to a DSL modem and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# eth1 connected to your local network and that your'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# local subnet is 192.168.1.0/24. The interface gets'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# it'\''s IP address via DHCP from subnet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 206.191.149.192/27. You have a DMZ with subnet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 192.168.2.0/24 using eth2.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Your entries for this setup would look like:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# net	eth0	206.191.149.223	dhcp'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# local	eth1	192.168.1.255'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# dmz	eth2	192.168.2.255'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example 2:	The same configuration without specifying broadcast'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# addresses is:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# net	eth0	detect		dhcp'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# loc	eth1	detect'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# dmz	eth2	detect'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example 3:	You have a simple dial-in system with no ethernet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# connections.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# net	ppp0	-'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x#ZONE = xINCLUDE ']'
+ echo '#ZONE INTERFACE	BROADCAST	OPTIONS'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' xnet = xINCLUDE ']'
+ echo 'net eth1		129.246.226.255'
+ read first rest
+ '[' xloc = xINCLUDE ']'
+ echo 'loc eth0		192.168.0.255'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ strip_file hosts
+ local fname
+ '[' 1 = 1 ']'
++ find_file hosts
++ '[' -n '' -a -f /hosts ']'
++ '[' -f /etc/shorewall/hosts ']'
++ echo /etc/shorewall/hosts
+ fname=/etc/shorewall/hosts
+ '[' -f /etc/shorewall/hosts ']'
+ read_file /etc/shorewall/hosts 0
+ local first rest
+ '[' -f /etc/shorewall/hosts ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 - /etc/shorewall/hosts'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# IF YOU DON'\''T HAVE THAT SITUATION THEN DON'\''T TOUCH THIS FILE.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This file is used to define zones in terms of subnets and/or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# individual IP addresses. Most simple setups don'\''t need to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (should not) place anything in this file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ZONE	- The name of a zone defined in /etc/shorewall/zones'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# HOST(S)	- The name of an interface followed by a colon (":") and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a comma-separated list whose elements are either:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a) The IP address of a host'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# b) A subnetwork in the form'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <subnet-address>/<mask width>'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The interface must be defined in the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/interfaces file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Examples:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# eth1:192.168.1.3'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# eth2:192.168.2.0/24'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# eth3:192.168.2.0/24,192.168.3.1'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# OPTIONS - A comma-separated list of options. Currently-defined'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# options are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# maclist	     - Connection requests from these hosts'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# are compared against the contents of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/maclist. If this option'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# is specified, the interface must be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# an ethernet NIC and must be up before'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall is started.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# routeback    - Shorewall show set up the infrastructure'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to pass packets from this/these'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address(es) back to themselves. This is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# necessary of hosts in this group use the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# services of a transparent proxy that is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a member of the group or if DNAT is used'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to send requests originating from this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# group to a server in the group.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x#ZONE = xINCLUDE ']'
+ echo '#ZONE HOST(S)				OPTIONS'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ '[' -n /bin/sh ']'
++ decodeaddr 192.168.1.1
++ local x
++ local temp=0
++ local 'ifs= 	
'
++ IFS=.
++ temp=192
++ temp=49320
++ temp=12625921
++ temp=3232235777
++ echo 3232235777
++ IFS= 	

+ temp=3232235777
++ encodeaddr 3232235777
++ addr=3232235777
++ local x
++ local y=1
++ addr=12625921
++ y=1.1
++ addr=49320
++ y=168.1.1
++ addr=192
++ y=192.168.1.1
++ echo 192.168.1.1
+ '[' 192.168.1.1 '!=' 192.168.1.1 ']'
+ my_mutex_on
+ '[' -n '' ']'
+ mutex_on
+ local try=0
+ local lockf=/var/lib/shorewall/lock
+ MUTEX_TIMEOUT=60
+ '[' 60 -gt 0 ']'
+ '[' -d /var/lib/shorewall ']'
+ qt which lockfile
+ which lockfile
+ lockfile -60 -r1 /var/lib/shorewall/lock
+ have_mutex=Yes
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ define_firewall Start
+ check_disabled_startup
+ '[' -f /etc/shorewall/startup_disabled ']'
+ echo 'Starting Shorewall...'
+ verify_os_version
++ uname -r
+ osversion=2.4.20-30.9jKarrels
++ lsmod
++ grep '^ipchains'
+ '[' start = start -a -n '' ']'
+ verify_ip
+ qt ip link ls
+ ip link ls
+ load_kernel_modules
+ '[' -z '' ']'
+ MODULESDIR=/lib/modules/2.4.20-30.9jKarrels/kernel/net/ipv4/netfilter
++ find_file modules
++ '[' -n '' -a -f /modules ']'
++ '[' -f /etc/shorewall/modules ']'
++ echo /etc/shorewall/modules
+ modules=/etc/shorewall/modules
+ '[' -f /etc/shorewall/modules -a -d /lib/modules/2.4.20-30.9jKarrels/kernel/net/ipv4/netfilter ']'
+ echo 'Loading Modules...'
+ . /etc/shorewall/modules
++ loadmodule ip_tables
++ local modulename=ip_tables
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_tables
++ '[' -z 'ip_tables              14360  13  [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_pkttype ipt_LOG ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]' ']'
++ loadmodule iptable_filter
++ local modulename=iptable_filter
++ local modulefile
++ local suffix
+++ lsmod
+++ grep iptable_filter
++ '[' -z 'iptable_filter          2316   1  (autoclean)
ip_tables              14360  13  [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_pkttype ipt_LOG ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]' ']'
++ loadmodule ip_conntrack
++ local modulename=ip_conntrack
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack
++ '[' -z 'ip_conntrack_h323       3648   0  (unused)
ip_conntrack_irc        4048   1  [ip_nat_irc]
ip_conntrack_tftp       2512   1 
ip_conntrack_ftp        5072   1  [ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_conntrack_h323
++ local modulename=ip_conntrack_h323
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_h323
++ '[' -z 'ip_conntrack_h323       3648   0  (unused)
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_conntrack_ftp
++ local modulename=ip_conntrack_ftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_ftp
++ '[' -z 'ip_conntrack_ftp        5072   1  [ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_conntrack_tftp
++ local modulename=ip_conntrack_tftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_tftp
++ '[' -z 'ip_conntrack_tftp       2512   1 
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_conntrack_irc
++ local modulename=ip_conntrack_irc
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_conntrack_irc
++ '[' -z 'ip_conntrack_irc        4048   1  [ip_nat_irc]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule iptable_nat
++ local modulename=iptable_nat
++ local modulefile
++ local suffix
+++ lsmod
+++ grep iptable_nat
++ '[' -z 'iptable_nat            20216   3  (autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables              14360  13  [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_pkttype ipt_LOG ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]' ']'
++ loadmodule ip_nat_ftp
++ local modulename=ip_nat_ftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_ftp
++ '[' -z 'ip_nat_ftp              3920   0  (unused)
ip_conntrack_ftp        5072   1  [ip_nat_ftp]
iptable_nat            20216   3  (autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_nat_tftp
++ local modulename=ip_nat_tftp
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_tftp
++ '[' -z 'ip_nat_tftp             2544   0  (unused)
iptable_nat            20216   3  (autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
++ loadmodule ip_nat_irc
++ local modulename=ip_nat_irc
++ local modulefile
++ local suffix
+++ lsmod
+++ grep ip_nat_irc
++ '[' -z 'ip_nat_irc              3216   0  (unused)
ip_conntrack_irc        4048   1  [ip_nat_irc]
iptable_nat            20216   3  (autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack           27848   7  (autoclean) [ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]' ']'
+ echo Initializing...
+ initialize_netfilter
+ report_capabilities
+ echo 'Shorewall has detected the following iptables/netfilter capabilities:'
+ report_capability Yes NAT
+ local setting=
+ '[' xYes = xYes ']'
+ setting=Available
+ shift
+ echo '  ' NAT: Available
+ report_capability Yes 'Packet Mangling'
+ local setting=
+ '[' xYes = xYes ']'
+ setting=Available
+ shift
+ echo '  ' Packet Mangling: Available
+ report_capability Yes 'Multi-port Match'
+ local setting=
+ '[' xYes = xYes ']'
+ setting=Available
+ shift
+ echo '  ' Multi-port Match: Available
+ report_capability Yes 'Connection Tracking Match'
+ local setting=
+ '[' xYes = xYes ']'
+ setting=Available
+ shift
+ echo '  ' Connection Tracking Match: Available
+ echo 'Determining Zones...'
+ determine_zones
++ find_file zones
++ '[' -n '' -a -f /zones ']'
++ '[' -f /etc/shorewall/zones ']'
++ echo /etc/shorewall/zones
+ local zonefile=/etc/shorewall/zones
+ multi_display=Multi-zone
+ strip_file zones /etc/shorewall/zones
+ local fname
+ '[' 2 = 1 ']'
+ fname=/etc/shorewall/zones
+ '[' -f /etc/shorewall/zones ']'
+ read_file /etc/shorewall/zones 0
+ local first rest
+ '[' -f /etc/shorewall/zones ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 /etc/shorewall/zones'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This file determines your network zones. Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ZONE		Short name of the zone (5 Characters or less in length).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DISPLAY		Display name of the zone'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# COMMENTS	Comments about the zone'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# See http://www.shorewall.net/Documentation.htm#Nested'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x#ZONE = xINCLUDE ']'
+ echo '#ZONE DISPLAY		COMMENTS'
+ read first rest
+ '[' xnet = xINCLUDE ']'
+ echo 'net Net		Internet'
+ read first rest
+ '[' xloc = xINCLUDE ']'
+ echo 'loc Local		Local networks'
+ read first rest
+ '[' x#dmz = xINCLUDE ']'
+ echo '#dmz DMZ		Demilitarized zone'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
++ find_zones /tmp/shorewall-13463/zones
++ read zone display comments
++ '[' -n net ']'
++ echo net
++ read zone display comments
++ '[' -n loc ']'
++ echo loc
++ read zone display comments
+ zones=net
loc
++ echo net loc
+ zones=net loc
++ find_display net /tmp/shorewall-13463/zones
++ grep '^net' /tmp/shorewall-13463/zones
++ read z display comments
++ '[' xnet = xnet ']'
++ echo Net
++ read z display comments
+ dsply=Net
+ eval 'net_display=$dsply'
++ net_display=Net
++ find_display loc /tmp/shorewall-13463/zones
++ grep '^loc' /tmp/shorewall-13463/zones
++ read z display comments
++ '[' xloc = xloc ']'
++ echo Local
++ read z display comments
+ dsply=Local
+ eval 'loc_display=$dsply'
++ loc_display=Local
+ '[' -z 'net loc' ']'
+ display_list Zones: net loc
+ '[' 3 -gt 1 ']'
+ echo '   Zones: net loc'
+ echo 'Validating interfaces file...'
+ validate_interfaces_file
+ local wildcard
+ local found_obsolete_option=
+ local z interface subnet options r iface option
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ '[' 4 -gt 0 ']'
+ eval 'varval=$z'
++ varval=net
+ eval 'z="net"'
++ z=net
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$interface'
++ varval=eth1
+ eval 'interface="eth1"'
++ interface=eth1
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$subnet'
++ varval=129.246.226.255
+ eval 'subnet="129.246.226.255"'
++ subnet=129.246.226.255
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$options'
++ varval=
+ eval 'options=""'
++ options=
+ shift
+ '[' 0 -gt 0 ']'
+ r=net eth1 129.246.226.255 
+ '[' xnet = x- ']'
+ '[' -n net ']'
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xnet = xnet ']'
+ return 0
+ list_search eth1
+ local e=eth1
+ '[' 1 -gt 1 ']'
+ return 1
+ wildcard=
+ all_interfaces= eth1
++ separate_list
++ local list
++ local part
++ local newlist
++ list=
++ part=
++ newlist=
++ '[' x '!=' x ']'
++ echo ''
+ options=
++ chain_base eth1
++ local c=eth1
++ true
++ echo eth1
++ return
+ iface=eth1
+ eval eth1_broadcast=129.246.226.255
++ eth1_broadcast=129.246.226.255
+ eval eth1_zone=net
++ eth1_zone=net
+ eval 'eth1_options=""'
++ eth1_options=
+ '[' -z ' eth1' ']'
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ '[' 4 -gt 0 ']'
+ eval 'varval=$z'
++ varval=loc
+ eval 'z="loc"'
++ z=loc
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$interface'
++ varval=eth0
+ eval 'interface="eth0"'
++ interface=eth0
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$subnet'
++ varval=192.168.0.255
+ eval 'subnet="192.168.0.255"'
++ subnet=192.168.0.255
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$options'
++ varval=
+ eval 'options=""'
++ options=
+ shift
+ '[' 0 -gt 0 ']'
+ r=loc eth0 192.168.0.255 
+ '[' xloc = x- ']'
+ '[' -n loc ']'
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xloc = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xloc = xloc ']'
+ return 0
+ list_search eth0 eth1
+ local e=eth0
+ '[' 2 -gt 1 ']'
+ shift
+ '[' xeth0 = xeth1 ']'
+ '[' 1 -gt 1 ']'
+ return 1
+ wildcard=
+ all_interfaces= eth1 eth0
++ separate_list
++ local list
++ local part
++ local newlist
++ list=
++ part=
++ newlist=
++ '[' x '!=' x ']'
++ echo ''
+ options=
++ chain_base eth0
++ local c=eth0
++ true
++ echo eth0
++ return
+ iface=eth0
+ eval eth0_broadcast=192.168.0.255
++ eth0_broadcast=192.168.0.255
+ eval eth0_zone=loc
++ eth0_zone=loc
+ eval 'eth0_options=""'
++ eth0_options=
+ '[' -z ' eth1 eth0' ']'
+ read z interface subnet options
+ echo 'Validating hosts file...'
+ validate_hosts_file
+ local z hosts options r interface host option
+ read z hosts options
+ echo 'Validating Policy file...'
+ validate_policy
+ local clientwild
+ local serverwild
+ local zone
+ local zone1
+ local pc
+ local chain
+ local policy
+ local loglevel
+ local synparams
+ all_policy_chains=
+ strip_file policy
+ local fname
+ '[' 1 = 1 ']'
++ find_file policy
++ '[' -n '' -a -f /policy ']'
++ '[' -f /etc/shorewall/policy ']'
++ echo /etc/shorewall/policy
+ fname=/etc/shorewall/policy
+ '[' -f /etc/shorewall/policy ']'
+ read_file /etc/shorewall/policy 0
+ local first rest
+ '[' -f /etc/shorewall/policy ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 -- Policy File'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/policy'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This file determines what to do with a new connection request if we'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# don'\''t get a match from the /etc/shorewall/rules file . For each'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# source/destination pair, the file is processed in order until a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# match is found ("all" will match any client or server).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SOURCE		Source zone. Must be the name of a zone defined'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in /etc/shorewall/zones, $FW or "all".'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DEST		Destination zone. Must be the name of a zone defined'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in /etc/shorewall/zones, $FW or "all"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# POLICY		Policy if no match from the rules file is found. Must'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACCEPT		- Accept the connection'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DROP		- Ignore the connection request'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REJECT		- For TCP, send RST. For all other, send'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "port unreachable" ICMP.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# CONTINUE	- Pass the connection request past'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# any other rules that it might also'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# match (where the source or destination'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# zone in those rules is a superset of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the SOURCE or DEST in this policy).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# NONE		- Assume that there will never be any'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# packets from this SOURCE'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to this DEST. Shorewall will not set up'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# any infrastructure to handle such'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# packets and you may not have any rules'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# with this SOURCE and DEST in the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/rules file. If such a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# packet _is_ received, the result is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# undefined. NONE may not be used if the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SOURCE or DEST columns contain the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# firewall zone ($FW) or "all".'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If this column contains ACCEPT, DROP or REJECT and a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# corresponding common action is defined in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# then that action will be invoked before the policy named in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# this column is inforced.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LOG LEVEL	If supplied, each connection handled under the default'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# POLICY is logged at that level. If not supplied, no'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# log message is generated. See syslog.conf(5) for a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# description of log levels.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Beginning with Shorewall version 1.3.12, you may'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# also specify ULOG (must be in upper case). This will'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# log to the ULOG target and sent to a separate log'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# through use of ulogd'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (http://www.gnumonks.org/projects/ulogd).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If you don'\''t want to log but need to specify the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# following column, place "-" here.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LIMIT:BURST	If passed, specifies the maximum TCP connection rate'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# and the size of an acceptable burst. If not specified,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# TCP connections are not limited.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# As shipped, the default policies are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a) All connections from the local network to the internet are allowed'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# b) All connections from the internet are ignored but logged at syslog'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# level KERNEL.INFO.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# d) All other connection requests are rejected and logged at level'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# KERNEL.INFO.'
