shorewall_code/Samples/three-interfaces/zones

120 lines
4.0 KiB
Plaintext
Raw Normal View History

#
# Shorewall version 3.2 - Sample Zones File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
#
# /etc/shorewall/zones
#
# This file declares your network zones. You specify the hosts in
# each zone through entries in /etc/shorewall/interfaces or
# /etc/shorewall/hosts.
#
# WARNING: The format of this file changed in Shorewall 3.0.0. You can
# continue to use your old records provided that you set
# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
# signal Shorewall that the IPSEC-related zone options are
# still specified in /etc/shorewall/ipsec rather than in this
# file.
#
# To use records in the format described below, you must have
# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# Where a zone is nested in one or more other zones,
# you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent
# zones must have been defined in earlier records in this
# file.
#
# Example:
#
# #ZONE TYPE OPTIONS
# a ipv4
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information to reorder the
# zone list so that parent zones appear after their subzones in
# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
# also create implicit CONTINUE policies to/from the subzone.
#
# In the future, Shorewall may make additional use
# of nesting information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
# "-" in the column. Communication with some zone hosts
# may be encrypted. Encrypted hosts are designated using
# the 'ipsec'option in /etc/shorewall/hosts.
# ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that you
# enter in the ZONE column will be stored in the shell
# variable $FW which you may use in other configuration
# files to designate the firewall zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE