Update the samples for 3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4012 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 #			Example:
 #
-#				loc	eth1	-	
+#				loc	eth1	-
 #				loc	eth2	-
 #
 #	INTERFACE	Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 #			addresses on multiple subnets then list the broadcast
 #			addresses as a comma-separated list.
 #
-#			If you use the special value "detect", the firewall
-#			will detect the broadcast address for you. If you
+#			If you use the special value "detect", Shorewall
+#			will detect the broadcast address(es) for you. If you
 #			select this option, the interface must be up before
-#			the firewall is started, you must have iproute
-#			installed.
+#			the firewall is started.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses. If packet mangling or
+#				       addresses). If packet mangling or
 #				       connection-tracking match is enabled in
 #				       your kernel, packets whose destination
 #				       addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
+#			sourceroute  - If this option is not specified for an
+#				       interface, then source-routed packets
+#				       will not be accepted from that
+#				       interface (sets /proc/sys/net/ipv4/
+#				       conf/<interface>/
+#				       accept_source_route to 1).
+#				       Only set this option if you know what
+#				       you are you doing. This might represent
+#				       a security risk and is not usually
+#				       needed.
+#
 #			upnp	     - Incoming requests from this interface
 #				       may be remapped via UPNP (upnpd).
 #

Samples/one-interface/policy

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -27,6 +27,11 @@
 #	entry in this file. The overriding entry must be explicit (cannot use
 #	"all" in the SOURCE or DEST).
 #
+#       Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+#       the implicit policy to/from any sub-zone is CONTINUE. These implicit
+#       CONTINUE policies may also be overridden by an explicit entry in this
+#       file.
+#
 # Columns are:
 #
 #	SOURCE		Source zone. Must be the name of a zone defined

Samples/one-interface/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for one-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-#	This file determines your network zones.
+#	This file declares your network zones. You specify the hosts in
+#	each zone through entries in /etc/shorewall/interfaces or
+#	/etc/shorewall/hosts.
+#
+#	WARNING: The format of this file changed in Shorewall 3.0.0. You can
+#		 continue to use your old records provided that you set
+#		 IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+#		 signal Shorewall that the IPSEC-related zone options are
+#		 still specified in /etc/shorewall/ipsec rather than in this
+#		 file.
+#
+#		 To use records in the format described below, you must have
+#		 IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+#		 AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 #			b	  ipv4
 #			c:a,b     ipv4
 #
-#		Currently, Shorewall uses this information only to reorder the
+#		Currently, Shorewall uses this information to reorder the
 #		zone list so that parent zones appear after their subzones in
-#		the list. In the future, Shorewall may make more extensive use
-#		of that information.
+#		the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+#		also create implicit CONTINUE policies to/from the subzone.
+#
+#		In the future, Shorewall may make additional use
+#		of nesting information.
 #
 #	TYPE	ipv4 -	This is the standard Shorewall zone type and is the
 #			default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 #			strict	Means that packets must match all rules.
 #
 #			next	Separates rules; can only be used with
-#				strict..
+#				strict
 #
 #		Example:
 #			mode=transport,reqid=44
@@ -91,10 +107,8 @@
 #	If you wish to leave a column empty but need to make an entry
 #	in a following column, use "-".
 #
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
-# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
-# See http://www.shorewall.net/Documentation.htm#Nested
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 #			Example:
 #
-#				loc	eth1	-	
+#				loc	eth1	-
 #				loc	eth2	-
 #
 #	INTERFACE	Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 #			addresses on multiple subnets then list the broadcast
 #			addresses as a comma-separated list.
 #
-#			If you use the special value "detect", the firewall
-#			will detect the broadcast address for you. If you
+#			If you use the special value "detect", Shorewall
+#			will detect the broadcast address(es) for you. If you
 #			select this option, the interface must be up before
-#			the firewall is started, you must have iproute
-#			installed.
+#			the firewall is started.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses. If packet mangling or
+#				       addresses). If packet mangling or
 #				       connection-tracking match is enabled in
 #				       your kernel, packets whose destination
 #				       addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
+#			sourceroute  - If this option is not specified for an
+#				       interface, then source-routed packets
+#				       will not be accepted from that
+#				       interface (sets /proc/sys/net/ipv4/
+#				       conf/<interface>/
+#				       accept_source_route to 1).
+#				       Only set this option if you know what
+#				       you are you doing. This might represent
+#				       a security risk and is not usually
+#				       needed.
+#
 #			upnp	     - Incoming requests from this interface
 #				       may be remapped via UPNP (upnpd).
 #

Samples/three-interfaces/masq

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Masq file for three-interface configuration.
+# Shorewall version 3.2 - Sample Masq file for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -15,6 +15,10 @@
 #	Use this file to define dynamic NAT (Masquerading) and to define
 #	Source NAT (SNAT).
 #
+#	WARNING: The entries in this file are order-sensitive. The first
+#	entry that matches a particular connection will be the one that
+#	is used.
+#
 #	WARNING: If you have more than one ISP, adding entries to this
 #	file will *not* force connections to go out through a particular
 #	ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
@@ -55,8 +59,9 @@
 #
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
-#		  interface, you must have iproute installed and the interface
-#		  must be up before you start the firewall.
+#		  interface, the interface must be up before you start the
+#		  firewall (Shorewall will use your main routing table to
+#		  determine the appropriate subnet(s) to masquerade).
 #
 #		  In order to exclude a subset of the specified SUBNET, you
 #		  may append "!" and a comma-separated list of IP addresses

