From 011345f9b6f390b270d38045e87456cd5bce5a55 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 7 Jun 2006 15:26:06 +0000
Subject: [PATCH] Update the samples for 3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4012 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 24 +++++++++++++++-------
 Samples/one-interface/policy | 7 ++++++-
 Samples/one-interface/zones | 32 +++++++++++++++++++++--------
 Samples/three-interfaces/interfaces | 24 +++++++++++++++-------
 Samples/three-interfaces/masq | 11 +++++++---
 Samples/three-interfaces/policy | 7 ++++++-
 Samples/three-interfaces/zones | 28 +++++++++++++++++++------
 Samples/two-interfaces/interfaces | 24 +++++++++++++++-------
 Samples/two-interfaces/masq | 11 +++++++---
 Samples/two-interfaces/policy | 7 ++++++-
 Samples/two-interfaces/zones | 28 +++++++++++++++++++------
 11 files changed, 152 insertions(+), 51 deletions(-)

diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 233baf5e6..ad3a85ecc 100644
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 # Example:
 #
-# loc eth1 -
+# loc eth1 -
 # loc eth2 -
 #
 # INTERFACE Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 # addresses on multiple subnets then list the broadcast
 # addresses as a comma-separated list.
 #
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
+# If you use the special value "detect", Shorewall
+# will detect the broadcast address(es) for you. If you
 # select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
+# the firewall is started.
 #
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
 # (i.e., private or "non-routable"
-# addresses. If packet mangling or
+# addresses). If packet mangling or
 # connection-tracking match is enabled in
 # your kernel, packets whose destination
 # addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 # in the ZONE column to include only those
 # hosts routed through the interface.
 #
+# sourceroute - If this option is not specified for an
+# interface, then source-routed packets
+# will not be accepted from that
+# interface (sets /proc/sys/net/ipv4/
+# conf//
+# accept_source_route to 1).
+# Only set this option if you know what
+# you are you doing. This might represent
+# a security risk and is not usually
+# needed.
+#
 # upnp - Incoming requests from this interface
 # may be remapped via UPNP (upnpd).
 #
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index 20bead989..0ca7ec3a9 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
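Review bot: The new `sourceroute` description in the `@@ -188,6 +187,17 @@` hunk is self-contradictory: it says that when the option is *not* given source-routed packets are not accepted, yet the parenthetical says this sets `accept_source_route` to 1, which is the kernel value that accepts them, so the parenthetical presumably describes what specifying the option does; the path has also lost the interface-name placeholder between its two slashes (`conf//`). Suggested wording for the opening lines: `sourceroute - If this option is specified, source-routed packets are accepted on the interface (sets /proc/sys/net/ipv4/conf/<interface>/accept_source_route to 1); if it is omitted they are not accepted.` — confirm against the compiler what it writes for an interface where the option is absent. There is also a typo, `you are you doing` → `you are doing`. The identical text is added in Samples/three-interfaces/interfaces and Samples/two-interfaces/interfaces and should be fixed there too.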
@@ -27,6 +27,11 @@
 # entry in this file. The overriding entry must be explicit (cannot use
 # "all" in the SOURCE or DEST).
 #
+# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+# the implicit policy to/from any sub-zone is CONTINUE. These implicit
+# CONTINUE policies may also be overridden by an explicit entry in this
+# file.
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index 88925c60c..efd36577e 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for one-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-# This file determines your network zones.
+# This file declares your network zones. You specify the hosts in
+# each zone through entries in /etc/shorewall/interfaces or
+# /etc/shorewall/hosts.
+#
+# WARNING: The format of this file changed in Shorewall 3.0.0. You can
+# continue to use your old records provided that you set
+# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+# signal Shorewall that the IPSEC-related zone options are
+# still specified in /etc/shorewall/ipsec rather than in this
+# file.
+#
+# To use records in the format described below, you must have
+# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 # b ipv4
 # c:a,b ipv4
 #
-# Currently, Shorewall uses this information only to reorder the
+# Currently, Shorewall uses this information to reorder the
 # zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
+# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+# also create implicit CONTINUE policies to/from the subzone.
+#
+# In the future, Shorewall may make additional use
+# of nesting information.
 #
 # TYPE ipv4 - This is the standard Shorewall zone type and is the
 # default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 # strict Means that packets must match all rules.
 #
 # next Separates rules; can only be used with
-# strict..
+# strict
 #
 # Example:
 # mode=transport,reqid=44
@@ -91,10 +107,8 @@
 # If you wish to leave a column empty but need to make an entry
 # in a following column, use "-".
 #
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
-# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
-# See http://www.shorewall.net/Documentation.htm#Nested
 ###############################################################################
 #ZONE TYPE OPTIONS IN OUT
 # OPTIONS OPTIONS
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index a0a5239da..d85ff5bcd 100644
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 # Example:
 #
-# loc eth1 -
+# loc eth1 -
 # loc eth2 -
 #
 # INTERFACE Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 # addresses on multiple subnets then list the broadcast
 # addresses as a comma-separated list.
 #
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
+# If you use the special value "detect", Shorewall
+# will detect the broadcast address(es) for you. If you
 # select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
+# the firewall is started.
 #
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
 # (i.e., private or "non-routable"
-# addresses. If packet mangling or
+# addresses). If packet mangling or
 # connection-tracking match is enabled in
 # your kernel, packets whose destination
 # addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 # in the ZONE column to include only those
 # hosts routed through the interface.
 #
+# sourceroute - If this option is not specified for an
+# interface, then source-routed packets
+# will not be accepted from that
+# interface (sets /proc/sys/net/ipv4/
+# conf//
+# accept_source_route to 1).
+# Only set this option if you know what
+# you are you doing. This might represent
+# a security risk and is not usually
+# needed.
+#
 # upnp - Incoming requests from this interface
 # may be remapped via UPNP (upnpd).
 #
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index 8cb1f1607..0fd0771a9 100644
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Masq file for three-interface configuration.
+# Shorewall version 3.2 - Sample Masq file for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -15,6 +15,10 @@
 # Use this file to define dynamic NAT (Masquerading) and to define
 # Source NAT (SNAT).
 #
+# WARNING: The entries in this file are order-sensitive. The first
+# entry that matches a particular connection will be the one that
+# is used.
+#
 # WARNING: If you have more than one ISP, adding entries to this
 # file will *not* force connections to go out through a particular
 # ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
@@ -55,8 +59,9 @@
 #
 # SUBNET -- Subnet that you wish to masquerade. You can specify this as
 # a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
+# interface, the interface must be up before you start the
+# firewall (Shorewall will use your main routing table to
+# determine the appropriate subnet(s) to masquerade).
 #
 # In order to exclude a subset of the specified SUBNET, you
 # may append "!" and a comma-separated list of IP addresses
diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy
index 3fc6f9a16..e24893f04 100644
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for three-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -27,6 +27,11 @@
 # entry in this file. The overriding entry must be explicit (cannot use
 # "all" in the SOURCE or DEST).
 #
+# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+# the implicit policy to/from any sub-zone is CONTINUE. These implicit
+# CONTINUE policies may also be overridden by an explicit entry in this
+# file.
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones
index a596ccf5d..31a0a209e 100644
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for three-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-# This file determines your network zones.
+# This file declares your network zones. You specify the hosts in
+# each zone through entries in /etc/shorewall/interfaces or
+# /etc/shorewall/hosts.
+#
+# WARNING: The format of this file changed in Shorewall 3.0.0. You can
+# continue to use your old records provided that you set
+# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+# signal Shorewall that the IPSEC-related zone options are
+# still specified in /etc/shorewall/ipsec rather than in this
+# file.
+#
+# To use records in the format described below, you must have
+# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 # b ipv4
 # c:a,b ipv4
 #
-# Currently, Shorewall uses this information only to reorder the
+# Currently, Shorewall uses this information to reorder the
 # zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
+# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+# also create implicit CONTINUE policies to/from the subzone.
+#
+# In the future, Shorewall may make additional use
+# of nesting information.
 #
 # TYPE ipv4 - This is the standard Shorewall zone type and is the
 # default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 # strict Means that packets must match all rules.
 #
 # next Separates rules; can only be used with
-# strict..
+# strict
 #
 # Example:
 # mode=transport,reqid=44
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index cda14fa55..696e09952 100644
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
+# Shorewall version 3.2 - Sample Interfaces File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -30,7 +30,7 @@
 #
 # Example:
 #
-# loc eth1 -
+# loc eth1 -
 # loc eth2 -
 #
 # INTERFACE Name of interface. Each interface may be listed only
@@ -51,11 +51,10 @@
 # addresses on multiple subnets then list the broadcast
 # addresses as a comma-separated list.
 #
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
+# If you use the special value "detect", Shorewall
+# will detect the broadcast address(es) for you. If you
 # select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
+# the firewall is started.
 #
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
@@ -81,7 +80,7 @@
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
 # (i.e., private or "non-routable"
-# addresses. If packet mangling or
+# addresses). If packet mangling or
 # connection-tracking match is enabled in
 # your kernel, packets whose destination
 # addresses are reserved by RFC 1918 are
@@ -188,6 +187,17 @@
 # in the ZONE column to include only those
 # hosts routed through the interface.
 #
+# sourceroute - If this option is not specified for an
+# interface, then source-routed packets
+# will not be accepted from that
+# interface (sets /proc/sys/net/ipv4/
+# conf//
+# accept_source_route to 1).
+# Only set this option if you know what
+# you are you doing. This might represent
+# a security risk and is not usually
+# needed.
+#
 # upnp - Incoming requests from this interface
 # may be remapped via UPNP (upnpd).
 #
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index e24fdb051..6d7f649f5 100644
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
+# Shorewall version 3.2 - Sample Masq file for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -15,6 +15,10 @@
 # Use this file to define dynamic NAT (Masquerading) and to define
 # Source NAT (SNAT).
 #
+# WARNING: The entries in this file are order-sensitive. The first
+# entry that matches a particular connection will be the one that
+# is used.
+#
 # WARNING: If you have more than one ISP, adding entries to this
 # file will *not* force connections to go out through a particular
 # ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
@@ -55,8 +59,9 @@
 #
 # SUBNET -- Subnet that you wish to masquerade. You can specify this as
 # a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
+# interface, the interface must be up before you start the
+# firewall (Shorewall will use your main routing table to
+# determine the appropriate subnet(s) to masquerade).
 #
 # In order to exclude a subset of the specified SUBNET, you
 # may append "!" and a comma-separated list of IP addresses
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 2be3040f9..e1d8b7ca8 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
+# Shorewall version 3.2 - Sample Policy File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -27,6 +27,11 @@
 # entry in this file. The overriding entry must be explicit (cannot use
 # "all" in the SOURCE or DEST).
 #
+# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
+# the implicit policy to/from any sub-zone is CONTINUE. These implicit
+# CONTINUE policies may also be overridden by an explicit entry in this
+# file.
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index ebb1bcaed..f8add5423 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
+# Shorewall version 3.2 - Sample Zones File for two-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -12,7 +12,20 @@
 #
 # /etc/shorewall/zones
 #
-# This file determines your network zones.
+# This file declares your network zones. You specify the hosts in
+# each zone through entries in /etc/shorewall/interfaces or
+# /etc/shorewall/hosts.
+#
+# WARNING: The format of this file changed in Shorewall 3.0.0. You can
+# continue to use your old records provided that you set
+# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
+# signal Shorewall that the IPSEC-related zone options are
+# still specified in /etc/shorewall/ipsec rather than in this
+# file.
+#
+# To use records in the format described below, you must have
+# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
+# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
 #
 # Columns are:
 #
@@ -33,10 +46,13 @@
 # b ipv4
 # c:a,b ipv4
 #
-# Currently, Shorewall uses this information only to reorder the
+# Currently, Shorewall uses this information to reorder the
 # zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
+# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
+# also create implicit CONTINUE policies to/from the subzone.
+#
+# In the future, Shorewall may make additional use
+# of nesting information.
 #
 # TYPE ipv4 - This is the standard Shorewall zone type and is the
 # default if you leave this column empty or if you enter
@@ -78,7 +94,7 @@
 # strict Means that packets must match all rules.
 #
 # next Separates rules; can only be used with
-# strict..
+# strict
 #
 # Example:
 # mode=transport,reqid=44