Shorewall-1.3.11 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@343 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -16,7 +16,11 @@
 #			place "-" in this column.
 #	
 #	INTERFACE	Name of interface. Each interface may be listed only
-#			once in this file.
+#			once in this file. You may NOT specify the name of
+#			an alias (e.g., eth0:0) here; see
+#			http://www.shorewall.net/FAQ.htm#faq18
+#
+#			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			maclist	     - Connection requests from this interface
+#				       are compared against the contents of
+#				       /etc/shorewall/maclist. If this option
+#				       is specified, the interface must be
+#				       an ethernet NIC and must be up before
+#				       Shorewall is started.
+#			tcpflags     - Packets arriving on this interface are
+#				       checked for certain illegal combinations
+#				       of TCP flags. Packets found to have
+#				       such a combination of flags are handled
+#				       according to the setting of
+#				       TCP_FLAGS_DISPOSITION after having been
+#				       logged according to the setting of
+#				       TCP_FLAGS_LOG_LEVEL.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.

Samples/one-interface/policy

@@ -17,6 +17,10 @@
 #	DEST		Destination zone. Must be the name of a zone defined
 #			in /etc/shorewall/zones, $FW or "all"
 #
+#		WARNING: Firewall->Firewall policies are not allowed; if
+#			 you have a policy where both SOURCE and DEST are $FW,
+#			 Shorewall will not start!
+#
 #	POLICY		Policy if no match from the rules file is found. Must
 #			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #

Samples/one-interface/shorewall.conf

@@ -8,6 +8,12 @@
 #
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
+#
+# PATH - Change this if you want to change the order in which Shorewall
+#        searches directories for executable files.	
+#
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
 #
 # NAME OF THE FIREWALL ZONE
 #
@@ -154,7 +160,8 @@ ADD_IP_ALIASES=Yes
 #
 # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself.
+# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
+# you are sure that you need it -- most people don't!!!
 #
 ADD_SNAT_ALIASES=No
 
@@ -339,6 +346,8 @@ MUTEX_TIMEOUT=60
 #
 # LOGGING 'New not SYN' rejects
 #
+# This variable only has an effect when NEWNOTSYN=No (see below).
+#
 # When a TCP packet that does not have the SYN flag set and the ACK and RST
 # flags clear then unless the packet is part of an established connection,
 # it will be rejected by the firewall. If you want these rejects logged, 
@@ -357,4 +366,62 @@ LOGNEWNOTSYN=
 
 FORWARDPING=Yes
 
+#
+# NEWNOTSYN
+#
+# If this variable is set to "No" or "no", then When a TCP packet that does
+# not have the SYN flag set and the ACK and RST flags clear then unless the
+# packet is part of an established connection, it will be dropped by the
+# firewall
+#
+# If this variable is set to "Yes" or "yes" then such packets will not be
+# dropped but will pass through the normal rule processing.
+#
+# Users with a High-availability setup with two firewall's and one acting
+# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
+# also need to select NEWNOTSYN=Yes.
+ 
+NEWNOTSYN=No
+
+#
+# MAC List Disposition
+#
+# This variable determines the disposition of connection requests arriving
+# on interfaces that have the 'maclist' option and that are from a device
+# that is not listed for that interface in /etc/shorewall/maclist. Valid
+# values are ACCEPT, DROP and REJECT. If not specified or specified as
+# empty (MACLIST_DISPOSITION="") then REJECT is assumed
+
+MACLIST_DISPOSITION=REJECT
+
+#
+# MAC List Log Level
+#
+# Specifies the logging level for connection requests that fail MAC
+# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
+# such connection requests will not be logged. 
+# 
+
+MACLIST_LOG_LEVEL=info
+
+#
+# TCP FLAGS Disposition
+#
+# This variable determins the disposition of packets having an invalid 
+# combination of TCP flags that are received on interfaces having the
+# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
+# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#
+# TCP FLAGS Log Level
+#
+# Specifies the logging level for packets that fail TCP Flags
+# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
+# such packets will not be logged. 
+# 
+
+TCP_FLAGS_LOG_LEVEL=info
+
 #LAST LINE -- DO NOT REMOVE

Samples/three-interfaces/interfaces

@@ -16,7 +16,11 @@
 #			place "-" in this column.
 #	
 #	INTERFACE	Name of interface. Each interface may be listed only
-#			once in this file.
+#			once in this file. You may NOT specify the name of
+#			an alias (e.g., eth0:0) here; see
+#			http://www.shorewall.net/FAQ.htm#faq18
+#
+#			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			maclist	     - Connection requests from this interface
+#				       are compared against the contents of
+#				       /etc/shorewall/maclist. If this option
+#				       is specified, the interface must be
+#				       an ethernet NIC and must be up before
+#				       Shorewall is started.
+#			tcpflags     - Packets arriving on this interface are
+#				       checked for certain illegal combinations
+#				       of TCP flags. Packets found to have
+#				       such a combination of flags are handled
+#				       according to the setting of
+#				       TCP_FLAGS_DISPOSITION after having been
+#				       logged according to the setting of
+#				       TCP_FLAGS_LOG_LEVEL.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.

Samples/three-interfaces/masq

@@ -39,6 +39,8 @@
 #				IP address for the interface in the INTERFACE
 #				column.
 #
+#				This column may not contain a DNS Name. 
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to

Samples/three-interfaces/policy

@@ -17,6 +17,10 @@
 #	DEST		Destination zone. Must be the name of a zone defined
 #			in /etc/shorewall/zones, $FW or "all"
 #
+#		WARNING: Firewall->Firewall policies are not allowed; if
+#			 you have a policy where both SOURCE and DEST are $FW,
+#			 Shorewall will not start!
+#
 #	POLICY		Policy if no match from the rules file is found. Must
 #			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #

Samples/three-interfaces/rules

@@ -32,17 +32,18 @@
 #			logged at the specified level.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
-#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself. If the ACTION is DNAT or REDIRECT,
-#			sub-zones of the specified zone may be excluded from
-#			the rule by following the zone name with "!' and a
-#			comma-separated list of sub-zone names.
+#                       defined in /etc/shorewall/zones, $FW to indicate the
+#			firewall itself, or "all" If the ACTION is DNAT or
+#			REDIRECT, sub-zones of the specified zone may be
+#			excluded from the rule by following the zone name with
+#			"!' and a comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a list of subnets
-#			and/or hosts by appending ":" and a comma-separated
-#			list of subnets and/or hosts. Hosts may be specified
-#			by IP or MAC address; mac addresses must begin with
-#			"~" and must use "-" as a separator.
+#			Except when "all" is specified, clients may be further
+#			restricted to a list of subnets and/or hosts by
+#			appending ":" and a comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@@ -64,12 +65,20 @@
 #			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or $FW to indicate the firewall
-#			itself.
+#			/etc/shorewall/zones, $FW to indicate the firewall
+#			itself or "all"
 #
-#			The server may be further restricted to a particular
-#			subnet, host or interface by appending ":" and the
-#			subnet, host or interface. See above.
+#			Except when "all" is specified, the server may be
+#			further restricted to a particular subnet, host or
+#			interface by appending ":" and the subnet, host or
+#			interface. See above.
+#
+#				Restrictions:
+#
+#				1. MAC addresses are not allowed.
+#				2. In DNAT rules, only IP addresses are
+#				   allowed; no FQDNs or subnet addresses
+#				   are permitted.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by

Samples/two-interfaces/interfaces

@@ -16,7 +16,11 @@
 #			place "-" in this column.
 #	
 #	INTERFACE	Name of interface. Each interface may be listed only
-#			once in this file.
+#			once in this file. You may NOT specify the name of
+#			an alias (e.g., eth0:0) here; see
+#			http://www.shorewall.net/FAQ.htm#faq18
+#
+#			DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
 #
 #	BROADCAST	The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
@@ -81,6 +85,20 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			maclist	     - Connection requests from this interface
+#				       are compared against the contents of
+#				       /etc/shorewall/maclist. If this option
+#				       is specified, the interface must be
+#				       an ethernet NIC and must be up before
+#				       Shorewall is started.
+#			tcpflags     - Packets arriving on this interface are
+#				       checked for certain illegal combinations
+#				       of TCP flags. Packets found to have
+#				       such a combination of flags are handled
+#				       according to the setting of
+#				       TCP_FLAGS_DISPOSITION after having been
+#				       logged according to the setting of
+#				       TCP_FLAGS_LOG_LEVEL.
 #			proxyarp     - 
 #				Sets 
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.

Samples/two-interfaces/masq

@@ -39,6 +39,8 @@
 #				IP address for the interface in the INTERFACE
 #				column.
 #
+#				This column may not contain a DNS Name. 
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to

Samples/two-interfaces/policy

@@ -17,6 +17,10 @@
 #	DEST		Destination zone. Must be the name of a zone defined
 #			in /etc/shorewall/zones, $FW or "all"
 #
+#		WARNING: Firewall->Firewall policies are not allowed; if
+#			 you have a policy where both SOURCE and DEST are $FW,
+#			 Shorewall will not start!
+#
 #	POLICY		Policy if no match from the rules file is found. Must
 #			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
 #

Samples/two-interfaces/rules

@@ -32,17 +32,18 @@
 #			logged at the specified level.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
-#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself. If the ACTION is DNAT or REDIRECT,
-#			sub-zones of the specified zone may be excluded from
-#			the rule by following the zone name with "!' and a
-#			comma-separated list of sub-zone names.
+#                       defined in /etc/shorewall/zones, $FW to indicate the
+#			firewall itself, or "all" If the ACTION is DNAT or
+#			REDIRECT, sub-zones of the specified zone may be
+#			excluded from the rule by following the zone name with
+#			"!' and a comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a list of subnets
-#			and/or hosts by appending ":" and a comma-separated
-#			list of subnets and/or hosts. Hosts may be specified
-#			by IP or MAC address; mac addresses must begin with
-#			"~" and must use "-" as a separator.
+#			Except when "all" is specified, clients may be further
+#			restricted to a list of subnets and/or hosts by
+#			appending ":" and a comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@@ -62,14 +63,22 @@
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., loc:eth1:192.168.1.5).
-##
-#	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or $FW to indicate the firewall
-#			itself.
 #
-#			The server may be further restricted to a particular
-#			subnet, host or interface by appending ":" and the
-#			subnet, host or interface. See above.
+#	DEST		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones, $FW to indicate the firewall
+#			itself or "all"
+#
+#			Except when "all" is specified, the server may be
+#			further restricted to a particular subnet, host or
+#			interface by appending ":" and the subnet, host or
+#			interface. See above.
+#
+#				Restrictions:
+#
+#				1. MAC addresses are not allowed.
+#				2. In DNAT rules, only IP addresses are
+#				   allowed; no FQDNs or subnet addresses
+#				   are permitted.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by