Updated Samples For 1.4.7 Final Release Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@753 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
frannie 2003-10-06 20:20:34 +00:00
parent f30faa416f
commit 064c96e0d7
16 changed files with 242 additions and 57 deletions


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Interface File For One Interface
# Shorewall 1.4.7.7.7.7.7.7.7 -- Sample Interface File For One Interface
#
# /etc/shorewall/interfaces
#
@ -106,6 +106,13 @@
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if NEWNOTSYN=Yes
# arp_filter
# If specified, this interface will only respond
# to ARP who-has requests for IP addresses
# configured on the interface. If not specified,
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
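Review bot: The new header line reads `# Shorewall 1.4.7.7.7.7.7.7.7 -- Sample Interface File For One Interface`, while every other sample header in this commit is bumped to plain `1.4.7`; this looks like a paste error and should be `# Shorewall 1.4.7 -- Sample Interface File For One Interface`. In the added arp_filter description, `for IP addresses on any of the firewall's interface.` should read `interfaces.`; the same paragraph is added to the three-interface and two-interface interfaces files and needs the same fix there. The option list this paragraph belongs to continues past the end of the hunk.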


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Policy File For One Interface
# Shorewall 1.4.7 -- Sample Policy File For One Interface
#
# /etc/shorewall/policy
#
@ -75,5 +75,6 @@
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
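Review bot: The added marker `# The FOLLOWING POLICY MUST BE LAST` is capitalised differently from the same marker added to the three-interface and two-interface policy files (`# THE FOLLOWING POLICY MUST BE LAST`); use the all-caps form here as well so the three samples stay identical. From the hunk counts this comment appears to be the only new line, with the `all all REJECT info` catch-all it labels already present, so no policy behaviour changes.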


@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Sample Rules File For One Interface
# Shorewall version 1.4.7 - Sample Rules File For One Interface
#
# /etc/shorewall/rules
#
@ -55,9 +55,27 @@
# LOG
# Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
@ -207,6 +225,36 @@
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
#
# <rate>/<interval>[:<burst>]
#
# Where <rate> is the number of connections per <interval> ("sec"
# or "min") and <burst> is the largest burst permitted. If no
# <burst> is given, a value of 5 is assummed. There may be no
# whitespace embedded in the specification.
#
# Example:
# 10/sec:20
#
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
#
# Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
# DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
# Also by default all outbound fw -> net communications are allowed.
@ -214,17 +262,17 @@
#
# Example: Accept www requests to the one interface server.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT net fw tcp http
#
# Example: Redirect port 88 Internet traffic to fw port 80
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# REDIRECT net 80 tcp 88
#
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
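Review bot: The added NOTE under the ACTION column says `If you specify a value in that column you must include a rate limit in the action column.`, which contradicts the RATE LIMIT column text added in the same file: `If you place a rate limit in this column, you may not place a similiar limit in the ACTION column.` Presumably the NOTE is meant to say `you must not include a rate limit in the action column`; as written a reader cannot tell which of the two rules the parser enforces. The RATE LIMIT paragraph also misspells `assummed` and `similiar`, and the log-level examples write `e.g,` for `e.g.`. The identical text is added to the three-interface and two-interface rules files and should be corrected there in the same way.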


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Zone File For One Interface
# Shorewall 1.4.7 -- Sample Zone File For One Interface
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
@ -8,6 +8,13 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.html#Nested
#
# Of Course This Is A Single Zone .. So The Above Does Not Apply
#
#ZONE DISPLAY COMMENTS
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Interface File For Three Interfaces
# Shorewall 1.4.7 -- Sample Interface File For Three Interfaces
#
# /etc/shorewall/interfaces
#
@ -106,6 +106,13 @@
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if NEWNOTSYN=Yes.
# arp_filter
# If specified, this interface will only respond
# to ARP who-has requests for IP addresses
# configured on the interface. If not specified,
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
#
# The order in which you list the options is not
# significant but the list should have no embedded white


@ -1,5 +1,5 @@
#
# Shorewall 1.4 - Sample Masquerade file For Three Interfaces
# Shorewall 1.4.7 - Sample Masquerade file For Three Interfaces
#
# etc/shorewall/masq
#


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Policy File For Three Interfaces
# Shorewall 1.4.7 -- Sample Policy File For Three Interfaces
#
# /etc/shorewall/policy
#
@ -81,5 +81,6 @@ loc net ACCEPT
# remove the comment from the following line.
#dmz net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Sample Routestopped File For Three Interfaces.
# Shorewall 1.4.7 -- Sample Routestopped File For Three Interfaces.
#
# /etc/shorewall/routestopped
#


@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Sample Rules File For Three Interfaces
# Shorewall version 1.4.7 - Sample Rules File For Three Interfaces
#
# /etc/shorewall/rules
#
@ -55,9 +55,27 @@
# LOG
# Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
@ -207,45 +225,75 @@
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
#
# <rate>/<interval>[:<burst>]
#
# Where <rate> is the number of connections per <interval> ("sec"
# or "min") and <burst> is the largest burst permitted. If no
# <burst> is given, a value of 5 is assummed. There may be no
# whitespace embedded in the specification.
#
# Example:
# 10/sec:20
#
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net fw tcp http
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to dmz system 192.168.2.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net dmz:192.168.2.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#
# Accept DNS connections from the firewall to the Internet
#


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
@ -8,6 +8,11 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.html#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Interface File For Two Interfaces
# Shorewall 1.4.7 -- Sample Interface File For Two Interfaces
#
# /etc/shorewall/interfaces
#
@ -110,6 +110,13 @@
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if NEWNOTSYN=Yes.
# arp_filter
# If specified, this interface will only respond
# to ARP who-has requests for IP addresses
# configured on the interface. If not specified,
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
#
# The order in which you list the options is not
# significant but the list should have no embedded white


@ -1,5 +1,5 @@
#
# Shorewall 1.4 - Sample Masquerade file For Two Interfaces
# Shorewall 1.4.7 - Sample Masquerade file For Two Interfaces
#
# etc/shorewall/masq
#


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Policy File For Two Interfaces
# Shorewall 1.4.7 -- Sample Policy File For Two Interfaces
#
# /etc/shorewall/policy
#
@ -78,5 +78,6 @@ loc net ACCEPT
# remove the comment from the following line.
#fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4 -- Sample Routestopped file for two interfaces.
# Shorewall 1.4.7 -- Sample Routestopped file for two interfaces.
#
# /etc/shorewall/routestopped
#


@ -1,5 +1,5 @@
#
# Shorewall version 1.4 - Sample Rules File For Two Interfaces
# Shorewall version 1.4.7 - Sample Rules File For Two Interfaces
#
# /etc/shorewall/rules
#
@ -55,9 +55,27 @@
# LOG
# Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
@ -207,45 +225,75 @@
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
#
# <rate>/<interval>[:<burst>]
#
# Where <rate> is the number of connections per <interval> ("sec"
# or "min") and <burst> is the largest burst permitted. If no
# <burst> is given, a value of 5 is assummed. There may be no
# whitespace embedded in the specification.
#
# Example:
# 10/sec:20
#
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net fw tcp http
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#
# Accept DNS connections from the firewall to the network
#


@ -1,5 +1,5 @@
#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
@ -8,6 +8,11 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.html#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks