2002-06-21 02:44:49 +02:00
|
|
|
##############################################################################
|
|
|
|
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
|
|
|
|
# match your setup
|
|
|
|
#
|
|
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
|
|
#
|
|
|
|
# This file should be placed in /etc/shorewall
|
|
|
|
#
|
|
|
|
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
|
|
|
##############################################################################
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# NAME OF THE FIREWALL ZONE
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
|
|
|
# is assumed.
|
|
|
|
#
|
|
|
|
FW=fw
|
|
|
|
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# SUBSYSTEM LOCK FILE
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
# Set this to the name of the lock file expected by your init scripts. For
|
|
|
|
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
|
|
|
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
2002-08-06 22:30:45 +02:00
|
|
|
# set this to "".
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
|
|
|
|
SUBSYSLOCK=/var/run/shorewall
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# SHOREWALL TEMPORARY STATE DIRECTORY
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
# This is the directory where the firewall maintains state information while
|
|
|
|
# it is running
|
|
|
|
#
|
|
|
|
|
|
|
|
STATEDIR=/tmp/shorewall
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# ALLOW RELATED CONNECTIONS
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Set this to "yes" or "Yes" if you want to accept all connection requests
|
|
|
|
# that are related to already established connections. For example, you want
|
|
|
|
# to accept FTP data connections. If you say "no" here, then to accept
|
|
|
|
# these connections between particular zones or hosts, you must include
|
|
|
|
# explicit "related" rules in /etc/shorewall/rules.
|
|
|
|
#
|
|
|
|
|
|
|
|
ALLOWRELATED=yes
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# KERNEL MODULE DIRECTORY
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# If your netfilter kernel modules are in a directory other than
|
|
|
|
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
|
|
|
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
|
|
|
|
|
|
|
MODULESDIR=
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# LOG RATE LIMITING
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# The next two variables can be used to control the amount of log output
|
|
|
|
# generated. LOGRATE is expressed as a number followed by an optional
|
|
|
|
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
|
|
|
# rate at which a particular message will occur. LOGBURST determines the
|
|
|
|
# maximum initial burst size that will be logged. If set empty, the default
|
|
|
|
# value of 5 will be used.
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# Example:
|
|
|
|
#
|
|
|
|
# LOGRATE=10/minute
|
|
|
|
# LOGBURST=5
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
# If BOTH variables are set empty then logging will not be rate-limited.
|
|
|
|
#
|
|
|
|
|
|
|
|
LOGRATE=
|
|
|
|
LOGBURST=
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# This variable determines the level at which Mangled/Invalid packets are logged
|
|
|
|
# under the 'dropunclean' interface option. If you set this variable to an
|
|
|
|
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
|
|
|
# silently.
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# The value of this variable also determines the level at which Mangled/Invalid
|
|
|
|
# packets are logged under the 'logunclean' interface option. If the variable
|
|
|
|
# is empty, these packets will still be logged at the 'info' level.
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
|
|
|
|
LOGUNCLEAN=info
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# LOG FILE LOCATION
|
|
|
|
#
|
2002-06-21 02:44:49 +02:00
|
|
|
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
|
|
|
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
|
|
|
# /var/log/messages is assumed.
|
|
|
|
#
|
|
|
|
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
|
|
|
# look for Shorewall messages.It does NOT control the destination for
|
|
|
|
# these messages. For information about how to do that, see
|
|
|
|
#
|
|
|
|
# http://www.shorewall.net/FAQ.htm#faq6
|
|
|
|
|
|
|
|
LOGFILE=/var/log/messages
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# ENABLE NAT SUPPORT
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# You probally want yes here. Only gateways not doing NAT in any form, like