+ read first rest
+ '[' x############################################################################### = xINCLUDE ']'
+ echo '############################################################################### '
+ read first rest
+ '[' x#SOURCE = xINCLUDE ']'
+ echo '#SOURCE DEST		POLICY		LOG		LIMIT:BURST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LEVEL'
+ read first rest
+ '[' xfw = xINCLUDE ']'
+ echo 'fw loc		ACCEPT		info'
+ read first rest
+ '[' xfw = xINCLUDE ']'
+ echo 'fw net		ACCEPT		info'
+ read first rest
+ '[' xloc = xINCLUDE ']'
+ echo 'loc loc		ACCEPT		info'
+ read first rest
+ '[' xloc = xINCLUDE ']'
+ echo 'loc net		ACCEPT'
+ read first rest
+ '[' xnet = xINCLUDE ']'
+ echo 'net all		DROP		info'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# THE FOLLOWING POLICY MUST BE LAST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' xall = xINCLUDE ']'
+ echo 'all all		REJECT		info'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- DO NOT REMOVE'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=fw
+ eval 'client="fw"'
++ client=fw
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=loc
+ eval 'server="loc"'
++ server=loc
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=ACCEPT
+ eval 'policy="ACCEPT"'
++ policy=ACCEPT
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=info
+ eval 'loglevel="info"'
++ loglevel=info
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ validate_zone fw
+ list_search fw net loc fw
+ local e=fw
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xfw = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xfw = xloc ']'
+ '[' 2 -gt 1 ']'
+ shift
+ '[' xfw = xfw ']'
+ return 0
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xloc = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xloc = xloc ']'
+ return 0
+ chain=fw2loc
+ is_policy_chain fw2loc
+ eval test '"$fw2loc_is_policy"' = Yes
++ test '' = Yes
+ '[' xinfo = x- ']'
+ '[' ACCEPT = NONE ']'
+ all_policy_chains= fw2loc
+ eval fw2loc_is_policy=Yes
++ fw2loc_is_policy=Yes
+ eval fw2loc_policy=ACCEPT
++ fw2loc_policy=ACCEPT
+ eval fw2loc_loglevel=info
++ fw2loc_loglevel=info
+ eval fw2loc_synparams=
++ fw2loc_synparams=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ eval fw2loc_policychain=fw2loc
++ fw2loc_policychain=fw2loc
+ print_policy fw loc
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=fw
+ eval 'client="fw"'
++ client=fw
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=net
+ eval 'server="net"'
++ server=net
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=ACCEPT
+ eval 'policy="ACCEPT"'
++ policy=ACCEPT
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=info
+ eval 'loglevel="info"'
++ loglevel=info
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ validate_zone fw
+ list_search fw net loc fw
+ local e=fw
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xfw = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xfw = xloc ']'
+ '[' 2 -gt 1 ']'
+ shift
+ '[' xfw = xfw ']'
+ return 0
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xnet = xnet ']'
+ return 0
+ chain=fw2net
+ is_policy_chain fw2net
+ eval test '"$fw2net_is_policy"' = Yes
++ test '' = Yes
+ '[' xinfo = x- ']'
+ '[' ACCEPT = NONE ']'
+ all_policy_chains= fw2loc fw2net
+ eval fw2net_is_policy=Yes
++ fw2net_is_policy=Yes
+ eval fw2net_policy=ACCEPT
++ fw2net_policy=ACCEPT
+ eval fw2net_loglevel=info
++ fw2net_loglevel=info
+ eval fw2net_synparams=
++ fw2net_synparams=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ eval fw2net_policychain=fw2net
++ fw2net_policychain=fw2net
+ print_policy fw net
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=loc
+ eval 'client="loc"'
++ client=loc
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=loc
+ eval 'server="loc"'
++ server=loc
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=ACCEPT
+ eval 'policy="ACCEPT"'
++ policy=ACCEPT
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=info
+ eval 'loglevel="info"'
++ loglevel=info
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xloc = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xloc = xloc ']'
+ return 0
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xloc = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xloc = xloc ']'
+ return 0
+ chain=loc2loc
+ is_policy_chain loc2loc
+ eval test '"$loc2loc_is_policy"' = Yes
++ test '' = Yes
+ '[' xinfo = x- ']'
+ '[' ACCEPT = NONE ']'
+ all_policy_chains= fw2loc fw2net loc2loc
+ eval loc2loc_is_policy=Yes
++ loc2loc_is_policy=Yes
+ eval loc2loc_policy=ACCEPT
++ loc2loc_policy=ACCEPT
+ eval loc2loc_loglevel=info
++ loc2loc_loglevel=info
+ eval loc2loc_synparams=
++ loc2loc_synparams=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ eval loc2loc_policychain=loc2loc
++ loc2loc_policychain=loc2loc
+ print_policy loc loc
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=loc
+ eval 'client="loc"'
++ client=loc
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=net
+ eval 'server="net"'
++ server=net
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=ACCEPT
+ eval 'policy="ACCEPT"'
++ policy=ACCEPT
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=
+ eval 'loglevel=""'
++ loglevel=
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xloc = xnet ']'
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xloc = xloc ']'
+ return 0
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xnet = xnet ']'
+ return 0
+ chain=loc2net
+ is_policy_chain loc2net
+ eval test '"$loc2net_is_policy"' = Yes
++ test '' = Yes
+ '[' x = x- ']'
+ '[' ACCEPT = NONE ']'
+ all_policy_chains= fw2loc fw2net loc2loc loc2net
+ eval loc2net_is_policy=Yes
