Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@38 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/shorewall/icmp.def

@@ -0,0 +1,22 @@
+##############################################################################
+# Shorewall 1.3 /etc/shorewall/icmp.def
+#
+# This file defines the default rules for accepting ICMP packets. 
+#
+# Do not modify this file -- if you wish to change these rules, create
+# /etc/shorewall/icmpdef to replace it. It is suggested that you include
+# the command "source /etc/shorewall/icmp.def" in your
+# /etc/shorewall/icmpdef file so that you will continue to get the
+# advantage of new releases of this file.
+#
+# For example, if you want to accept 'ping' everywhere then create
+# /etc/shorewall/icmpdef with the following two lines:
+#
+# source /etc/shorewall/icmp.def
+# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
+#
+run_iptables -A icmpdef -p ICMP --icmp-type echo-reply              -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type source-quench           -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded           -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem       -j ACCEPT

Lrp/etc/shorewall/interfaces

@@ -0,0 +1,104 @@
+#
+# Shorewall 1.3 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+#	You must add an entry in this file for each network interface on your
+#	firewall system.
+#
+# Columns are:
+#
+#	ZONE		Zone for this interface. Must match the short name
+#			of a zone defined in /etc/shorewall/zones.
+#
+#			If the interface serves multiple zones that will be
+#			defined in the /etc/shorewall/hosts file, you may
+#			place "-" in this column.
+#	
+#	INTERFACE	Name of interface
+#
+#	BROADCAST	The broadcast address for the subnetwork to which the
+#			interface belongs. For P-T-P interfaces, this
+#			column is left black.
+#					    
+#			If you use the special value "detect", the firewall
+#			will detect the broadcast address for you. If you
+#			select this option, the interface must be up before
+#			the firewall is started and you must have iproute
+#			installed.
+#			
+#			If you don't want to give a value for this column but
+#			you want to enter a value in the OPTIONS column, enter
+#			"-" in this column.
+#
+#	OPTIONS		A comma-separated list of options including the
+#			following:
+#
+#			dhcp	     - interface is managed by DHCP or used by
+#                                      a DHCP server running on the firewall.
+#			noping	     - icmp echo-request (ping) packets
+#				       addressed to the firewall should
+#				       be ignored on this interface
+#			filterping   - icmp echo-request (ping) packets 
+#				       addressed to the firewall should
+#				       be controlled by the rules file and
+#				       applicable policy. If neither 'noping'
+#				       nor 'filterping' are specified then
+#				       the firewall will respond to 'ping'
+#				       requests. 'filterping' takes 
+#				       precedence over 'noping' if both are
+#				       given.
+#			routestopped - When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
+#			norfc1918    - This interface should not receive
+#				       any packets whose source is in one
+#				       of the ranges reserved by RFC 1918
+#				       (i.e., private or "non-routable"
+#				       addresses. If packet mangling is
+#				       enabled in shorewall.conf, packets
+#				       whose destination addresses are
+#				       reserved by RFC 1918 are also rejected.
+#			multi	     - This interface has multiple IP
+#				       addresses and you want to be able to
+#				       route between them.
+#			routefilter  - turn on kernel route filtering for this
+#				       interface (anti-spoofing measure).
+#			dropunclean  - Logs and drops mangled/invalid packets
+#
+#			logunclean   - Logs mangled/invalid packets but does
+#				       not drop them.
+#	.	.	blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27 and you want pings from the internet
+#			to be ignored. You interface a DMZ with subnet
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
+#
+#			Your entries for this setup would look like:
+#
+#			net	eth0	206.191.149.223	noping,dhcp
+#			local	eth1	192.168.1.255	routestopped
+#			dmz	eth2	192.168.2.255
+#
+#	Example 2:	The same configuration without specifying broadcast
+#			addresses is:
+#
+#			net	eth0	detect		noping,dhcp
+#			loc	eth1	detect		routestopped
+#			dmz	eth2	detect
+#
+#	Example 3:	You have a simple dial-in system with no ethernet
+#			connections and you want to ignore ping requests.
+#
+#			net	ppp0	-		noping
+##############################################################################
+#ZONE	 INTERFACE	BROADCAST	OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE