diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 0bf732ef1..76a12cea9 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -16,7 +16,11 @@
 # place "-" in this column.
 #
 # INTERFACE Name of interface. Each interface may be listed only
-# once in this file.
+# once in this file. You may NOT specify the name of
+# an alias (e.g., eth0:0) here; see
+# http://www.shorewall.net/FAQ.htm#faq18
+#
+# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# maclist - Connection requests from this interface
+# are compared against the contents of
+# /etc/shorewall/maclist. If this option
+# is specified, the interface must be
+# an ethernet NIC and must be up before
+# Shorewall is started.
+# tcpflags - Packets arriving on this interface are
+# checked for certain illegal combinations
+# of TCP flags. Packets found to have
+# such a combination of flags are handled
+# according to the setting of
+# TCP_FLAGS_DISPOSITION after having been
+# logged according to the setting of
+# TCP_FLAGS_LOG_LEVEL.
 # proxyarp -
 # Sets
 # /proc/sys/net/ipv4/conf//proxy_arp.
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index b5117b17b..53e3a26eb 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -17,6 +17,10 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
+# WARNING: Firewall->Firewall policies are not allowed; if
+# you have a policy where both SOURCE and DEST are $FW,
+# Shorewall will not start!
+#
 # POLICY Policy if no match from the rules file is found. Must
 # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #
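Review bot: The new `maclist` description in the `@@ -81,6 +85,20 @@` hunk (and the identical hunks in the three-interfaces and two-interfaces copies of this file) explains the mechanics but not the scope of MAC comparison: a source MAC is only visible for hosts on the directly attached segment and is not an authenticated identity, so the option restricts which locally attached devices may open connections rather than proving who they are. I would add, after `Shorewall is started.`, a line such as `# MAC matching is a convenience filter for directly attached hosts, not authentication.` The `tcpflags` text could also say where TCP_FLAGS_DISPOSITION and TCP_FLAGS_LOG_LEVEL are set (`/etc/shorewall/shorewall.conf`), since the `maclist` entry does give the path of its companion file.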
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index f18c30471..42889ed50 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -8,6 +8,12 @@ # # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## +# +# PATH - Change this if you want to change the order in which Shorewall +# searches directories for executable files. +# +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + # # NAME OF THE FIREWALL ZONE # @@ -154,7 +160,8 @@ ADD_IP_ALIASES=Yes # # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say -# "No" or "no", you must add these aliases youself. +# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless +# you are sure that you need it -- most people don't!!! # ADD_SNAT_ALIASES=No @@ -339,6 +346,8 @@ MUTEX_TIMEOUT=60 # # LOGGING 'New not SYN' rejects # +# This variable only has an effect when NEWNOTSYN=No (see below). +# # When a TCP packet that does not have the SYN flag set and the ACK and RST # flags clear then unless the packet is part of an established connection, # it will be rejected by the firewall. If you want these rejects logged, 
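Review bot: The new `PATH=` line in the first hunk is a shell assignment that is presumably sourced by the firewall script running as root, yet the comment above it only says the search order may be changed; it should also say that every directory listed must be owned and writable by root alone, because a directory that other accounts can write to, placed in a root PATH, lets a file there be executed in place of the intended command. `/usr/local/bin` and `/usr/local/sbin` are group-writable on some distributions, so the sample should state that requirement rather than leave it to the reader. Suggested comment: `# Every directory listed here is searched as root; list only root-owned, non-group-writable directories.`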
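Review bot: The rewritten line in the `@@ -154,7 +160,8 @@` hunk carries the misspelling `youself` over from the removed line; since the line is being replaced anyway, make it `# "No" or "no", you must add these aliases yourself. LEAVE THIS SET TO "No" unless`. As a matter of style, the `!!!` on the following line could be a single exclamation mark, matching the tone of the rest of the file.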
@@ -357,4 +366,62 @@ LOGNEWNOTSYN= FORWARDPING=Yes +# +# NEWNOTSYN +# +# If this variable is set to "No" or "no", then When a TCP packet that does +# not have the SYN flag set and the ACK and RST flags clear then unless the +# packet is part of an established connection, it will be dropped by the +# firewall +# +# If this variable is set to "Yes" or "yes" then such packets will not be +# dropped but will pass through the normal rule processing. +# +# Users with a High-availability setup with two firewall's and one acting +# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may +# also need to select NEWNOTSYN=Yes. + +NEWNOTSYN=No + +# +# MAC List Disposition +# +# This variable determines the disposition of connection requests arriving +# on interfaces that have the 'maclist' option and that are from a device +# that is not listed for that interface in /etc/shorewall/maclist. Valid +# values are ACCEPT, DROP and REJECT. If not specified or specified as +# empty (MACLIST_DISPOSITION="") then REJECT is assumed + +MACLIST_DISPOSITION=REJECT + +# +# MAC List Log Level +# +# Specifies the logging level for connection requests that fail MAC +# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then +# such connection requests will not be logged. +# + +MACLIST_LOG_LEVEL=info + +# +# TCP FLAGS Disposition +# +# This variable determins the disposition of packets having an invalid +# combination of TCP flags that are received on interfaces having the +# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified +# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. + +TCP_FLAGS_DISPOSITION=DROP + +# +# TCP FLAGS Log Level +# +# Specifies the logging level for packets that fail TCP Flags +# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then +# such packets will not be logged. +# + +TCP_FLAGS_LOG_LEVEL=info + #LAST LINE -- DO NOT REMOVE 
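Review bot: The new NEWNOTSYN paragraph says such a packet `will be dropped by the firewall`, while the LOGNEWNOTSYN paragraph earlier in this file (the `@@ -339,6 +346,8 @@` hunk) says `it will be rejected by the firewall`; the two should agree on the actual disposition, since DROP and REJECT behave differently toward the sender and the LOGNEWNOTSYN text is what users read first. The same paragraph has `then When` (drop one word) and `two firewall's` (should be `two firewalls`), and the TCP FLAGS Disposition paragraph has `determins` (should be `determines`). The two new log-level settings state a value but not the accepted set; a line such as `# Valid values are syslog levels (e.g. info) or the empty string.` would help, if that is indeed what the code accepts -- I cannot confirm that from the diff.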
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 9b7900eef..75e57d634 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -16,7 +16,11 @@
 # place "-" in this column.
 #
 # INTERFACE Name of interface. Each interface may be listed only
-# once in this file.
+# once in this file. You may NOT specify the name of
+# an alias (e.g., eth0:0) here; see
+# http://www.shorewall.net/FAQ.htm#faq18
+#
+# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# maclist - Connection requests from this interface
+# are compared against the contents of
+# /etc/shorewall/maclist. If this option
+# is specified, the interface must be
+# an ethernet NIC and must be up before
+# Shorewall is started.
+# tcpflags - Packets arriving on this interface are
+# checked for certain illegal combinations
+# of TCP flags. Packets found to have
+# such a combination of flags are handled
+# according to the setting of
+# TCP_FLAGS_DISPOSITION after having been
+# logged according to the setting of
+# TCP_FLAGS_LOG_LEVEL.
 # proxyarp -
 # Sets
 # /proc/sys/net/ipv4/conf//proxy_arp.
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index a73d5835c..8a6cbc8ee 100755
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -37,7 +37,9 @@
 # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 # the address given in this column is the primary
 # IP address for the interface in the INTERFACE
-# column.
+# column.
+#
+# This column may not contain a DNS Name.
 #
 # Example 1:
 #
diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy
index fc2294330..de01405cd 100644
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -17,6 +17,10 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
+# WARNING: Firewall->Firewall policies are not allowed; if
+# you have a policy where both SOURCE and DEST are $FW,
+# Shorewall will not start!
+#
 # POLICY Policy if no match from the rules file is found. Must
 # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index bfea6c609..aacea2033 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -32,17 +32,18 @@
 # logged at the specified level.
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones or $FW to indicate the
-# firewall itself. If the ACTION is DNAT or REDIRECT,
-# sub-zones of the specified zone may be excluded from
-# the rule by following the zone name with "!' and a
-# comma-separated list of sub-zone names.
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, or "all" If the ACTION is DNAT or
+# REDIRECT, sub-zones of the specified zone may be
+# excluded from the rule by following the zone name with
+# "!' and a comma-separated list of sub-zone names.
 #
-# Clients may be further restricted to a list of subnets
-# and/or hosts by appending ":" and a comma-separated
-# list of subnets and/or hosts. Hosts may be specified
-# by IP or MAC address; mac addresses must begin with
-# "~" and must use "-" as a separator.
+# Except when "all" is specified, clients may be further
+# restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
 #
 # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
 #
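Review bot: In the rewritten SOURCE paragraph of the rules hunk, `firewall itself, or "all" If the ACTION is DNAT or` lacks a period after `"all"`, and the new line `"!' and a comma-separated list of sub-zone names.` keeps the mismatched quote pair from the removed line; both are worth fixing while these lines are being rewritten: `# firewall itself, or "all". If the ACTION is DNAT or` and `# "!" and a comma-separated list of sub-zone names.`. The same two defects appear at the same position in the two-interfaces/rules hunk, and the rewritten DEST paragraphs of both rules files (`itself or "all"`) have the same missing period.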
@@ -64,12 +65,20 @@
 # as described above (e.g., loc:eth1:192.168.1.5).
 #
 # DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones or $FW to indicate the firewall
-# itself.
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself or "all"
 #
-# The server may be further restricted to a particular
-# subnet, host or interface by appending ":" and the
-# subnet, host or interface. See above.
+# Except when "all" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
+#
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 953655f8b..782a6104f 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -16,7 +16,11 @@
 # place "-" in this column.
 #
 # INTERFACE Name of interface. Each interface may be listed only
-# once in this file.
+# once in this file. You may NOT specify the name of
+# an alias (e.g., eth0:0) here; see
+# http://www.shorewall.net/FAQ.htm#faq18
+#
+# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# maclist - Connection requests from this interface
+# are compared against the contents of
+# /etc/shorewall/maclist. If this option
+# is specified, the interface must be
+# an ethernet NIC and must be up before
+# Shorewall is started.
+# tcpflags - Packets arriving on this interface are
+# checked for certain illegal combinations
+# of TCP flags. Packets found to have
+# such a combination of flags are handled
+# according to the setting of
+# TCP_FLAGS_DISPOSITION after having been
+# logged according to the setting of
+# TCP_FLAGS_LOG_LEVEL.
 # proxyarp -
 # Sets
 # /proc/sys/net/ipv4/conf//proxy_arp.
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index e30c88829..d0bcf1633 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -37,7 +37,9 @@
 # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 # the address given in this column is the primary
 # IP address for the interface in the INTERFACE
-# column.
+# column.
+#
+# This column may not contain a DNS Name.
 #
 # Example 1:
 #
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index fc2294330..de01405cd 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -17,6 +17,10 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
+# WARNING: Firewall->Firewall policies are not allowed; if
+# you have a policy where both SOURCE and DEST are $FW,
+# Shorewall will not start!
+#
 # POLICY Policy if no match from the rules file is found. Must
 # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 6772a80c6..e55f2cc3e 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -32,17 +32,18 @@
 # logged at the specified level.
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones or $FW to indicate the
-# firewall itself. If the ACTION is DNAT or REDIRECT,
-# sub-zones of the specified zone may be excluded from
-# the rule by following the zone name with "!' and a
-# comma-separated list of sub-zone names.
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, or "all" If the ACTION is DNAT or
+# REDIRECT, sub-zones of the specified zone may be
+# excluded from the rule by following the zone name with
+# "!' and a comma-separated list of sub-zone names.
 #
-# Clients may be further restricted to a list of subnets
-# and/or hosts by appending ":" and a comma-separated
-# list of subnets and/or hosts. Hosts may be specified
-# by IP or MAC address; mac addresses must begin with
-# "~" and must use "-" as a separator.
+# Except when "all" is specified, clients may be further
+# restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
 #
 # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
 #
@@ -62,14 +63,22 @@
 # through eth1. This may be optionally followed by
 # another colon (":") and an IP/MAC/subnet address
 # as described above (e.g., loc:eth1:192.168.1.5).
-##
-# DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones or $FW to indicate the firewall
-# itself.
 #
-# The server may be further restricted to a particular
-# subnet, host or interface by appending ":" and the
-# subnet, host or interface. See above.
+# DEST Location of Server. May be a zone defined in
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself or "all"
+#
+# Except when "all" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
+#
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by