++ loc2net_is_policy=Yes
+ eval loc2net_policy=ACCEPT
++ loc2net_policy=ACCEPT
+ eval loc2net_loglevel=
++ loc2net_loglevel=
+ eval loc2net_synparams=
++ loc2net_synparams=
+ '[' -n '' ']'
+ '[' -n '' ']'
+ eval loc2net_policychain=loc2net
++ loc2net_policychain=loc2net
+ print_policy loc net
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=net
+ eval 'client="net"'
++ client=net
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=all
+ eval 'server="all"'
++ server=all
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=DROP
+ eval 'policy="DROP"'
++ policy=DROP
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=info
+ eval 'loglevel="info"'
++ loglevel=info
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ '[' 4 -gt 1 ']'
+ shift
+ '[' xnet = xnet ']'
+ return 0
+ serverwild=Yes
+ chain=net2all
+ is_policy_chain net2all
+ eval test '"$net2all_is_policy"' = Yes
++ test '' = Yes
+ '[' xinfo = x- ']'
+ '[' DROP = NONE ']'
+ all_policy_chains= fw2loc fw2net loc2loc loc2net net2all
+ eval net2all_is_policy=Yes
++ net2all_is_policy=Yes
+ eval net2all_policy=DROP
++ net2all_policy=DROP
+ eval net2all_loglevel=info
++ net2all_loglevel=info
+ eval net2all_synparams=
++ net2all_synparams=
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ eval 'pc=$net2net_policychain'
++ pc=
+ '[' -z '' ']'
+ eval net2net_policychain=net2all
++ net2net_policychain=net2all
+ eval net2net_policy=DROP
++ net2net_policy=DROP
+ print_policy net net
+ '[' start '!=' check ']'
+ eval 'pc=$net2loc_policychain'
++ pc=
+ '[' -z '' ']'
+ eval net2loc_policychain=net2all
++ net2loc_policychain=net2all
+ eval net2loc_policy=DROP
++ net2loc_policy=DROP
+ print_policy net loc
+ '[' start '!=' check ']'
+ eval 'pc=$net2fw_policychain'
++ pc=
+ '[' -z '' ']'
+ eval net2fw_policychain=net2all
++ net2fw_policychain=net2all
+ eval net2fw_policy=DROP
++ net2fw_policy=DROP
+ print_policy net fw
+ '[' start '!=' check ']'
+ eval 'pc=$net2all_policychain'
++ pc=
+ '[' -z '' ']'
+ eval net2all_policychain=net2all
++ net2all_policychain=net2all
+ eval net2all_policy=DROP
++ net2all_policy=DROP
+ print_policy net all
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$client'
++ varval=all
+ eval 'client="all"'
++ client=all
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$server'
++ varval=all
+ eval 'server="all"'
++ server=all
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$policy'
++ varval=REJECT
+ eval 'policy="REJECT"'
++ policy=REJECT
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$loglevel'
++ varval=info
+ eval 'loglevel="info"'
++ loglevel=info
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$synparams'
++ varval=
+ eval 'synparams=""'
++ synparams=
+ shift
+ '[' 0 -gt 0 ']'
+ clientwild=
+ serverwild=
+ clientwild=Yes
+ serverwild=Yes
+ chain=all2all
+ is_policy_chain all2all
+ eval test '"$all2all_is_policy"' = Yes
++ test '' = Yes
+ '[' xinfo = x- ']'
+ '[' REJECT = NONE ']'
+ all_policy_chains= fw2loc fw2net loc2loc loc2net net2all all2all
+ eval all2all_is_policy=Yes
++ all2all_is_policy=Yes
+ eval all2all_policy=REJECT
++ all2all_policy=REJECT
+ eval all2all_loglevel=info
++ all2all_loglevel=info
+ eval all2all_synparams=
++ all2all_synparams=
+ '[' -n Yes ']'
+ '[' -n Yes ']'
+ eval 'pc=$net2net_policychain'
++ pc=net2all
+ '[' -z net2all ']'
+ eval 'pc=$net2loc_policychain'
++ pc=net2all
+ '[' -z net2all ']'
+ eval 'pc=$net2fw_policychain'
++ pc=net2all
+ '[' -z net2all ']'
+ eval 'pc=$net2all_policychain'
++ pc=net2all
+ '[' -z net2all ']'
+ eval 'pc=$loc2net_policychain'
++ pc=loc2net
+ '[' -z loc2net ']'
+ eval 'pc=$loc2loc_policychain'
++ pc=loc2loc
+ '[' -z loc2loc ']'
+ eval 'pc=$loc2fw_policychain'
++ pc=
+ '[' -z '' ']'
+ eval loc2fw_policychain=all2all
++ loc2fw_policychain=all2all
+ eval loc2fw_policy=REJECT
++ loc2fw_policy=REJECT
+ print_policy loc fw
+ '[' start '!=' check ']'
+ eval 'pc=$loc2all_policychain'
++ pc=
+ '[' -z '' ']'
+ eval loc2all_policychain=all2all
++ loc2all_policychain=all2all
+ eval loc2all_policy=REJECT
++ loc2all_policy=REJECT
+ print_policy loc all
+ '[' start '!=' check ']'
+ eval 'pc=$fw2net_policychain'
++ pc=fw2net
+ '[' -z fw2net ']'
+ eval 'pc=$fw2loc_policychain'
++ pc=fw2loc
+ '[' -z fw2loc ']'
+ eval 'pc=$fw2fw_policychain'
++ pc=
+ '[' -z '' ']'
+ eval fw2fw_policychain=all2all
++ fw2fw_policychain=all2all
+ eval fw2fw_policy=REJECT
++ fw2fw_policy=REJECT
+ print_policy fw fw
+ '[' start '!=' check ']'
+ eval 'pc=$fw2all_policychain'
++ pc=
+ '[' -z '' ']'
+ eval fw2all_policychain=all2all
++ fw2all_policychain=all2all
+ eval fw2all_policy=REJECT
++ fw2all_policy=REJECT
+ print_policy fw all
+ '[' start '!=' check ']'
+ eval 'pc=$all2net_policychain'
++ pc=
+ '[' -z '' ']'
+ eval all2net_policychain=all2all
++ all2net_policychain=all2all
+ eval all2net_policy=REJECT
++ all2net_policy=REJECT
+ print_policy all net
+ '[' start '!=' check ']'
+ eval 'pc=$all2loc_policychain'
++ pc=
+ '[' -z '' ']'
+ eval all2loc_policychain=all2all
++ all2loc_policychain=all2all
+ eval all2loc_policy=REJECT
++ all2loc_policy=REJECT
+ print_policy all loc
+ '[' start '!=' check ']'
+ eval 'pc=$all2fw_policychain'
++ pc=
+ '[' -z '' ']'
+ eval all2fw_policychain=all2all
++ all2fw_policychain=all2all
+ eval all2fw_policy=REJECT
++ all2fw_policy=REJECT
+ print_policy all fw
+ '[' start '!=' check ']'
+ eval 'pc=$all2all_policychain'
++ pc=
+ '[' -z '' ']'
+ eval all2all_policychain=all2all
++ all2all_policychain=all2all
+ eval all2all_policy=REJECT
++ all2all_policy=REJECT
+ print_policy all all
+ '[' start '!=' check ']'
+ read client server policy loglevel synparams
+ echo 'Determining Hosts in Zones...'
+ determine_interfaces
++ find_interfaces net
++ local zne=net
++ local z
++ local interface
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval 'z=$eth1_zone'
+++ z=net
++ '[' xnet = xnet ']'
++ echo eth1
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval 'z=$eth0_zone'
+++ z=loc
++ '[' xloc = xnet ']'
+ interfaces=eth1
++ echo eth1
+ interfaces=eth1
+ eval 'net_interfaces="$interfaces"'
++ net_interfaces=eth1
++ find_interfaces loc
++ local zne=loc
++ local z
++ local interface
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval 'z=$eth1_zone'
+++ z=net
++ '[' xnet = xloc ']'
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval 'z=$eth0_zone'
+++ z=loc
++ '[' xloc = xloc ']'
++ echo eth0
+ interfaces=eth0
++ echo eth0
+ interfaces=eth0
+ eval 'loc_interfaces="$interfaces"'
++ loc_interfaces=eth0
+ determine_hosts
++ find_hosts net
++ local hosts interface address addresses
++ read z hosts options
+ hosts=
++ echo
+ hosts=
+ eval 'interfaces=$net_interfaces'
++ interfaces=eth1
++ chain_base eth1
++ local c=eth1
++ true
++ echo eth1
++ return
+ eval 'options=$eth1_options'
++ options=
+ list_search detectnets
+ local e=detectnets
+ '[' 1 -gt 1 ']'
+ return 1
+ subnets=0.0.0.0/0
+ '[' -z '' ']'
+ hosts=eth1:0.0.0.0/0
+ list_search routeback
+ local e=routeback
+ '[' 1 -gt 1 ']'
+ return 1
+ interfaces=
+ interface=eth1
+ list_search eth1
+ local e=eth1
+ '[' 1 -gt 1 ']'
+ return 1
+ '[' -z '' ']'
+ interfaces=eth1
+ eval 'net_interfaces=$interfaces'
++ net_interfaces=eth1
+ eval 'net_hosts=$hosts'
++ net_hosts=eth1:0.0.0.0/0
+ '[' -n eth1:0.0.0.0/0 ']'
+ eval 'display=$net_display'
++ display=Net
+ display_list 'Net Zone:' eth1:0.0.0.0/0
+ '[' 2 -gt 1 ']'
+ echo '   Net Zone: eth1:0.0.0.0/0'
++ find_hosts loc
++ local hosts interface address addresses
++ read z hosts options
+ hosts=
++ echo
+ hosts=
+ eval 'interfaces=$loc_interfaces'
++ interfaces=eth0
++ chain_base eth0
++ local c=eth0
++ true
++ echo eth0
++ return
+ eval 'options=$eth0_options'
++ options=
+ list_search detectnets
+ local e=detectnets
+ '[' 1 -gt 1 ']'
+ return 1
+ subnets=0.0.0.0/0
+ '[' -z '' ']'
+ hosts=eth0:0.0.0.0/0
+ list_search routeback
+ local e=routeback
+ '[' 1 -gt 1 ']'
+ return 1
+ interfaces=
+ interface=eth0
+ list_search eth0
+ local e=eth0
+ '[' 1 -gt 1 ']'
+ return 1
+ '[' -z '' ']'
+ interfaces=eth0
+ eval 'loc_interfaces=$interfaces'
++ loc_interfaces=eth0
+ eval 'loc_hosts=$hosts'
++ loc_hosts=eth0:0.0.0.0/0
+ '[' -n eth0:0.0.0.0/0 ']'
+ eval 'display=$loc_display'
++ display=Local
+ display_list 'Local Zone:' eth0:0.0.0.0/0
+ '[' 2 -gt 1 ']'
+ echo '   Local Zone: eth0:0.0.0.0/0'
+ run_user_exit init
++ find_file init
++ '[' -n '' -a -f /init ']'
++ '[' -f /etc/shorewall/init ']'
++ echo /etc/shorewall/init
+ local user_exit=/etc/shorewall/init
+ '[' -f /etc/shorewall/init ']'
+ echo 'Processing /etc/shorewall/init ...'
+ . /etc/shorewall/init
+ strip_file rules
+ local fname
+ '[' 1 = 1 ']'
++ find_file rules
++ '[' -n '' -a -f /rules ']'
++ '[' -f /etc/shorewall/rules ']'
++ echo /etc/shorewall/rules
+ fname=/etc/shorewall/rules
+ '[' -f /etc/shorewall/rules ']'
+ read_file /etc/shorewall/rules 0
+ local first rest
+ '[' -f /etc/shorewall/rules ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall version 2.0 - Rules File'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/rules'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Rules in this file govern connection establishment. Requests and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# responses are automatically allowed using connection tracking. For any'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# particular (source,dest) pair of zones, the rules are evaluated in the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# order in which they appear in this file and the first match is the one'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# that determines the disposition of the request.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# In most places where an IP address or subnet is allowed, you'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# indicate that the rule matches all addresses except the address/subnet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# given. Notice that no white space is permitted between "!" and the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address/subnet.'
+ read first rest
+ '[' x#------------------------------------------------------------------------------ = xINCLUDE ']'
+ echo '#------------------------------------------------------------------------------ '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# WARNING: If you masquerade or use SNAT from a local system to the internet,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# you cannot use an ACCEPT rule to allow traffic from the internet to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# that system. You *must* use a DNAT rule instead.'
+ read first rest
+ '[' x#-------------------------------------------------------------------------------# = xINCLUDE ']'
+ echo '#-------------------------------------------------------------------------------# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LOG, QUEUE or an <action>.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACCEPT   -- allow the connection request'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DROP     -- ignore the request'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REJECT   -- disallow the request and return an'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# icmp-unreachable or an RST packet.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT     -- Forward the request to another'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# system (and optionally another'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# port).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT-    -- Advanced users only.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Like DNAT but only generates the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT iptables rule and not'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the companion ACCEPT rule.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT -- Redirect the request to a local'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# port on the firewall.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT-'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# -- Advanced users only.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Like REDIRET but only generates the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT iptables rule and not'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the companion ACCEPT rule.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# CONTINUE -- (For experts only). Do not process'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# any of the following rules for this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (source zone,destination zone). If'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The source and/or destination IP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address falls into a zone defined'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# later in /etc/shorewall/zones, this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# connection request will be passed'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to the rules defined for that'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (those) zone(s).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LOG      -- Simply log the packet and continue.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# QUEUE	 -- Queue the packet to a user-space'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# application such as ftwall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (http://p2pwall.sf.net).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <action> -- The name of an action defined in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/actions or in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /usr/share/shorewall/actions.std.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The ACTION may optionally be followed'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# by ":" and a syslog log level (e.g, REJECT:info or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT:debug). This causes the packet to be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# logged at the specified level.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# You may also specify ULOG (must be in upper case) as a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# log level.This will log to the ULOG target for routing'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to a separate log through use of ulogd'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (http://www.gnumonks.org/projects/ulogd).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SOURCE		Source hosts to which the rule applies. May be a zone'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# defined in /etc/shorewall/zones, $FW to indicate the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# firewall itself, or "all" If the ACTION is DNAT or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT, sub-zones of the specified zone may be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# excluded from the rule by following the zone name with'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "!'\'' and a comma-separated list of sub-zone names.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Except when "all" is specified, clients may be further'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# restricted to a list of subnets and/or hosts by'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# appending ":" and a comma-separated list of subnets'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# and/or hosts. Hosts may be specified by IP or MAC'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address; mac addresses must begin with "~" and must use'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "-" as a separator.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# dmz:192.168.2.2		Host 192.168.2.2 in the DMZ'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# net:155.186.235.0/24	Subnet 155.186.235.0/24 on the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Internet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# loc:192.168.1.1,192.168.1.2'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Hosts 192.168.1.1 and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 192.168.1.2 in the local zone.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# loc:~00-A0-C9-15-39-78  Host in the local zone with'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# MAC address 00:A0:C9:15:39:78.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Alternatively, clients may be specified by interface'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# by appending ":" to the zone name followed by the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface name. For example, loc:eth1 specifies a'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# client that communicates with the firewall system'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# through eth1. This may be optionally followed by'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# another colon (":") and an IP/MAC/subnet address'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# as described above (e.g., loc:eth1:192.168.1.5).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DEST		Location of Server. May be a zone defined in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/zones, $FW to indicate the firewall'
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# itself or "all"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Except when "all" is specified, the server may be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# further restricted to a particular subnet, host or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface by appending ":" and the subnet, host or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface. See above.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Restrictions:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 1. MAC addresses are not allowed.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 2. In DNAT rules, only IP addresses are'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# allowed; no FQDNs or subnet addresses'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# are permitted.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 3. You may not specify both an interface and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# an address.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Unlike in the SOURCE column, you may specify a range of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# up to 256 IP addresses using the syntax'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the connections will be assigned to addresses in the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# range in a round-robin fashion.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The port that the server is listening on may be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# included and separated from the server'\''s IP address by'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ":". If omitted, the firewall will not modifiy the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# destination port. A destination port may only be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# included if the ACTION is DNAT or REDIRECT.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: loc:192.168.1.3:3128 specifies a local'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# server at IP address 192.168.1.3 and listening on port'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 3128. The port number MUST be specified as an integer'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# and not as a name from /etc/services.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# if the ACTION is REDIRECT, this column needs only to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# contain the port number on the firewall that the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# request should be redirected to.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "all".'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DEST PORT(S)    Destination Ports. A comma-separated list of Port'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# names (from /etc/services), port numbers or port'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ranges; if the protocol is "icmp", this column is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interpreted as the destination icmp-type(s).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# A port range is expressed as <low port>:<high port>.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This column is ignored if PROTOCOL = all but must be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# entered if any of the following ields are supplied.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# In that case, it is suggested that this field contain'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "-"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If your kernel contains multi-port match support, then'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# only a single Netfilter rule will be generated if in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# this list and the CLIENT PORT(S) list below:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 1. There are 15 or less ports listed.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 2. No port ranges are included.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Otherwise, a separate rule will be generated for each'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# port.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# any source port is acceptable. Specified as a comma-'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# separated list of port names, port numbers or port'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ranges.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If you don'\''t want to restrict client ports but need to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# specify an ADDRESS in the next column, then place "-"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in this column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If your kernel contains multi-port match support, then'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# only a single Netfilter rule will be generated if in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# this list and the DEST PORT(S) list above:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 1. There are 15 or less ports listed.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 2. No port ranges are included.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Otherwise, a separate rule will be generated for each'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# port.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT[-]) If included and different from the IP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address given in the SERVER column, this is an address'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# on some interface on the firewall and connections to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# that address will be forwarded to the IP and port'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# specified in the DEST column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# A comma-separated list of addresses may also be used.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This is usually most useful with the REDIRECT target'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# where you want to redirect traffic destined for'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# particular set of hosts.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Finally, if the list of addresses begins with "!" then'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the rule will be followed only if the original'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# destination address in the connection request does not'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# match any of the addresses listed.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The address (list) may optionally be followed by'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a colon (":") and a second IP address. This causes'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall to use the second IP address as the source'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address in forwarded packets. See the Shorewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# documentation for restrictions concerning this feature.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If no source IP address is given, the original source'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# address is not altered.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# RATE LIMIT	You may rate-limit the rule by placing a value in'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# this colume:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <rate>/<interval>[:<burst>]'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# where <rate> is the number of connections per'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <interval> ("sec" or "min") and <burst> is the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# largest burst permitted. If no <burst> is given,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a value of 5 is assumed. There may be no'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# no whitespace embedded in the specification.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: 10/sec:20'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# USER/GROUP	This column may only be non-empty if the SOURCE is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the firewall itself.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The column may contain:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# [!][<user name or number>][:<group name or number>]'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# When this column is non-empty, the rule applies only'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# if the program generating the output is running under'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the effective <user> and/or <group> specified (or is'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# NOT running under that id if "!" is given).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Examples:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# joe	#program must be run by joe'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# :kids	#program must be run by a member of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #the '\''kids'\'' group'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# !:kids  #program must not be run by a member'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #of the '\''kids'\'' group'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: Accept SMTP requests from the DMZ to the internet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                               PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACCEPT	dmz	net	  tcp	smtp'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: Forward all ssh and http connection requests from the internet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to local system 192.168.1.3'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                                       PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT	net	loc:192.168.1.3 tcp	ssh,http'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: Forward all http connection requests from the internet'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to local system 192.168.1.3 with a limit of 3 per second and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a maximum burst of 10'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION 	SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                                       	PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT<3/sec:10>	net	loc:192.168.1.3 tcp	http'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: Redirect all locally-originating www connection requests to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# port 3128 on the firewall (Squid running on the firewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# system) except when the destination address is 192.168.2.2'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                               PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# REDIRECT loc	3128      tcp	www	 -	!192.168.2.2'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: All http requests from the internet to address'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 130.252.100.69 are to be forwarded to 192.168.1.3'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                               	PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: You want to accept SSH connections to your firewall only'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# from internet IP addresses 130.252.100.69 and 130.252.100.70'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #                               	PORT    PORT(S) DEST'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACCEPT	 net:130.252.100.69,130.252.100.70 fw #					tcp	22'
+ read first rest
+ '[' x#################################################################################################### = xINCLUDE ']'
+ echo '#################################################################################################### '