|
|
|
|
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
|
|
|
|
#
|
|
|
|
NAT_ENABLED=Yes
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# ENABLE MANGLE SUPPORT
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
|
|
|
|
# and will not initialize the mangle table when starting or stopping
|
|
|
|
# your firewall. You must enable mangling if you want Traffic Shaping
|
|
|
|
# (see TC_ENABLED below).
|
|
|
|
#
|
|
|
|
MANGLE_ENABLED=Yes
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# ENABLE IP FORWARDING
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
|
|
|
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
|
|
|
# to disable packet forwarding if you are installing Shorewall on a
|
|
|
|
# standalone system or if you want all traffic through the Shorewall system
|
|
|
|
# to be handled by proxies.
|
|
|
|
#
|
|
|
|
# If you set this variable to "Keep" or "keep", Shorewall will neither
|
|
|
|
# enable nor disable packet forwarding.
|
|
|
|
#
|
|
|
|
IP_FORWARDING=On
|
2002-08-06 22:30:45 +02:00
|
|
|
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
2002-06-21 02:44:49 +02:00
|
|
|
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
|
|
|
# "No" or "no", you must add these aliases youself.
|
|
|
|
#
|
|
|
|
ADD_IP_ALIASES=Yes
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
2002-06-21 02:44:49 +02:00
|
|
|
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
|
|
|
# "No" or "no", you must add these aliases youself.
|
|
|
|
#
|
|
|
|
ADD_SNAT_ALIASES=No
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# ENABLE TRAFFIC SHAPING
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
|
|
|
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
|
|
|
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
|
|
|
# you must enable packet mangling above.
|
|
|
|
#
|
|
|
|
TC_ENABLED=No
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# BLACKLIST DISPOSITION
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Set this variable to the action that you want to perform on packets from
|
|
|
|
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
|
|
|
# DROP is assumed.
|
|
|
|
#
|
|
|
|
BLACKLIST_DISPOSITION=DROP
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# BLACKLIST LOG LEVEL
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Set this variable to the syslogd level that you want blacklist packets logged
|
|
|
|
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
|
|
|
# of blacklist packets occurs.
|
|
|
|
#
|
|
|
|
BLACKLIST_LOGLEVEL=
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# MSS CLAMPING
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
|
|
|
# option. This option is most commonly required when your internet
|
|
|
|
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
|
|
|
|
# have CONFIG_IP_NF_TARGET_TCPMSS set.
|
|
|
|
#
|
|
|
|
# [From the kernel help:
|
|
|
|
#
|
|
|
|
# This option adds a `TCPMSS' target, which allows you to alter the
|
|
|
|
# MSS value of TCP SYN packets, to control the maximum size for that
|
|
|
|
# connection (usually limiting it to your outgoing interface's MTU
|
|
|
|
# minus 40).
|
|
|
|
#
|
|
|
|
# This is used to overcome criminally braindead ISPs or servers which
|
|
|
|
# block ICMP Fragmentation Needed packets. The symptoms of this
|
|
|
|
# problem are that everything works fine from your Linux
|
|
|
|
# firewall/router, but machines behind it can never exchange large
|
|
|
|
# packets:
|
|
|
|
# 1) Web browsers connect, then hang with no data received.
|
|
|
|
# 2) Small mail works fine, but large emails hang.
|
|
|
|
# 3) ssh works fine, but scp hangs after initial handshaking.
|
|
|
|
# ]
|
|
|
|
#
|
|
|
|
# If left blank, or set to "No" or "no", the option is not enabled.
|
|
|
|
#
|
|
|
|
CLAMPMSS=No
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# ROUTE FILTERING
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
|
|
|
# interfaces (anti-spoofing measure).
|
|
|
|
#
|
|
|
|
# If this variable is not set or is set to the empty value, "No" is assumed.
|
2002-08-06 22:30:45 +02:00
|
|
|
# In that case, you can still enable route filtering on individual interfaces
|
|
|
|
# in the /etc/shorewall/interfaces file.
|
2002-06-21 02:44:49 +02:00
|
|
|
|
|
|
|
ROUTE_FILTER=No
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# NAT BEFORE RULES
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# Shorewall has traditionally processed static NAT rules before port forwarding