Samples/three-interfaces/policy

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for three-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -27,6 +27,11 @@
 #	entry in this file. The overriding entry must be explicit (cannot use
 #	"all" in the SOURCE or DEST).
 #
+#       Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+#       the implicit policy to/from any sub-zone is CONTINUE. These implicit
+#       CONTINUE policies may also be overridden by an explicit entry in this
+#       file.
+#
 # Columns are:
 #
 #	SOURCE		Source zone. Must be the name of a zone defined

Samples/three-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-#	This file determines your network zones.
+#	This file declares your network zones. You specify the hosts in
+#	each zone through entries in /etc/shorewall/interfaces or
+#	/etc/shorewall/hosts.
+#
+#	WARNING: The format of this file changed in Shorewall 3.0.0. You can
+#		 continue to use your old records provided that you set
+#		 IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+#		 signal Shorewall that the IPSEC-related zone options are
+#		 still specified in /etc/shorewall/ipsec rather than in this
+#		 file.
+#
+#		 To use records in the format described below, you must have
+#		 IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+#		 AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 #			b	  ipv4
 #			c:a,b     ipv4
 #
-#		Currently, Shorewall uses this information only to reorder the
+#		Currently, Shorewall uses this information to reorder the
 #		zone list so that parent zones appear after their subzones in
-#		the list. In the future, Shorewall may make more extensive use
-#		of that information.
+#		the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+#		also create implicit CONTINUE policies to/from the subzone.
+#
+#		In the future, Shorewall may make additional use
+#		of nesting information.
 #
 #	TYPE	ipv4 -	This is the standard Shorewall zone type and is the
 #			default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 #			strict	Means that packets must match all rules.
 #
 #			next	Separates rules; can only be used with
-#				strict..
+#				strict
 #
 #		Example:
 #			mode=transport,reqid=44

Samples/two-interfaces/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 #			Example:
 #
-#				loc	eth1	-	
+#				loc	eth1	-
 #				loc	eth2	-
 #
 #	INTERFACE	Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 #			addresses on multiple subnets then list the broadcast
 #			addresses as a comma-separated list.
 #
-#			If you use the special value "detect", the firewall
-#			will detect the broadcast address for you. If you
+#			If you use the special value "detect", Shorewall
+#			will detect the broadcast address(es) for you. If you
 #			select this option, the interface must be up before
-#			the firewall is started, you must have iproute
-#			installed.
+#			the firewall is started.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses. If packet mangling or
+#				       addresses). If packet mangling or
 #				       connection-tracking match is enabled in
 #				       your kernel, packets whose destination
 #				       addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
+#			sourceroute  - If this option is not specified for an
+#				       interface, then source-routed packets
+#				       will not be accepted from that
+#				       interface (sets /proc/sys/net/ipv4/
+#				       conf/<interface>/
+#				       accept_source_route to 1).
+#				       Only set this option if you know what
+#				       you are you doing. This might represent
+#				       a security risk and is not usually
+#				       needed.
+#
 #			upnp	     - Incoming requests from this interface
 #				       may be remapped via UPNP (upnpd).
 #

Samples/two-interfaces/masq

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
+# Shorewall version 3.2 - Sample Masq file for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -15,6 +15,10 @@
 #	Use this file to define dynamic NAT (Masquerading) and to define
 #	Source NAT (SNAT).
 #
+#	WARNING: The entries in this file are order-sensitive. The first
+#	entry that matches a particular connection will be the one that
+#	is used.
+#
 #	WARNING: If you have more than one ISP, adding entries to this
 #	file will *not* force connections to go out through a particular
 #	ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
@@ -55,8 +59,9 @@
 #
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
-#		  interface, you must have iproute installed and the interface
-#		  must be up before you start the firewall.
+#		  interface, the interface must be up before you start the
+#		  firewall (Shorewall will use your main routing table to
+#		  determine the appropriate subnet(s) to masquerade).
 #
 #		  In order to exclude a subset of the specified SUBNET, you
 #		  may append "!" and a comma-separated list of IP addresses

Samples/two-interfaces/policy

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -27,6 +27,11 @@
 #	entry in this file. The overriding entry must be explicit (cannot use
 #	"all" in the SOURCE or DEST).
 #
+#       Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+#       the implicit policy to/from any sub-zone is CONTINUE. These implicit
+#       CONTINUE policies may also be overridden by an explicit entry in this
+#       file.
+#
 # Columns are:
 #
 #	SOURCE		Source zone. Must be the name of a zone defined

Samples/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-#	This file determines your network zones.
+#	This file declares your network zones. You specify the hosts in
+#	each zone through entries in /etc/shorewall/interfaces or
+#	/etc/shorewall/hosts.
+#
+#	WARNING: The format of this file changed in Shorewall 3.0.0. You can
+#		 continue to use your old records provided that you set
+#		 IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+#		 signal Shorewall that the IPSEC-related zone options are
+#		 still specified in /etc/shorewall/ipsec rather than in this
+#		 file.
+#
+#		 To use records in the format described below, you must have
+#		 IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+#		 AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 #			b	  ipv4
 #			c:a,b     ipv4
 #
-#		Currently, Shorewall uses this information only to reorder the
+#		Currently, Shorewall uses this information to reorder the
 #		zone list so that parent zones appear after their subzones in
-#		the list. In the future, Shorewall may make more extensive use
-#		of that information.
+#		the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+#		also create implicit CONTINUE policies to/from the subzone.
+#
+#		In the future, Shorewall may make additional use
+#		of nesting information.
 #
 #	TYPE	ipv4 -	This is the standard Shorewall zone type and is the
 #			default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 #			strict	Means that packets must match all rules.
 #
 #			next	Separates rules; can only be used with
-#				strict..
+#				strict
 #
 #		Example:
 #			mode=transport,reqid=44