+ read first rest
+ '[' x#ACTION = xINCLUDE ']'
+ echo '#ACTION SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE		USER/'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# PORT    PORT(S)    DEST		LIMIT		GROUP'
+ read first rest
+ '[' x#FIREWALL = xINCLUDE ']'
+ echo '#FIREWALL '
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net	loc:129.246.226.135	tcp	domain,ssh'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net	loc:129.246.226.135	udp	domain'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT loc:129.246.226.135	net	tcp	domain'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT loc:129.246.226.135	net	udp	domain'
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#MAIL = xINCLUDE ']'
+ echo '#MAIL '
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net	loc:192.168.0.136	tcp	http,smtp,pop3,imap,domain'
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#ASSETS = xINCLUDE ']'
+ echo '#ASSETS '
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net 	loc:192.168.0.98  	tcp 	www,http,https,ftp,smtp'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT fw	loc:192.168.0.98	tcp	http,https,ftp,smtp'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net	loc:192.168.0.98	tcp	389,522,1503,1720,1731'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net 	loc:192.168.0.12  	tcp 	www,http,https'
+ read first rest
+ '[' xACCEPT = xINCLUDE ']'
+ echo 'ACCEPT net 	loc:192.168.0.14  	tcp 	www,http,https'
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#GENERAL = xINCLUDE ']'
+ echo '#GENERAL '
+ read first rest
+ '[' x#DNAT = xINCLUDE ']'
+ echo '#DNAT loc	loc:192.168.0.98	tcp	www,http,https	-'
+ read first rest
+ '[' x#129.246.226.135 = xINCLUDE ']'
+ echo '#129.246.226.135 '
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ strip_file proxyarp
+ local fname
+ '[' 1 = 1 ']'
++ find_file proxyarp
++ '[' -n '' -a -f /proxyarp ']'
++ '[' -f /etc/shorewall/proxyarp ']'
++ echo /etc/shorewall/proxyarp
+ fname=/etc/shorewall/proxyarp
+ '[' -f /etc/shorewall/proxyarp ']'
+ read_file /etc/shorewall/proxyarp 0
+ local first rest
+ '[' -f /etc/shorewall/proxyarp ']'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 -- Proxy ARP'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/proxyarp'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This file is used to define Proxy ARP.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns must be separated by white space and are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ADDRESS		IP Address'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERFACE	Local interface where system is connected. If the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# local interface is obvious from the subnetting,'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# you may enter "-" in this column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# EXTERNAL	External Interface to be used to access this system'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# HAVEROUTE	If there is already a route from the firewall to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the host whose address is given, enter "Yes" or "yes"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in this column. Otherwise, entry "no", "No" or leave'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the column empty and Shorewall will add the route for'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# you. If Shorewall adds the route,the route will be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# persistent if the PERSISTENT column contains Yes;'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# otherwise, "shorewall stop" or "shorewall clear" will'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# delete the route.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# PERSISTENT	If HAVEROUTE is No or "no", then the value of this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# column determines if the route added by Shorewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# persists after a "shorewall stop" or a "shorewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# clear". If this column contains "Yes" or "yes" then'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the route persists; If the column is empty or contains'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "No"or "no" then the route is deleted at "shorewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# stop" or "shorewall clear".'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Example: Host with IP 155.186.235.6 is connected to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# interface eth1 and we want hosts attached via eth0'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to be able to access it using that address.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# #ADDRESS	INTERFACE	EXTERNAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# 155.186.235.6	eth1		eth0'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x#ADDRESS = xINCLUDE ']'
+ echo '#ADDRESS INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ strip_file maclist
+ local fname
+ '[' 1 = 1 ']'
++ find_file maclist
++ '[' -n '' -a -f /maclist ']'
++ '[' -f /etc/shorewall/maclist ']'
++ echo /etc/shorewall/maclist
+ fname=/etc/shorewall/maclist
+ '[' -f /etc/shorewall/maclist ']'
+ read_file /etc/shorewall/maclist 0
+ local first rest
+ '[' -f /etc/shorewall/maclist ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0 - MAC list file'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/maclist'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERFACE	Network interface to a host'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# MAC		MAC address of the host -- you do not need to use'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the Shorewall format for MAC addresses here'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# IP ADDRESSES	Optional -- if specified, both the MAC and IP address'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# must match. This column can contain a comma-separated'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# list of host and/or subnet addresses.'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x#INTERFACE = xINCLUDE ']'
+ echo '#INTERFACE MAC			IP ADDRESSES (Optional)'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ strip_file nat
+ local fname
+ '[' 1 = 1 ']'
++ find_file nat
++ '[' -n '' -a -f /nat ']'
++ '[' -f /etc/shorewall/nat ']'
++ echo /etc/shorewall/nat
+ fname=/etc/shorewall/nat
+ '[' -f /etc/shorewall/nat ']'
+ read_file /etc/shorewall/nat 0
+ local first rest
+ '[' -f /etc/shorewall/nat ']'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall 2.0  -- Network Address Translation Table'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/nat'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# This file is used to define one-to-one Network Address Translation'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# (NAT).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# WARNING: If all you want to do is simple port forwarding, do NOT use this'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# cases, Proxy ARP is a better solution that one-to-one NAT.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns must be separated by white space and are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# EXTERNAL	External IP Address - this should NOT be the primary'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# IP address of the interface named in the next'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# column and must not be a DNS Name.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERFACE	Interface that you want to EXTERNAL address to appear'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# follow the interface name with ":" and a digit to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# indicate that you want Shorewall to add the alias'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# with this name (e.g., "eth0:0"). That allows you to'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# see the alias with ifconfig. THAT IS THE ONLY THING'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERNAL	Internal Address (must not be a DNS Name).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# If No or no (or left empty) then NAT will be effective'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# only through the interface named in the INTERFACE'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# column'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# LOCAL           If Yes or yes and the ALL INTERFACES column contains'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Yes or yes, NAT will be effective from the firewall'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# system'
+ read first rest
+ '[' x############################################################################## = xINCLUDE ']'
+ echo '############################################################################## '
+ read first rest
+ '[' x#EXTERNAL = xINCLUDE ']'
+ echo '#EXTERNAL INTERFACE	INTERNAL	ALL	 		LOCAL'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# INTERFACES'
+ read first rest
+ '[' x129.246.226.136 = xINCLUDE ']'
+ echo '129.246.226.136 eth1:136	192.168.0.136	yes			yes'
+ read first rest
+ '[' x129.246.226.98 = xINCLUDE ']'
+ echo '129.246.226.98 eth1:98		192.168.0.98	yes			yes'
+ read first rest
+ '[' x129.246.226.12 = xINCLUDE ']'
+ echo '129.246.226.12 eth1:12		192.168.0.12	yes			yes'
+ read first rest
+ '[' x129.246.226.14 = xINCLUDE ']'
+ echo '129.246.226.14 eth1:14		192.168.0.14	yes			yes'
+ read first rest
+ '[' x = xINCLUDE ']'
+ echo ' '
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ terminator=fatal_error
+ deletechain shorewall
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ '[' -n Yes ']'
+ delete_nat
+ run_iptables -t nat -F
+ iptables -t nat -F
+ run_iptables -t nat -X
+ iptables -t nat -X
+ '[' -f /var/lib/shorewall/nat ']'
+ read external interface
+ rm -f '{/var/lib/shorewall}/nat'
+ '[' -d /var/lib/shorewall ']'
+ touch /var/lib/shorewall/nat
+ delete_proxy_arp
+ '[' -f /var/lib/shorewall/proxyarp ']'
+ read address interface external haveroute
+ rm -f /var/lib/shorewall/proxyarp
+ '[' -d /var/lib/shorewall ']'
+ touch /var/lib/shorewall/proxyarp
++ ls /proc/sys/net/ipv4/conf/all/proxy_arp /proc/sys/net/ipv4/conf/default/proxy_arp /proc/sys/net/ipv4/conf/eth0/proxy_arp /proc/sys/net/ipv4/conf/eth1/proxy_arp /proc/sys/net/ipv4/conf/lo/proxy_arp
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ '[' -n Yes ']'
+ run_iptables -t mangle -F
+ iptables -t mangle -F
+ run_iptables -t mangle -X
+ iptables -t mangle -X
+ '[' -n '' ']'
+ echo 'Deleting user chains...'
+ setpolicy INPUT DROP
+ run_iptables -P INPUT DROP
+ iptables -P INPUT DROP
+ setpolicy OUTPUT DROP
+ run_iptables -P OUTPUT DROP
+ iptables -P OUTPUT DROP
+ setpolicy FORWARD DROP
+ run_iptables -P FORWARD DROP
+ iptables -P FORWARD DROP
+ deleteallchains
+ run_iptables -F
+ iptables -F
+ run_iptables -X
+ iptables -X
+ setcontinue FORWARD
+ run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue INPUT
+ run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue OUTPUT
+ run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n '' ']'
+ run_iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ run_iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
++ find_file accounting
++ '[' -n '' -a -f /accounting ']'
++ '[' -f /etc/shorewall/accounting ']'
++ echo /etc/shorewall/accounting
+ accounting_file=/etc/shorewall/accounting
+ '[' -f /etc/shorewall/accounting ']'
+ setup_accounting /etc/shorewall/accounting
+ echo 'Setting up Accounting...'
+ strip_file accounting /etc/shorewall/accounting
+ local fname
+ '[' 2 = 1 ']'
+ fname=/etc/shorewall/accounting
+ '[' -f /etc/shorewall/accounting ']'
+ read_file /etc/shorewall/accounting 0
+ local first rest
+ '[' -f /etc/shorewall/accounting ']'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Shorewall version 2.0 - Accounting File'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# /etc/shorewall/accounting'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Accounting rules exist simply to count packets and bytes in categories'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# that you define in this file. You may display these rules and their'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# packet and byte counters using the "shorewall show accounting" command.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Please see http://shorewall.net/Accounting.html for examples and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# additional information about how to use this file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Columns are:'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# ACTION	      - What to do when a match is found.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# COUNT	- Simply count the match and continue'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# with the next rule'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DONE	- Count the match and don'\''t attempt'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# to match any other accounting rules'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# in the chain specified in the CHAIN'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# <chain>[:COUNT]'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# - Where <chain> is the name of'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a chain. Shorewall will create'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# the chain automatically if it'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# doesn'\''t already exist. Causes'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# a jump to that chain. If :COUNT'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# is including, a counting rule'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# matching this record will be'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# added to <chain>'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# CHAIN	      - The name of a chain. If specified as "-" the'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '\''accounting'\'' chain is assumed. This is the chain'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# where the accounting rule is added. The chain will'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# be created if it doesn'\''t already exist.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SOURCE	      - Packet Source'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# The name of an interface, an address (host or net) or'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# an interface name followed by ":"'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# and a host or net address.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DESTINATION   - Packet Destination'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Format the same as the SOURCE column.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# PROTOCOL	A protocol name (from /etc/protocols), a protocol'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# number.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# DEST PORT	Destination Port number'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Service name from /etc/services or port number. May'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# only be specified if the protocol is TCP or UDP (6'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# or 17).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# SOURCE PORT	Source Port number'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Service name from /etc/services or port number. May'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# only be specified if the protocol is TCP or UDP (6'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# or 17).'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# In all of the above columns except ACTION and CHAIN, the values "-",'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# "any" and "all" may be used as wildcards'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# Please see http://shorewall.net/Accounting.html for examples and'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# additional information about how to use this file.'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x#ACTION = xINCLUDE ']'
+ echo '#ACTION CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# PORT		PORT'
+ read first rest
+ '[' x# = xINCLUDE ']'
+ echo '# '
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'
+ read first rest
+ cut -d# -f1
+ grep -v '^[[:space:]]*$'
+ read action chain source dest proto port sport
+ havechain accounting
++ chain_base accounting
++ local c=accounting
++ true
++ echo accounting
++ return
+ local c=accounting
+ eval test '"$exists_accounting"' = Yes
++ test '' = Yes
+ run_iptables -A INPUT -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -A INPUT -p '!' icmp -m state --state INVALID -j DROP
+ iptables -A INPUT -p '!' icmp -m state --state INVALID -j DROP
+ run_iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+ run_iptables -A OUTPUT -p '!' icmp -m state --state INVALID -j DROP
+ iptables -A OUTPUT -p '!' icmp -m state --state INVALID -j DROP
+ run_iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ run_iptables -A FORWARD -p '!' icmp -m state --state INVALID -j DROP
+ iptables -A FORWARD -p '!' icmp -m state --state INVALID -j DROP
+ '[' -n '' ']'
+ '[' -z Yes ']'
+ createchain icmpdef no
++ chain_base icmpdef
++ local c=icmpdef
++ true
++ echo icmpdef
++ return
+ local c=icmpdef
+ run_iptables -N icmpdef
+ iptables -N icmpdef
+ '[' no = yes ']'
+ eval exists_icmpdef=Yes
++ exists_icmpdef=Yes
+ createchain reject no
++ chain_base reject
++ local c=reject
++ true
++ echo reject
++ return
+ local c=reject
+ run_iptables -N reject
+ iptables -N reject
+ '[' no = yes ']'
+ eval exists_reject=Yes
++ exists_reject=Yes
+ createchain dynamic no
++ chain_base dynamic
++ local c=dynamic
++ true
++ echo dynamic
++ return
+ local c=dynamic
+ run_iptables -N dynamic
+ iptables -N dynamic
+ '[' no = yes ']'
+ eval exists_dynamic=Yes
++ exists_dynamic=Yes
+ createchain smurfs no
++ chain_base smurfs
++ local c=smurfs
++ true
++ echo smurfs
++ return
+ local c=smurfs
+ run_iptables -N smurfs
+ iptables -N smurfs
+ '[' no = yes ']'
+ eval exists_smurfs=Yes
++ exists_smurfs=Yes
+ '[' -f /var/lib/shorewall/save ']'
+ '[' -n Yes ']'
+ state=-m state --state NEW
+ echo 'Creating Interface Chains...'
++ forward_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_fwd
+ createchain eth1_fwd no
++ chain_base eth1_fwd
++ local c=eth1_fwd
++ true
++ echo eth1_fwd
++ return
+ local c=eth1_fwd
+ run_iptables -N eth1_fwd
+ iptables -N eth1_fwd
+ '[' no = yes ']'
+ eval exists_eth1_fwd=Yes
++ exists_eth1_fwd=Yes
++ forward_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_fwd
+ run_iptables -A eth1_fwd -m state --state NEW -j dynamic
+ iptables -A eth1_fwd -m state --state NEW -j dynamic
++ input_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_in
+ createchain eth1_in no
++ chain_base eth1_in
++ local c=eth1_in
++ true
++ echo eth1_in
++ return
+ local c=eth1_in
+ run_iptables -N eth1_in
+ iptables -N eth1_in
+ '[' no = yes ']'
+ eval exists_eth1_in=Yes
++ exists_eth1_in=Yes
++ input_chain eth1
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ echo eth1_in
+ run_iptables -A eth1_in -m state --state NEW -j dynamic
+ iptables -A eth1_in -m state --state NEW -j dynamic
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_fwd
+ createchain eth0_fwd no
++ chain_base eth0_fwd
++ local c=eth0_fwd
++ true
++ echo eth0_fwd
++ return
+ local c=eth0_fwd
+ run_iptables -N eth0_fwd
+ iptables -N eth0_fwd
+ '[' no = yes ']'
+ eval exists_eth0_fwd=Yes
++ exists_eth0_fwd=Yes
++ forward_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_fwd
+ run_iptables -A eth0_fwd -m state --state NEW -j dynamic
+ iptables -A eth0_fwd -m state --state NEW -j dynamic
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_in
+ createchain eth0_in no
++ chain_base eth0_in
++ local c=eth0_in
++ true
++ echo eth0_in
++ return
+ local c=eth0_in
+ run_iptables -N eth0_in
+ iptables -N eth0_in
+ '[' no = yes ']'
+ eval exists_eth0_in=Yes
++ exists_eth0_in=Yes
++ input_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ echo eth0_in
+ run_iptables -A eth0_in -m state --state NEW -j dynamic
+ iptables -A eth0_in -m state --state NEW -j dynamic
+ echo 'Configuring Proxy ARP'
+ setup_proxy_arp
+ read address interface external haveroute persistent
++ find_interfaces_by_option proxyarp
+++ chain_base eth1
+++ local c=eth1
+++ true
+++ echo eth1
+++ return
++ eval 'options=$eth1_options'
+++ options=
++ list_search proxyarp
++ local e=proxyarp
++ '[' 1 -gt 1 ']'
++ return 1
+++ chain_base eth0
+++ local c=eth0
+++ true
+++ echo eth0
+++ return
++ eval 'options=$eth0_options'
+++ options=
++ list_search proxyarp
++ local e=proxyarp
++ '[' 1 -gt 1 ']'
++ return 1
+ interfaces=
+ echo 'Setting up NAT...'
+ setup_nat
+ local allints
+ read external interface internal allints localnat
+ expandv external interface internal allints localnat
+ local varval
+ '[' 5 -gt 0 ']'
+ eval 'varval=$external'
++ varval=129.246.226.136
+ eval 'external="129.246.226.136"'
++ external=129.246.226.136
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$interface'
++ varval=eth1:136
+ eval 'interface="eth1:136"'
++ interface=eth1:136
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$internal'
++ varval=192.168.0.136
+ eval 'internal="192.168.0.136"'
++ internal=192.168.0.136
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$allints'
++ varval=yes
+ eval 'allints="yes"'
++ allints=yes
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$localnat'
++ varval=yes
+ eval 'localnat="yes"'
++ localnat=yes
+ shift
+ '[' 0 -gt 0 ']'
+ iface=eth1
+ '[' -n Yes ']'
+ qt ip addr del 129.246.226.136 dev eth1
+ ip addr del 129.246.226.136 dev eth1
+ '[' -z yes -o yes = Yes -o yes = yes ']'
+ addnatrule nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ ensurenatchain nat_in
+ havenatchain nat_in
+ eval test '"$exists_nat_nat_in"' = Yes
++ test '' = Yes
+ createnatchain nat_in
+ run_iptables -t nat -N nat_in
+ iptables -t nat -N nat_in
+ eval exists_nat_nat_in=Yes
++ exists_nat_nat_in=Yes
+ run_iptables2 -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ '[' 'x-t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136' = 'x-t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136' ']'
+ run_iptables -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ iptables -t nat -A nat_in -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ return
+ addnatrule nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136
+ ensurenatchain nat_out
+ havenatchain nat_out
+ eval test '"$exists_nat_nat_out"' = Yes
++ test '' = Yes
+ createnatchain nat_out
+ run_iptables -t nat -N nat_out
+ iptables -t nat -N nat_out
+ eval exists_nat_nat_out=Yes
++ exists_nat_nat_out=Yes
+ run_iptables2 -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136
+ '[' 'x-t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136' = 'x-t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136' ']'
+ run_iptables -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136
+ iptables -t nat -A nat_out -s 192.168.0.136 -j SNAT --to-source 129.246.226.136
+ return
+ '[' yes = Yes -o yes = yes ']'
+ run_iptables2 -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ '[' 'x-t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136' = 'x-t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136' ']'
+ run_iptables -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
+ iptables -t nat -A OUTPUT -d 129.246.226.136 -j DNAT --to-destination 192.168.0.136
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x