|
|
|
|
# rules. If you would like to reverse the order, set this variable to "No".
|
|
|
|
#
|
|
|
|
# If this variable is not set or is set to the empty value, "Yes" is assumed.
|
|
|
|
|
|
|
|
NAT_BEFORE_RULES=Yes
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
# MULTIPORT support
|
2002-06-21 02:44:49 +02:00
|
|
|
#
|
|
|
|
# If your kernel includes the multiport match option
|
|
|
|
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
|
|
|
|
# option is enabled by setting it's value to "Yes" or "yes":
|
|
|
|
#
|
|
|
|
# 1) If you list more that 15 ports in a comma-seperated list in
|
|
|
|
# /etc/shorewall/rules, Shorewall will not use the multiport option
|
|
|
|
# but will generate a separate rule for each element of each port
|
|
|
|
# list.
|
|
|
|
# 2) If you include a port range (<low port>:<high port>) in the
|
|
|
|
# rule, Shorewall will not use the multiport option but will generate
|
|
|
|
# a separate rule for each element of each port list.
|
|
|
|
#
|
|
|
|
# See the /etc/shorewall/rules file for additional information on this option.
|
|
|
|
#
|
|
|
|
# if this variable is not set or is set to the empty value, "No" is assumed.
|
|
|
|
|
|
|
|
MULTIPORT=No
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
# DNAT IP ADDRESS DETECTION
|
2002-07-13 17:20:10 +02:00
|
|
|
#
|
|
|
|
# Normally when Shorewall encounters the following rule:
|
|
|
|
#
|
|
|
|
# DNAT net loc:192.168.1.3 tcp 80
|
|
|
|
#
|
|
|
|
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
|
|
|
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
|
|
|
# convenient for two reasons:
|
|
|
|
#
|
|
|
|
# a) If the the network interface has a dynamic IP address, the
|
|
|
|
# firewall configuration will work even when the address
|
|
|
|
# changes.
|
|
|
|
#
|
|
|
|
# b) It saves having to configure the IP address in the rule
|
|
|
|
# while still allowing the firewall to be started before the
|
|
|
|
# internet interface is brought up.
|
|
|
|
#
|
|
|
|
# This default behavior can also have a negative effect. If the
|
|
|
|
# internet interface has more than one IP address then the above
|
|
|
|
# rule will forward connection requests on all of these addresses;
|
|
|
|
# that may not be what is desired.
|
|
|
|
#
|
|
|
|
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
|
|
|
# only if the original destination address is the primary IP address of
|
|
|
|
# one of the interfaces associated with the source zone. Note that this
|
|
|
|
# requires all interfaces to the source zone to be up when the firewall
|
|
|
|
# is [re]started.
|
|
|
|
|
|
|
|
DETECT_DNAT_IPADDRS=No
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# MERGE HOSTS FILE
|
2002-07-24 16:09:55 +02:00
|
|
|
#
|
|
|
|
# The traditional behavior of the /etc/shorewall/hosts file has been that
|
|
|
|
# if that file has ANY entry for a zone then the zone must be defined
|
|
|
|
# entirely in the hosts file. This is counter-intuitive and has caused
|
|
|
|
# people some problems.
|
|
|
|
#
|
|
|
|
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
|
|
|
|
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
|
|
|
|
# are added to the contents described in the /etc/shorewall/interfaces file.
|
|
|
|
#
|
|
|
|
# Example: Suppose that we have the following interfaces and hosts files:
|
|
|
|
#
|
|
|
|
# Interfaces:
|
|
|
|
#
|
|
|
|
# net eth0
|
|
|
|
# loc eth1
|
|
|
|
# - ppp+
|
|
|
|
#
|
|
|
|
# Hosts:
|
|
|
|
#
|
|
|
|
# loc ppp+:192.168.1.0/24
|
|
|
|
# wrk ppp+:!192.168.1.0/24
|
|
|
|
#
|
|
|
|
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
|
|
|
|
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
|
|
|
|
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
|
|
|
|
#
|
|
|
|
# If this variable is not set or is set to the empty value, "No" is assumed.
|
|
|
|
|
|
|
|
MERGE_HOSTS=Yes
|
|
|
|
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# MUTEX TIMEOUT
|
2002-07-24 16:09:55 +02:00
|
|
|
#
|
|
|
|
# The value of this variable determines the number of seconds that programs
|
|
|
|
# will wait for exclusive access to the Shorewall lock file. After the number
|
|
|
|
# of seconds corresponding to the value of this variable, programs will assume
|
|
|
|
# that the last program to hold the lock died without releasing the lock.
|
|
|
|
#
|
|
|
|
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
|
|
|
|
#
|
|
|
|
# An appropriate value for this parameter would be twice the length of time
|
|
|
|
# that it takes your firewall system to process a "shorewall restart" command.
|
|
|
|
|
|
|
|
MUTEX_TIMEOUT=60
|
|
|
|
|
2002-08-06 22:30:45 +02:00
|
|
|
#
|
|
|
|
# LOGGING 'New not SYN' rejects
|
|
|
|
#
|
2002-09-29 23:47:51 +02:00
|
|
|
# This variable only has an effect when NEWNOTSYN=No (see below).
|
|
|
|
#
|
2002-08-06 22:30:45 +02:00
|
|
|
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
|
|
|
# flags clear then unless the packet is part of an established connection,
|
|
|
|
# it will be rejected by the firewall. If you want these rejects logged,
|
|
|
|
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
|
|
|
#
|
|
|
|
# Example: LOGNEWNOTSYN=debug
|
|
|
|
|
|
|
|
|
|
|
|
LOGNEWNOTSYN=
|
|
|
|
|
2002-08-22 23:33:54 +02:00
|
|
|
#
|
|
|
|
# Forward "Ping"
|
|
|
|
#
|
|
|
|
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
|
|
|
# forwarded by the firewall.
|
|
|
|
|
|
|
|
FORWARDPING=Yes
|
|
|
|
|
2002-09-29 23:47:51 +02:00
|
|
|
#
|
|
|
|
# NEWNOTSYN
|
|
|
|
#
|
|
|
|
# If this variable is set to "No" or "no", then When a TCP packet that does
|
|
|
|
# not have the SYN flag set and the ACK and RST flags clear then unless the
|
|
|
|
# packet is part of an established connection, it will be dropped by the
|
|
|
|
# firewall
|
|
|
|
#
|
|
|
|
# If this variable is set to "Yes" or "yes" then such packets will not be
|
|
|
|
# dropped but will pass through the normal rule processing.
|
|
|
|
#
|
|
|
|
# Users with a High-availability setup with two firewall's and one acting
|
|
|
|
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
|
|
|
# also need to select NEWNOTSYN=Yes.
|
|
|
|
|
|
|
|
NEWNOTSYN=No
|
|
|
|
|
2002-06-21 02:44:49 +02:00
|
|
|
#LAST LINE -- DO NOT REMOVE
|