shorewall_code/Shorewall/rules

#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules 
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
#	In most places where an IP address or subnet is allowed, you
#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#
#	If any of the following columns contain the word "none" then the rule
#	is ignored:
#
#		PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.
#
# Columns are:
#
#
#	RESULT		ACCEPT, DROP or REJECT
#
#				ACCEPT -- allow the connection request
#				DROP   -- ignore the request
#				REJECT -- disallow the request and return an
#					  icmp-unreachable packet.
#
#			May optionally be followed by ":" and a syslog log
#			level (e.g, REJECT:info). This causes the packet to be
#			logged at the specified level.
#
#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
#			in /etc/shorewall/zones or $FW to indicate the
#			firewall itself.
#
#			Clients may be further restricted to a list of subnets
#			and/or hosts by appending ":" and a comma-separated
#			list of subnets and/or hosts. Hosts may be specified 
#			by IP or MAC address; mac addresses must begin with
#			"~" and must use "-" as a separator.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			loc:192.168.1.1,192.168.1.2
#						Hosts 192.168.1.1 and
#						192.168.1.2 in the local zone.
#			loc:~00-A0-C9-15-39-78  Host in the local zone with 
#                                               MAC address 00:A0:C9:15:39:78.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" followed by the interface name. For
#			example, loc:eth1 specifies a client that
#			communicates with the firewall system through eth1.
#
#	SERVER		Location of Server. May be a zone defined in
#			/etc/shorewall/zones or $FW to indicate the firewall
#			itself.
#
#			The server may be further restricted to a particular
#			subnet, host or interface by appending ":" and the
#			subnet, host or interface. See above.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modifiy the
#			destination port.
#
#			Example: loc:192.168.1.3:8080 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			8080. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
#			"all" or "related". If "related", the remainder of the
#			entry must be omitted and connection requests that are
#			related to existing requests will be accepted.
#
#	PORT(S)		Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following ields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#	ADDRESS		(0ptional) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the SERVER column.
#
#			If the special value "all" is used, then requests from
#			the client zone given in the CLIENT(s) column with the
#			destination port given in PORT(s) will be forwarded to
#			the IP address given in SERVER. The value "all" is
#			intended to be used when your internet IP address is
#			dynamic and you want to do port forwarding or you want
#			to do proxy redirection. IT SHOULD NOT BE USED IN ANY
#			OTHER SITUATION.
#
#			The address (or "all") may optionally be followed by
#			a colon (":") an an IP address. This causes Shorewall
#			to use the specified IP address as the source address
#			in forwarded packets. See the Shorewall documentation
#			for restrictions concerning this feature. If no source
#			IP address is given, the original source address is not
#			altered.
#
#	Example: Forward all ssh and http connection requests from the internet
#		 to local system 192.168.1.3
#
#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	 CLIENT PORT(S) ADDRESS
#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,http -	        all
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 8080 on the firewall (Squid running on the firewall
#		 system)except when the destination address is 192.168.2.2
#
#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
#	ACCEPT	loc	$FW::8080  tcp	www	 -		!192.168.2.2
##############################################################################
#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
#
# Allow SSH from the local network
#
ACCEPT		loc	  $FW		tcp	ssh
#
# Allow SSH and Auth from the internet
#
ACCEPT		net	  $FW		tcp	ssh,auth
#
# Run an NTP daemon on the firewall that is synced with outside sources
#
ACCEPT		$FW	  net		udp	ntp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Initial revision git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@10 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2002-05-01 01:13:15 +02:00			`#`
			`# Shorewall version 1.2 - Rules File`
			`#`
			`# /etc/shorewall/rules`
			`#`
			`# Rules in this file govern connection establishment. Requests and`
			`# responses are automatically allowed using connection tracking.`
			`#`
			`# In most places where an IP address or subnet is allowed, you`
			`# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to`
			`# indicate that the rule matches all addresses except the address/subnet`
			`# given. Notice that no white space is permitted between "!" and the`
			`# address/subnet.`
			`#`
			`# If any of the following columns contain the word "none" then the rule`
			`# is ignored:`
			`#`
			`# PORT(S), CLIENT PORT(S), CLIENT(S) and SERVER.`
			`#`
			`# Columns are:`
			`#`
			`#`
			`# RESULT ACCEPT, DROP or REJECT`
			`#`
			`# ACCEPT -- allow the connection request`
			`# DROP -- ignore the request`
			`# REJECT -- disallow the request and return an`
			`# icmp-unreachable packet.`
			`#`
			`# May optionally be followed by ":" and a syslog log`
			`# level (e.g, REJECT:info). This causes the packet to be`
			`# logged at the specified level.`
			`#`
			`# CLIENT(S) Hosts permitted to be clients. May be a zone defined`
			`# in /etc/shorewall/zones or $FW to indicate the`
			`# firewall itself.`
			`#`
			`# Clients may be further restricted to a list of subnets`
			`# and/or hosts by appending ":" and a comma-separated`
			`# list of subnets and/or hosts. Hosts may be specified`
			`# by IP or MAC address; mac addresses must begin with`
			`# "~" and must use "-" as a separator.`
			`#`
			`# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ`
			`#`
			`# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the`
			`# Internet`
			`#`
			`# loc:192.168.1.1,192.168.1.2`
			`# Hosts 192.168.1.1 and`
			`# 192.168.1.2 in the local zone.`
			`# loc:~00-A0-C9-15-39-78 Host in the local zone with`
			`# MAC address 00:A0:C9:15:39:78.`
			`#`
			`# Alternatively, clients may be specified by interface`
			`# by appending ":" followed by the interface name. For`
			`# example, loc:eth1 specifies a client that`
			`# communicates with the firewall system through eth1.`
			`#`
			`# SERVER Location of Server. May be a zone defined in`
			`# /etc/shorewall/zones or $FW to indicate the firewall`
			`# itself.`
			`#`
			`# The server may be further restricted to a particular`
			`# subnet, host or interface by appending ":" and the`
			`# subnet, host or interface. See above.`
			`#`
			`# The port that the server is listening on may be`
			`# included and separated from the server's IP address by`
			`# ":". If omitted, the firewall will not modifiy the`
			`# destination port.`
			`#`
			`# Example: loc:192.168.1.3:8080 specifies a local`
			`# server at IP address 192.168.1.3 and listening on port`
			`# 8080. The port number MUST be specified as an integer`
			`# and not as a name from /etc/services.`
			`#`
			`# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,`
			`# "all" or "related". If "related", the remainder of the`
			`# entry must be omitted and connection requests that are`
			`# related to existing requests will be accepted.`
			`#`
			`# PORT(S) Destination Ports. A comma-separated list of Port`
			`# names (from /etc/services), port numbers or port`
			`# ranges; if the protocol is "icmp", this column is`
			`# interpreted as the destination icmp-type(s).`
			`#`
			`# This column is ignored if PROTOCOL = all but must be`
			`# entered if any of the following ields are supplied.`
			`# In that case, it is suggested that this field contain`
			`# "-"`
			`#`
			`# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,`
			`# any source port is acceptable. Specified as a comma-`
			`# separated list of port names, port numbers or port`
			`# ranges.`
			`#`
			`# If you don't want to restrict client ports but need to`
			`# specify an ADDRESS in the next column, then place "-"`
			`# in this column.`
			`#`
			`# ADDRESS (0ptional) If included and different from the IP`
			`# address given in the SERVER column, this is an address`
			`# on some interface on the firewall and connections to`
			`# that address will be forwarded to the IP and port`
			`# specified in the SERVER column.`
			`#`
			`# If the special value "all" is used, then requests from`
			`# the client zone given in the CLIENT(s) column with the`
			`# destination port given in PORT(s) will be forwarded to`
			`# the IP address given in SERVER. The value "all" is`
			`# intended to be used when your internet IP address is`
			`# dynamic and you want to do port forwarding or you want`
			`# to do proxy redirection. IT SHOULD NOT BE USED IN ANY`
			`# OTHER SITUATION.`
			`#`
			`# The address (or "all") may optionally be followed by`
			`# a colon (":") an an IP address. This causes Shorewall`
			`# to use the specified IP address as the source address`
			`# in forwarded packets. See the Shorewall documentation`
			`# for restrictions concerning this feature. If no source`
			`# IP address is given, the original source address is not`
			`# altered.`
			`#`
			`# Example: Forward all ssh and http connection requests from the internet`
			`# to local system 192.168.1.3`
			`#`
			`# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS`
			`# ACCEPT net loc:192.168.1.3 tcp ssh,http - all`
			`#`
			`# Example: Redirect all locally-originating www connection requests to`
			`# port 8080 on the firewall (Squid running on the firewall`
			`# system)except when the destination address is 192.168.2.2`
			`#`
			`# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS`
			`# ACCEPT loc $FW::8080 tcp www - !192.168.2.2`
			`##############################################################################`
			`#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS`
			`#`
			`# Allow SSH from the local network`
			`#`
			`ACCEPT loc $FW tcp ssh`
			`#`
			`# Allow SSH and Auth from the internet`
			`#`
			`ACCEPT net $FW tcp ssh,auth`
			`#`
			`# Run an NTP daemon on the firewall that is synced with outside sources`
			`#`
			`ACCEPT $FW net udp ntp`
			`#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE`