mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 23:59:01 +01:00
Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@38 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a74f576c76
commit
390ee5a4a0
22
Lrp/etc/shorewall/icmp.def
Normal file
22
Lrp/etc/shorewall/icmp.def
Normal file
@ -0,0 +1,22 @@
|
||||
##############################################################################
|
||||
# Shorewall 1.3 /etc/shorewall/icmp.def
|
||||
#
|
||||
# This file defines the default rules for accepting ICMP packets.
|
||||
#
|
||||
# Do not modify this file -- if you wish to change these rules, create
|
||||
# /etc/shorewall/icmpdef to replace it. It is suggested that you include
|
||||
# the command "source /etc/shorewall/icmp.def" in your
|
||||
# /etc/shorewall/icmpdef file so that you will continue to get the
|
||||
# advantage of new releases of this file.
|
||||
#
|
||||
# For example, if you want to accept 'ping' everywhere then create
|
||||
# /etc/shorewall/icmpdef with the following two lines:
|
||||
#
|
||||
# source /etc/shorewall/icmp.def
|
||||
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
|
||||
#
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
|
||||
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
|
104
Lrp/etc/shorewall/interfaces
Normal file
104
Lrp/etc/shorewall/interfaces
Normal file
@ -0,0 +1,104 @@
|
||||
#
|
||||
# Shorewall 1.3 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
# You must add an entry in this file for each network interface on your
|
||||
# firewall system.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE Zone for this interface. Must match the short name
|
||||
# of a zone defined in /etc/shorewall/zones.
|
||||
#
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you may
|
||||
# place "-" in this column.
|
||||
#
|
||||
# INTERFACE Name of interface
|
||||
#
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left black.
|
||||
#
|
||||
# If you use the special value "detect", the firewall
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started and you must have iproute
|
||||
# installed.
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
# "-" in this column.
|
||||
#
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp - interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall.
|
||||
# noping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be ignored on this interface
|
||||
# filterping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be controlled by the rules file and
|
||||
# applicable policy. If neither 'noping'
|
||||
# nor 'filterping' are specified then
|
||||
# the firewall will respond to 'ping'
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - When the firewall is stopped, allow
|
||||
# and route traffic to and from this
|
||||
# interface.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling is
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
# multi - This interface has multiple IP
|
||||
# addresses and you want to be able to
|
||||
# route between them.
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure).
|
||||
# dropunclean - Logs and drops mangled/invalid packets
|
||||
#
|
||||
# logunclean - Logs mangled/invalid packets but does
|
||||
# not drop them.
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect noping,dhcp
|
||||
# loc eth1 detect routestopped
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
# connections and you want to ignore ping requests.
|
||||
#
|
||||
# net ppp0 - noping
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
Loading…
Reference in New Issue
Block a user