diff --git a/Shorewall/Samples/one-interface/interfaces b/Shorewall/Samples/one-interface/interfaces new file mode 100755 index 000000000..fe0bb3929 --- /dev/null +++ b/Shorewall/Samples/one-interface/interfaces 
@@ -0,0 +1,236 @@ +# +# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration. +# +# /etc/shorewall/interfaces +# +# You must add an entry in this file for each network interface on your +# firewall system. +# +# Columns are: +# +# ZONE Zone for this interface. Must match the name of a +# zone defined in /etc/shorewall/zones. You may not +# list the firewall zone in this column. +# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you should +# place "-" in this column. +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You may specify wildcards here. For example, if you +# want to make an entry that applies to all PPP +# interfaces, use 'ppp+'. +# +# There is no need to define the loopback interface (lo) +# in this file. +# +# BROADCAST The broadcast address for the subnetwork to which the +# interface belongs. For P-T-P interfaces, this +# column is left blank.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. +# +# If you use the special value "detect", the firewall +# will detect the broadcast address for you. If you +# select this option, the interface must be up before +# the firewall is started, you must have iproute +# installed. +# +# If you don't want to give a value for this column but +# you want to enter a value in the OPTIONS column, enter +# "-" in this column. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# dhcp - Specify this option when any of +# the following are true: +# 1. the interface gets its IP address +# via DHCP +# 2. the interface is used by +# a DHCP server running on the firewall +# 3. you have a static IP but are on a LAN +# segment with lots of Laptop DHCP +# clients. +# 4. 
the interface is a bridge with +# a DHCP server on one port and DHCP +# clients on another port. +# +# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# +# logmartians - turn on kernel martian logging (logging +# of packets with impossible source +# addresses. It is suggested that if you +# set routefilter on an interface that +# you also set logmartians. This option +# may also be enabled globally in the +# /etc/shorewall/shorewall.conf file. +# +# blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# tcpflags - Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. 
This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from this interface, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. In other +# words, packets coming in on this +# interface are processed as if +# NEWNOTSYN=Yes had been specified in +# /etc/shorewall/shorewall.conf. +# +# This option has no effect if +# NEWNOTSYN=Yes. +# +# It is the opinion of the author that +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence +# making the use of the 'newnotsyn' +# interface option unnecessary). +# +# routeback - If specified, indicates that Shorewall +# should include rules that allow +# filtering traffic arriving on this +# interface back out that same interface. +# +# arp_filter - If specified, this interface will only +# respond to ARP who-has requests for IP +# addresses configured on the interface. +# If not specified, the interface can +# respond to ARP who-has requests for +# IP addresses on any of the firewall's +# interface. The interface must be up +# when Shorewall is started. +# +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . 
+# +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface +# +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# +# nosmurfs - Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# upnp - Incoming requests from this interface +# may be remapped via UPNP (upnpd). +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE. +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and +# eth1 connected to your local network and that your +# local subnet is 192.168.1.0/24. The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27. You have a DMZ with subnet +# 192.168.2.0/24 using eth2. +# +# Your entries for this setup would look like: +# +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 +# +# Example 2: The same configuration without specifying broadcast +# addresses is: +# +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect +# +# Example 3: You have a simple dial-in system with no ethernet +# connections. 
+#
+# net ppp0 -
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/policy b/Shorewall/Samples/one-interface/policy
new file mode 100644
index 000000000..865f3de87
--- /dev/null
+++ b/Shorewall/Samples/one-interface/policy
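Review bot: The sample entry `net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs` puts norfc1918 on the host's only interface, and the norfc1918 paragraph above says that drops every packet whose source is an RFC 1918 address — so a one-interface host that itself sits on a private LAN behind a NAT router (presumably a common deployment for this sample) loses all inbound traffic, including replies from its own DHCP server. The option description states what is blocked but never when it must not be used; I'd add beneath it `# Do NOT use norfc1918 if this interface is itself on a private (RFC 1918) network, e.g. behind a NAT router.` and repeat a one-line warning in the comment over the final entry. The same entry hard-codes `dhcp`, which the header says is warranted only when one of the four listed DHCP conditions holds, so a static-address host should remove it; the entry's comment should say so as well. The `proxyarp` text also reads `/proc/sys/net/ipv4/conf//proxy_arp` with nothing between the slashes, which looks like a lost interface placeholder and should be restored so the path is meaningful.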
@@ -0,0 +1,90 @@ +# +# Shorewall version 3.0 - Sample Policy File for one-interface configuration. +# +# /etc/shorewall/policy +# +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# +# This file determines what to do with a new connection request if we +# don't get a match from the /etc/shorewall/rules file . For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). +# +# INTRA-ZONE POLICIES ARE PRE-DEFINED +# +# For $FW and for all of the zoned defined in /etc/shorewall/zones, +# the POLICY for connections from the zone to itself is ACCEPT (with no +# logging or TCP connection rate limiting but may be overridden by an +# entry in this file. The overriding entry must be explicit (cannot use +# "all" in the SOURCE or DEST). +# +# Columns are: +# +# SOURCE Source zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all". +# +# DEST Destination zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all" +# +# POLICY Policy if no match from the rules file is found. Must +# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". +# +# ACCEPT - Accept the connection +# DROP - Ignore the connection request +# REJECT - For TCP, send RST. For all other, +# send "port unreachable" ICMP. +# QUEUE - Send the request to a user-space +# application using the QUEUE target. +# CONTINUE - Pass the connection request past +# any other rules that it might also +# match (where the source or +# destination zone in those rules is +# a superset of the SOURCE or DEST +# in this policy). +# NONE - Assume that there will never be any +# packets from this SOURCE +# to this DEST. Shorewall will not set +# up any infrastructure to handle such +# packets and you may not have any +# rules with this SOURCE and DEST in +# the /etc/shorewall/rules file. If +# such a packet _is_ received, the +# result is undefined. 
NONE may not be
+# used if the SOURCE or DEST columns
+# contain the firewall zone ($FW) or
+# "all".
+#
+# If this column contains ACCEPT, DROP or REJECT and a
+# corresponding common action is defined in
+# /etc/shorewall/actions (or
+# /usr/share/shorewall/actions.std) then that action
+# will be invoked before the policy named in this column
+# is enforced.
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case). This will
+# log to the ULOG target and sent to a separate log
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# If you don't want to log but need to specify the
+# following column, place "-" here.
+#
+# LIMIT:BURST If passed, specifies the maximum TCP connection rate
+# and the size of an acceptable burst. If not specified,
+# TCP connections are not limited.
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+$FW net ACCEPT
+net all DROP info
+# The FOLLOWING POLICY MUST BE LAST
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules
new file mode 100755
index 000000000..3ecb2084a
--- /dev/null
+++ b/Shorewall/Samples/one-interface/rules
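Review bot: `net all DROP info` logs every unsolicited packet arriving from the Internet at `info` with nothing in this file bounding the volume — the LIMIT:BURST column, per its own description, caps the TCP connection rate rather than the number of log entries — so a routine port scan can fill syslog on this host. I'd put a comment over that entry such as `# Every dropped packet from the net zone is logged; on an exposed link use ULOG or the log rate limiting shorewall.conf provides (confirm the option name for this release) so scans cannot flood the log.` Separately, the POLICY column text says the value must be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE", yet the list directly below documents QUEUE as well; either the sentence should read `Must be "ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE" or "NONE".` or QUEUE should be dropped from the list, as a reader currently cannot tell whether it is accepted here.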
@@ -0,0 +1,430 @@ +# +# Shorewall version 3.0 - Sample Rules File for one-interface configuration. +# +# /etc/shorewall/rules +# +# Rules in this file govern connection establishment. Requests and +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first match is the one +# that determines the disposition of the request. +# +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +#------------------------------------------------------------------------------ +# WARNING: If you masquerade or use SNAT from a local system to the internet, +# you cannot use an ACCEPT rule to allow traffic from the internet to +# that system. You *must* use a DNAT rule instead. +#------------------------------------------------------------------------------ +# +# The rules file is divided into sections. Each section is introduced by +# a "Section Header" which is a line beginning with SECTION followed by the +# section name. +# +# Sections are as follows and must appear in the order listed: +# +# ESTABLISHED Packets in the ESTABLISHED state are processed +# by rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# RELATED Packets in the RELATED state are processed by +# rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# NEW Packets in the NEW and INVALID states are +# processed by rules in this section. 
+# +# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the +# ESTABLISHED and RELATED sections must be empty. +# +# Note: If you are not familiar with Netfilter to the point where you are +# comfortable with the differences between the various connection +# tracking states, then I suggest that you omit the ESTABLISHED and +# RELATED sections and place all of your rules in the NEW section. +# +# You may omit any section that you don't need. If no Section Headers appear +# in the file then all rules are assumed to be in the NEW section. +# +# Columns are: +# +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG, QUEUE or an . +# +# ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] +# rules but doesn't generate a rule +# to accept the traffic. +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# SAME -- Similar to DNAT except that the +# port may not be remapped and when +# multiple server addresses are +# listed, all requests from a given +# remote system go to the same +# server. +# SAME- -- Advanced users only. +# Like SAME but only generates the +# NAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT -- Redirect the request to a local +# port on the firewall. +# REDIRECT- +# -- Advanced users only. +# Like REDIRET but only generates the +# REDIRECT iptables rule and not +# the companion ACCEPT rule. +# +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). 
If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as ftwall +# (http://p2pwall.sf.net). +# -- The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. +# +# -- The name of a macro defined in a +# file named macro.. +# +# The ACTION may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# DNAT:debug). This causes the packet to be +# logged at the specified level. +# +# If the ACTION names an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std then: +# +# - If the log level is followed by "!' then all rules +# in the action are logged at the log level. +# +# - If the log level is not followed by "!" then only +# those rules in the action that do not specify +# logging are logged at the specified level. +# +# - The special log level 'none!' suppresses logging +# by the action. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones, $FW to indicate the +# firewall itself, "all", "all+" or "none" If the ACTION +# is DNAT or REDIRECT, sub-zones of the specified zone +# may be excluded from the rule by following the zone +# name with "!' 
and a comma-separated list of sub-zone +# names. +# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# When "all" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. +# +# Except when "all[+]" is specified, clients may be +# further restricted to a list of subnets and/or hosts by +# appending ":" and a comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# Hosts may be specified as an IP address range using the +# syntax -. This requires that +# your kernel and iptables contain iprange match support. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of source bindings to be +# matched. +# +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet +# +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# +# net:192.0.2.11-192.0.2.17 +# Hosts 192.0.2.11-192.0.2.17 in +# the net zone. +# +# Alternatively, clients may be specified by interface +# by appending ":" to the zone name followed by the +# interface name. For example, loc:eth1 specifies a +# client that communicates with the firewall system +# through eth1. This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., loc:eth1:192.168.1.5). +# +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones, $FW to indicate the firewall +# itself, "all". "all+" or "none". 
+# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# When "all" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. +# +# Except when "all[+]" is specified, the server may be +# further restricted to a particular subnet, host or +# interface by appending ":" and the subnet, host or +# interface. See above. +# +# Restrictions: +# +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. +# 3. You may not specify both an interface and +# an address. +# +# Like in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. When the ACTION is DNAT or DNAT-, +# the connections will be assigned to addresses in the +# range in a round-robin fashion. +# +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of destination bindings +# to be matched. Only one of the SOURCE and DEST columns +# may specify an ipset name. +# +# The port that the server is listening on may be +# included and separated from the server's IP address by +# ":". If omitted, the firewall will not modifiy the +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. +# +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer +# and not as a name from /etc/services. +# +# if the ACTION is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# a number, or "all". 
"ipp2p" requires ipp2p match +# support in your kernel and iptables. +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example +# "bit" for bit-torrent). If no port is given, "ipp2p" is +# assumed. +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ORIGINAL DEST in the next column, then +# place "-" in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] +# then if included and different from the IP +# address given in the SERVER column, this is an address +# on some interface on the firewall and connections to +# that address will be forwarded to the IP and port +# specified in the DEST column. 
+# +# A comma-separated list of addresses may also be used. +# This is usually most useful with the REDIRECT target +# where you want to redirect traffic destined for +# particular set of hosts. +# +# Finally, if the list of addresses begins with "!" then +# the rule will be followed only if the original +# destination address in the connection request does not +# match any of the addresses listed. +# +# For other actions, this column may be included and may +# contain one or more addresses (host or network) +# separated by commas. Address ranges are not allowed. +# When this column is supplied, rules are generated +# that require that the original destination address +# matches one of the listed addresses. This feature is +# most useful when you want to generate a filter rule +# that corresponds to a DNAT- or REDIRECT- rule. In this +# usage, the list of addresses should not begin with "!". +# +# See http://shorewall.net/PortKnocking.html for an +# example of using an entry in this column with a +# user-defined action rule. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# The column may contain: +# +# [!][][:][+] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). 
+# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named 'upnpd' +# +# Example: Accept SMTP requests from the DMZ to the internet +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp +# +# Example: Forward all ssh and http connection requests from the +# internet to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http +# +# Example: Forward all http connection requests from the internet +# to local system 192.168.1.3 with a limit of 3 per second and +# a maximum burst of 10 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# # PORT PORT(S) DEST LIMIT +# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 +# +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +# +# Example: You want to accept SSH connections to your firewall only +# from internet IP addresses 130.252.100.69 and 130.252.100.70 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT net:130.252.100.69,130.252.100.70 $FW \ +# tcp 22 +############################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP + +# Reject Ping from the "bad" net zone.. 
and prevent your log from being flooded..
+
+Ping/REJECT net $FW
+
+# Permit all ICMP traffic FROM the firewall TO the net zone
+
+ACCEPT $FW net icmp
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/zones b/Shorewall/Samples/one-interface/zones
new file mode 100644
index 000000000..5f23e5155
--- /dev/null
+++ b/Shorewall/Samples/one-interface/zones
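Review bot: The only entries here are `Ping/REJECT net $FW` and `ACCEPT $FW net icmp`, and the companion policy file drops everything else from the net zone, so no inbound service reaches the firewall — an administrator who installs this sample on a host managed over SSH is locked out at the next restart, and the header never warns of that. I'd add above the entries `# NOTE: nothing inbound is accepted. If you administer this host remotely, add an SSH rule, e.g. ACCEPT net:<admin-address> $FW tcp 22, BEFORE restarting Shorewall.`, using the restricted form the header's own `net:130.252.100.69,130.252.100.70 $FW tcp 22` example already shows. Also, REJECT is documented above as returning an icmp-unreachable, so `Ping/REJECT` confirms to every prober that the host is up; the comment should mention `Ping/DROP` as the quieter choice for an exposed host. The header also carries typos (`REDIRET`, `preceed`, `modifiy`, `colume`, `ields`, `0ptional`) worth fixing while editing it.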
@@ -0,0 +1,94 @@ +# +# Shorewall version 3.0 - Sample Zones File for one-interface configuration. +# +# /etc/shorewall/zones +# +# This file determines your network zones. +# +# Columns are: +# +# ZONE Short name of the zone (5 Characters or less in length). +# The names "all" and "none" are reserved and may not be +# used as zone names. +# +# Where a zone is nested in one or more other zones, +# you may follow the (sub)zone name by ":" and a +# comma-separated list of the parent zones. The parent +# zones must have been defined in earlier records in this +# file. +# +# Example: +# +# #ZONE TYPE OPTIONS +# a ipv4 +# b ipv4 +# c:a,b ipv4 +# +# Currently, Shorewall uses this information only to reorder the +# zone list so that parent zones appear after their subzones in +# the list. In the future, Shorewall may make more extensive use +# of that information. +# +# TYPE ipv4 - This is the standard Shorewall zone type and is the +# default if you leave this column empty or if you enter +# "-" in the column. Communication with some zone hosts +# may be encrypted. Encrypted hosts are designated using +# the 'ipsec'option in /etc/shorewall/hosts. +# ipsec - Communication with all zone hosts is encrypted +# Your kernel and iptables must include policy +# match support. +# firewall +# - Designates the firewall itself. You must have +# exactly one 'firewall' zone. No options are +# permitted with a 'firewall' zone. The name that you +# enter in the ZONE column will be stored in the shell +# variable $FW which you may use in other configuration +# files to designate the firewall zone. +# +# OPTIONS, A comma-separated list of options as follows: +# IN OPTIONS, +# OUT OPTIONS reqid= where is specified +# using setkey(8) using the 'unique: +# option for the SPD level. +# +# spi= where is the SPI of +# the SA used to encrypt/decrypt packets. +# +# proto=ah|esp|ipcomp +# +# mss= (sets the MSS field in TCP packets) +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
+# Example:
+# mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
+#
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.htm#Nested
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS\
+fw firewall
+net ipv4
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/Samples/three-interfaces/interfaces b/Shorewall/Samples/three-interfaces/interfaces
new file mode 100755
index 000000000..ac57d11c9
--- /dev/null
+++ b/Shorewall/Samples/three-interfaces/interfaces
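Review bot: The column-header comment `# OPTIONS OPTIONS\` ends in a backslash, and a trailing backslash is the line-continuation marker this configuration uses (the rules file's header relies on one in its last example); if the parser joins continued lines before it strips comments, the following `fw firewall` entry is folded into the comment and the file is left without the 'firewall' zone the header says must exist exactly once. I cannot confirm the parse order from this hunk, but the character serves no purpose on a comment line and should go: `# OPTIONS OPTIONS`. The `tunnel-src=` and `tunnel-dst=` option descriptions also read `[/] (only`, which looks like a lost `<address>[/<mask>]` placeholder and should be restored so the syntax is intelligible.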
@@ -0,0 +1,238 @@ +# +# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration. +# +# /etc/shorewall/interfaces +# +# You must add an entry in this file for each network interface on your +# firewall system. +# +# Columns are: +# +# ZONE Zone for this interface. Must match the name of a +# zone defined in /etc/shorewall/zones. You may not +# list the firewall zone in this column. +# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you should +# place "-" in this column. +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You may specify wildcards here. For example, if you +# want to make an entry that applies to all PPP +# interfaces, use 'ppp+'. +# +# There is no need to define the loopback interface (lo) +# in this file. +# +# BROADCAST The broadcast address for the subnetwork to which the +# interface belongs. For P-T-P interfaces, this +# column is left blank.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. +# +# If you use the special value "detect", the firewall +# will detect the broadcast address for you. If you +# select this option, the interface must be up before +# the firewall is started, you must have iproute +# installed. +# +# If you don't want to give a value for this column but +# you want to enter a value in the OPTIONS column, enter +# "-" in this column. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# dhcp - Specify this option when any of +# the following are true: +# 1. the interface gets its IP address +# via DHCP +# 2. the interface is used by +# a DHCP server running on the firewall +# 3. you have a static IP but are on a LAN +# segment with lots of Laptop DHCP +# clients. +# 4. 
the interface is a bridge with +# a DHCP server on one port and DHCP +# clients on another port. +# +# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# +# logmartians - turn on kernel martian logging (logging +# of packets with impossible source +# addresses. It is suggested that if you +# set routefilter on an interface that +# you also set logmartians. This option +# may also be enabled globally in the +# /etc/shorewall/shorewall.conf file. +# +# blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# tcpflags - Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. 
This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from this interface, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. In other +# words, packets coming in on this +# interface are processed as if +# NEWNOTSYN=Yes had been specified in +# /etc/shorewall/shorewall.conf. +# +# This option has no effect if +# NEWNOTSYN=Yes. +# +# It is the opinion of the author that +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence +# making the use of the 'newnotsyn' +# interface option unnecessary). +# +# routeback - If specified, indicates that Shorewall +# should include rules that allow +# filtering traffic arriving on this +# interface back out that same interface. +# +# arp_filter - If specified, this interface will only +# respond to ARP who-has requests for IP +# addresses configured on the interface. +# If not specified, the interface can +# respond to ARP who-has requests for +# IP addresses on any of the firewall's +# interface. The interface must be up +# when Shorewall is started. +# +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . 
+# +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface +# +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# +# nosmurfs - Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# upnp - Incoming requests from this interface +# may be remapped via UPNP (upnpd). +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE. +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and +# eth1 connected to your local network and that your +# local subnet is 192.168.1.0/24. The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27. You have a DMZ with subnet +# 192.168.2.0/24 using eth2. +# +# Your entries for this setup would look like: +# +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 +# +# Example 2: The same configuration without specifying broadcast +# addresses is: +# +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect +# +# Example 3: You have a simple dial-in system with no ethernet +# connections. 
+# +# net ppp0 - +# +# For additional information, see +# http://shorewall.net/Documentation.htm#Interfaces +# +############################################################################### +#ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians +loc eth1 detect tcpflags,detectnets,nosmurfs +dmz eth2 detect +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/masq b/Shorewall/Samples/three-interfaces/masq new file mode 100755 index 000000000..b9f6e3a8e --- /dev/null +++ b/Shorewall/Samples/three-interfaces/masq 
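Review bot: The `dmz eth2 detect` entry carries no options at all, so the DMZ interface receives none of the spoofing and malformed-packet checks that the net and loc entries enable, even though DMZ hosts are the ones most likely to be compromised and used to spoof into the local network. Give it at least the same checks as loc, e.g. `dmz eth2 detect tcpflags,routefilter,nosmurfs`, and consider adding `routefilter` to the loc entry as well, since the file's own comment describes it as an anti-spoofing measure. One caveat for the net entry: combining `norfc1918` with `dhcp` will drop all upstream traffic if the DSL or cable modem hands out a private address, so the sample should say that `norfc1918` must be removed in that case.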
@@ -0,0 +1,222 @@ +# +# Shorewall version 3.0 - Sample Masq file for three-interface configuration. +# +# /etc/shorewall/masq +# +# Use this file to define dynamic NAT (Masquerading) and to define +# Source NAT (SNAT). +# +# Columns are: +# +# INTERFACE -- Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. +# +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. +# +# If you wish to inhibit the action of ADD_SNAT_ALIASES +# for this entry then include the ":" but omit the digit: +# +# eth0: +# eth2::192.0.2.32/27 +# +# Normally Masq/SNAT rules are evaluated after those for +# one-to-one NAT (/etc/shorewall/nat file). If you want +# the rule to be applied before one-to-one NAT rules, +# prefix the interface name with "+": +# +# +eth0 +# +eth0:192.0.2.32/27 +# +eth0:2 +# +# This feature should only be required if you need to +# insert rules in this file that preempt entries in +# /etc/shorewall/nat. +# +# SUBNET -- Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. +# +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. +# +# Example: eth1!192.168.1.4,192.168.32.0/27 +# +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 +# +# ADDRESS -- (Optional). 
If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. +# +# You may also specify a range of up to 256 +# IP addresses if you want the SNAT address to +# be assigned from that range in a round-robin +# range by connection. The range is specified by +# -. +# +# Example: 206.124.146.177-206.124.146.180 +# +# Finally, you may also specify a comma-separated +# list of ranges and/or addresses in this column. +# +# This column may not contain DNS Names. +# +# Normally, Netfilter will attempt to retain +# the source port number. You may cause +# netfilter to remap the source port by following +# an address or range (if any) by ":" and +# a port range with the format - +# . If this is done, you must +# specify "tcp" or "udp" in the PROTO column. +# +# Examples: +# +# 192.0.2.4:5000-6000 +# :4000-5000 +# +# You can invoke the SAME target using the +# following in this column: +# +# SAME:[nodst:][,...] +# +# The may be single addresses. +# +# SAME works like SNAT with the exception that +# the same local IP address is assigned to each +# connection from a local address to a given +# remote address. +# +# If the 'nodst:' option is included, then the +# same source address is used for a given +# internal system regardless of which remote +# system is involved. +# +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. +# +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. 
+# +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). +# +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. +# +# IPSEC -- (Optional) If you specify a value other than "-" in this +# column, you must be running kernel 2.6 and +# your kernel and iptables must include policy +# match support. +# +# Comma-separated list of options from the +# following. Only packets that will be encrypted +# via an SA that matches these options will have +# their source address changed. +# +# Yes or yes -- must be the only option +# listed and matches all outbound +# traffic that will be encrypted. +# +# reqid= where is +# specified using setkey(8) using the +# 'unique: option for the SPD +# level. +# +# spi= where is the +# SPI of the SA. +# +# proto=ah|esp|ipcomp +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only +# available with mode=tunnel) +# +# strict Means that packets must match +# all rules. +# +# next Separates rules; can only be +# used with strict.. +# +# Example 1: +# +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. +# +# Your entry in the file can be either: +# +# eth0 eth1 +# +# or +# +# eth0 192.168.0.0/24 +# +# Example 2: +# +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: +# +# eth0 192.168.1.0/24 +# +# Example 3: +# +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: +# +# ipsec0:10.1.1.0/24 196.168.1.0/24 +# +# Example 4: +# +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. +# +# eth0:0 192.168.1.0/24 206.124.146.176 +# +# Example 5: +# +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. +# +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 +# +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# +# For additional information, see http://shorewall.net/Documentation.htm#Masq +# +############################################################################## +#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +eth0 eth1 +eth0 eth2 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE 
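Review bot: Two comment examples use the prefix 196.168.x.x where 192.168.x.x is clearly intended: the SUBNET explanation says traffic is masqueraded unless it came from `196.168.32.0/27` although the example line above it excludes `192.168.32.0/27`, and Example 3 masquerades `196.168.1.0/24`, which is public address space rather than the private range the surrounding text describes. A reader who copies Example 3 would SNAT a prefix they do not own, so correct both to `192.168.32.0/27` and `ipsec0:10.1.1.0/24 192.168.1.0/24`. The ADDRESS description also says addresses are assigned "in a round-robin range by connection", which should read "in a round-robin fashion by connection".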
diff --git a/Shorewall/Samples/three-interfaces/policy b/Shorewall/Samples/three-interfaces/policy new file mode 100644 index 000000000..4d9c2f529 --- /dev/null +++ b/Shorewall/Samples/three-interfaces/policy 
@@ -0,0 +1,96 @@ +# +# Shorewall version 3.0 - Sample Policy File for three-interface configuration. +# +# /etc/shorewall/policy +# +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# +# This file determines what to do with a new connection request if we +# don't get a match from the /etc/shorewall/rules file . For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). +# +# INTRA-ZONE POLICIES ARE PRE-DEFINED +# +# For $FW and for all of the zoned defined in /etc/shorewall/zones, +# the POLICY for connections from the zone to itself is ACCEPT (with no +# logging or TCP connection rate limiting but may be overridden by an +# entry in this file. The overriding entry must be explicit (cannot use +# "all" in the SOURCE or DEST). +# +# Columns are: +# +# SOURCE Source zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all". +# +# DEST Destination zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all" +# +# POLICY Policy if no match from the rules file is found. Must +# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". +# +# ACCEPT - Accept the connection +# DROP - Ignore the connection request +# REJECT - For TCP, send RST. For all other, +# send "port unreachable" ICMP. +# QUEUE - Send the request to a user-space +# application using the QUEUE target. +# CONTINUE - Pass the connection request past +# any other rules that it might also +# match (where the source or +# destination zone in those rules is +# a superset of the SOURCE or DEST +# in this policy). +# NONE - Assume that there will never be any +# packets from this SOURCE +# to this DEST. Shorewall will not set +# up any infrastructure to handle such +# packets and you may not have any +# rules with this SOURCE and DEST in +# the /etc/shorewall/rules file. If +# such a packet _is_ received, the +# result is undefined. 
NONE may not be +# used if the SOURCE or DEST columns +# contain the firewall zone ($FW) or +# "all". +# +# If this column contains ACCEPT, DROP or REJECT and a +# corresponding common action is defined in +# /etc/shorewall/actions (or +# /usr/share/shorewall/actions.std) then that action +# will be invoked before the policy named in this column +# is enforced. +# +# LOG LEVEL If supplied, each connection handled under the default +# POLICY is logged at that level. If not supplied, no +# log message is generated. See syslog.conf(5) for a +# description of log levels. +# +# Beginning with Shorewall version 1.3.12, you may +# also specify ULOG (must be in upper case). This will +# log to the ULOG target and sent to a separate log +# through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# If you don't want to log but need to specify the +# following column, place "-" here. +# +# LIMIT:BURST If passed, specifies the maximum TCP connection rate +# and the size of an acceptable burst. If not specified, +# TCP connections are not limited. +# +# See http://shorewall.net/Documentation.htm#Policy for additional information. +# +############################################################################### +#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +loc net ACCEPT +# If you want open access to the Internet from your Firewall +# remove the comment from the following line. +#$FW net ACCEPT +# Also If You Wish To Open Up DMZ Access To The Internet +# remove the comment from the following line. +#dmz net ACCEPT +net all DROP info +# THE FOLLOWING POLICY MUST BE LAST +all all REJECT info +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/routestopped b/Shorewall/Samples/three-interfaces/routestopped new file mode 100644 index 000000000..9687ecc97 --- /dev/null +++ b/Shorewall/Samples/three-interfaces/routestopped 
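Review bot: The POLICY column description says the value must be one of "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE", but the list that follows also documents QUEUE, so the two are inconsistent; change the sentence to `# be "ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE" or "NONE".`. Also worth flagging in the sample entries: `net all DROP info` and `all all REJECT info` log every unmatched connection request, and the LIMIT:BURST column as described here limits only the TCP connection rate, not logging, so on an exposed link these policies can flood syslog; a comment pointing administrators at whatever log rate limiting shorewall.conf offers would help. Minor typo: "all of the zoned defined" should be "all of the zones defined".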
@@ -0,0 +1,66 @@ +# +# Shorewall version 3.0 - Sample Routestopped File for three-interface configuration. +# +# /etc/shorewall/routestopped +# +# This file is used to define the hosts that are accessible when the +# firewall is stopped or when it is in the process of being +# [re]started. +# +# Columns are: +# +# INTERFACE - Interface through which host(s) communicate with +# the firewall +# HOST(S) - (Optional) Comma-separated list of IP/subnet +# addresses. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. +# +# If left empty or supplied as "-", +# 0.0.0.0/0 is assumed. +# OPTIONS - (Optional) A comma-separated list of +# options. The currently-supported options are: +# +# routeback - Set up a rule to ACCEPT traffic from +# these hosts back to themselves. +# +# source - Allow traffic from these hosts to ANY +# destination. Without this option or the 'dest' +# option, only traffic from this host to other +# listed hosts (and the firewall) is allowed. If +# 'source' is specified then 'routeback' is redundent. +# +# dest - Allow traffic to these hosts from ANY +# source. Without this option or the 'source' +# option, only traffic from this host to other +# listed hosts (and the firewall) is allowed. If +# 'dest' is specified then 'routeback' is redundent. +# +# critical - Allow traffic between the firewall and +# these hosts throughout '[re]start', 'stop' and +# 'clear'. Specifying 'critical' on one or more +# entries will cause your firewall to be "totally +# open" for a brief window during each of those +# operations. +# +# NOTE: The 'source' and 'dest' options work best when used +# in conjunction with ADMINISABSENTMINDED=Yes in +# /etc/shorewall/shorewall.conf. 
+# +# Example: +# +# INTERFACE HOST(S) OPTIONS +# eth2 192.168.1.0/24 +# eth0 192.0.2.44 +# br0 - routeback +# eth3 - source +# +# See http://shorewall.net/Documentation.htm#Routestopped and +# http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. +# +############################################################################## +#INTERFACE HOST(S) +eth1 - +eth2 - +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules new file mode 100755 index 000000000..bd2234aa6 --- /dev/null +++ b/Shorewall/Samples/three-interfaces/rules 
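Review bot: Listing both `eth1 -` and `eth2 -` with no HOST(S) restriction means, by the file's own description of the default behaviour, that while the firewall is stopped or restarting any host on the loc interface may reach any host on the dmz interface and vice versa, since each entry counts as a "listed host" for the other; that opens a loc/dmz path the policy file otherwise rejects. If the DMZ only needs to stay reachable from the firewall for administration, drop the `eth2` entry or narrow both entries to the real subnets, e.g. `eth1 192.168.1.0/24`, so that an arbitrary source address on the segment is not admitted during the window. The comment's two `redundent` spellings should be `redundant`.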
@@ -0,0 +1,462 @@ +# +# Shorewall version 3.0 - Sample Rules File for three-interface configuration. +# +# /etc/shorewall/rules +# +# Rules in this file govern connection establishment. Requests and +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first match is the one +# that determines the disposition of the request. +# +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +#------------------------------------------------------------------------------ +# WARNING: If you masquerade or use SNAT from a local system to the internet, +# you cannot use an ACCEPT rule to allow traffic from the internet to +# that system. You *must* use a DNAT rule instead. +#------------------------------------------------------------------------------ +# +# The rules file is divided into sections. Each section is introduced by +# a "Section Header" which is a line beginning with SECTION followed by the +# section name. +# +# Sections are as follows and must appear in the order listed: +# +# ESTABLISHED Packets in the ESTABLISHED state are processed +# by rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# RELATED Packets in the RELATED state are processed by +# rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# NEW Packets in the NEW and INVALID states are +# processed by rules in this section. 
+# +# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the +# ESTABLISHED and RELATED sections must be empty. +# +# Note: If you are not familiar with Netfilter to the point where you are +# comfortable with the differences between the various connection +# tracking states, then I suggest that you omit the ESTABLISHED and +# RELATED sections and place all of your rules in the NEW section. +# +# You may omit any section that you don't need. If no Section Headers appear +# in the file then all rules are assumed to be in the NEW section. +# +# Columns are: +# +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG, QUEUE or an . +# +# ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] +# rules but doesn't generate a rule +# to accept the traffic. +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# SAME -- Similar to DNAT except that the +# port may not be remapped and when +# multiple server addresses are +# listed, all requests from a given +# remote system go to the same +# server. +# SAME- -- Advanced users only. +# Like SAME but only generates the +# NAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT -- Redirect the request to a local +# port on the firewall. +# REDIRECT- +# -- Advanced users only. +# Like REDIRET but only generates the +# REDIRECT iptables rule and not +# the companion ACCEPT rule. +# +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). 
If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as ftwall +# (http://p2pwall.sf.net). +# -- The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. +# +# -- The name of a macro defined in a +# file named macro.. +# +# The ACTION may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# DNAT:debug). This causes the packet to be +# logged at the specified level. +# +# If the ACTION names an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std then: +# +# - If the log level is followed by "!' then all rules +# in the action are logged at the log level. +# +# - If the log level is not followed by "!" then only +# those rules in the action that do not specify +# logging are logged at the specified level. +# +# - The special log level 'none!' suppresses logging +# by the action. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones, $FW to indicate the +# firewall itself, "all", "all+" or "none" If the ACTION +# is DNAT or REDIRECT, sub-zones of the specified zone +# may be excluded from the rule by following the zone +# name with "!' 
and a comma-separated list of sub-zone +# names. +# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# When "all" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. +# +# Except when "all[+]" is specified, clients may be +# further restricted to a list of subnets and/or hosts by +# appending ":" and a comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# Hosts may be specified as an IP address range using the +# syntax -. This requires that +# your kernel and iptables contain iprange match support. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of source bindings to be +# matched. +# +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet +# +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# +# net:192.0.2.11-192.0.2.17 +# Hosts 192.0.2.11-192.0.2.17 in +# the net zone. +# +# Alternatively, clients may be specified by interface +# by appending ":" to the zone name followed by the +# interface name. For example, loc:eth1 specifies a +# client that communicates with the firewall system +# through eth1. This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., loc:eth1:192.168.1.5). +# +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones, $FW to indicate the firewall +# itself, "all". "all+" or "none". 
+# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# When "all" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. +# +# Except when "all[+]" is specified, the server may be +# further restricted to a particular subnet, host or +# interface by appending ":" and the subnet, host or +# interface. See above. +# +# Restrictions: +# +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. +# 3. You may not specify both an interface and +# an address. +# +# Like in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. When the ACTION is DNAT or DNAT-, +# the connections will be assigned to addresses in the +# range in a round-robin fashion. +# +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of destination bindings +# to be matched. Only one of the SOURCE and DEST columns +# may specify an ipset name. +# +# The port that the server is listening on may be +# included and separated from the server's IP address by +# ":". If omitted, the firewall will not modifiy the +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. +# +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer +# and not as a name from /etc/services. +# +# if the ACTION is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# a number, or "all". 
"ipp2p" requires ipp2p match +# support in your kernel and iptables. +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example +# "bit" for bit-torrent). If no port is given, "ipp2p" is +# assumed. +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ORIGINAL DEST in the next column, then +# place "-" in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] +# then if included and different from the IP +# address given in the SERVER column, this is an address +# on some interface on the firewall and connections to +# that address will be forwarded to the IP and port +# specified in the DEST column. 
+#
+# A comma-separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# particular set of hosts.
+#
+# Finally, if the list of addresses begins with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
+# For other actions, this column may be included and may
+# contain one or more addresses (host or network)
+# separated by commas. Address ranges are not allowed.
+# When this column is supplied, rules are generated
+# that require that the original destination address
+# matches one of the listed addresses. This feature is
+# most useful when you want to generate a filter rule
+# that corresponds to a DNAT- or REDIRECT- rule. In this
+# usage, the list of addresses should not begin with "!".
+#
+# See http://shorewall.net/PortKnocking.html for an
+# example of using an entry in this column with a
+# user-defined action rule.
+#
+# RATE LIMIT You may rate-limit the rule by placing a value in
+# this colume:
+#
+# /[:]
+#
+# where is the number of connections per
+# ("sec" or "min") and is the
+# largest burst permitted. If no is given,
+# a value of 5 is assumed. There may be no
+# no whitespace embedded in the specification.
+#
+# Example: 10/sec:20
+#
+# USER/GROUP This column may only be non-empty if the SOURCE is
+# the firewall itself.
+#
+# The column may contain:
+#
+# [!][][:][+]
+#
+# When this column is non-empty, the rule applies only
+# if the program generating the output is running under
+# the effective and/or specified (or is
+# NOT running under that id if "!" is given).
+#
+# Examples:
+#
+# joe #program must be run by joe
+# :kids #program must be run by a member of
+# #the 'kids' group
+# !:kids #program must not be run by a member
+# #of the 'kids' group
+# +upnpd #program named 'upnpd'
+#
+# Example: Accept SMTP requests from the DMZ to the internet
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT dmz net tcp smtp
+#
+# Example: Forward all ssh and http connection requests from the
+# internet to local system 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp ssh,http
+#
+# Example: Forward all http connection requests from the internet
+# to local system 192.168.1.3 with a limit of 3 per second and
+# a maximum burst of 10
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# # PORT PORT(S) DEST LIMIT
+# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 3128 on the firewall (Squid running on the firewall
+# system) except when the destination address is 192.168.2.2
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# REDIRECT loc 3128 tcp www - !192.168.2.2
+#
+# Example: All http requests from the internet to address
+# 130.252.100.69 are to be forwarded to 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
+#
+# Example: You want to accept SSH connections to your firewall only
+# from internet IP addresses 130.252.100.69 and 130.252.100.70
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
+# tcp 22
+#############################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+#
+# Accept DNS connections from the firewall to
the Internet
+#
+DNS/ACCEPT $FW net
+#
+#
+# Accept SSH connections from the local network to the firewall and DMZ
+#
+SSH/ACCEPT loc $FW
+SSH/ACCEPT loc dmz
+#
+# DMZ DNS access to the Internet
+#
+DNS/ACCEPT dmz net
+
+
+# Reject Ping from the "bad" net zone.
+
+Ping/REJECT net $FW
+
+#
+# Make ping work bi-directionally between the dmz, net, Firewall and local zone
+# (assumes that the loc-> net policy is ACCEPT).
+#
+
+Ping/ACCEPT loc $FW
+Ping/ACCEPT dmz $FW
+Ping/ACCEPT loc dmz
+Ping/ACCEPT dmz loc
+Ping/ACCEPT dmz net
+
+ACCEPT $FW net icmp
+ACCEPT $FW loc icmp
+ACCEPT $FW dmz icmp
+
+# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
+# the net zone to the dmz and loc
+
+#Ping/ACCEPT net dmz
+#Ping/ACCEPT net loc
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/three-interfaces/zones b/Shorewall/Samples/three-interfaces/zones
new file mode 100644
index 000000000..88f916725
--- /dev/null
+++ b/Shorewall/Samples/three-interfaces/zones
@@ -0,0 +1,94 @@
+#
+# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
+#
+# /etc/shorewall/zones
+#
+# This file determines your network zones.
+#
+# Columns are:
+#
+# ZONE Short name of the zone (5 Characters or less in length).
+# The names "all" and "none" are reserved and may not be
+# used as zone names.
+#
+# Where a zone is nested in one or more other zones,
+# you may follow the (sub)zone name by ":" and a
+# comma-separated list of the parent zones. The parent
+# zones must have been defined in earlier records in this
+# file.
+#
+# Example:
+#
+# #ZONE TYPE OPTIONS
+# a ipv4
+# b ipv4
+# c:a,b ipv4
+#
+# Currently, Shorewall uses this information only to reorder the
+# zone list so that parent zones appear after their subzones in
+# the list. In the future, Shorewall may make more extensive use
+# of that information.
+#
+# TYPE ipv4 - This is the standard Shorewall zone type and is the
+# default if you leave this column empty or if you enter
+# "-" in the column. Communication with some zone hosts
+# may be encrypted. Encrypted hosts are designated using
+# the 'ipsec'option in /etc/shorewall/hosts.
+# ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
+# match support.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone. The name that you
+# enter in the ZONE column will be stored in the shell
+# variable $FW which you may use in other configuration
+# files to designate the firewall zone.
+#
+# OPTIONS, A comma-separated list of options as follows:
+# IN OPTIONS,
+# OUT OPTIONS reqid= where is specified
+# using setkey(8) using the 'unique:
+# option for the SPD level.
+#
+# spi= where is the SPI of
+# the SA used to encrypt/decrypt packets.
+#
+# proto=ah|esp|ipcomp
+#
+# mss= (sets the MSS field in TCP packets)
+#
+# mode=transport|tunnel
+#
+# tunnel-src=
[/] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=
[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
+# Example:
+# mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv4
+loc ipv4
+dmz ipv4
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/interfaces b/Shorewall/Samples/two-interfaces/interfaces
new file mode 100755
index 000000000..9204a3170
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/interfaces
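Review bot: Two typos in the column commentary of this new zones file will be copied by everyone who starts from the sample: the TYPE description reads `the 'ipsec'option in /etc/shorewall/hosts.` (missing space) and the `next` option description ends `strict..` (doubled period); suggest `the 'ipsec' option in /etc/shorewall/hosts.` and `strict.`. The live entries at the bottom (`fw firewall`, `net ipv4`, `loc ipv4`, `dmz ipv4`) are consistent with the ZONE column's 5-character limit and with exactly one `firewall` zone, so no change is needed there.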
@@ -0,0 +1,237 @@
+#
+# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
+#
+# /etc/shorewall/interfaces
+#
+# You must add an entry in this file for each network interface on your
+# firewall system.
+#
+# Columns are:
+#
+# ZONE Zone for this interface. Must match the name of a
+# zone defined in /etc/shorewall/zones. You may not
+# list the firewall zone in this column.
+#
+# If the interface serves multiple zones that will be
+# defined in the /etc/shorewall/hosts file, you should
+# place "-" in this column.
+#
+# INTERFACE Name of interface. Each interface may be listed only
+# once in this file. You may NOT specify the name of
+# an alias (e.g., eth0:0) here; see
+# http://www.shorewall.net/FAQ.htm#faq18
+#
+# You may specify wildcards here. For example, if you
+# want to make an entry that applies to all PPP
+# interfaces, use 'ppp+'.
+#
+# There is no need to define the loopback interface (lo)
+# in this file.
+#
+# BROADCAST The broadcast address for the subnetwork to which the
+# interface belongs. For P-T-P interfaces, this
+# column is left blank.If the interface has multiple
+# addresses on multiple subnets then list the broadcast
+# addresses as a comma-separated list.
+#
+# If you use the special value "detect", the firewall
+# will detect the broadcast address for you. If you
+# select this option, the interface must be up before
+# the firewall is started, you must have iproute
+# installed.
+#
+# If you don't want to give a value for this column but
+# you want to enter a value in the OPTIONS column, enter
+# "-" in this column.
+#
+# OPTIONS A comma-separated list of options including the
+# following:
+#
+# dhcp - Specify this option when any of
+# the following are true:
+# 1. the interface gets its IP address
+# via DHCP
+# 2. the interface is used by
+# a DHCP server running on the firewall
+# 3. you have a static IP but are on a LAN
+# segment with lots of Laptop DHCP
+# clients.
+# 4.
the interface is a bridge with
+# a DHCP server on one port and DHCP
+# clients on another port.
+#
+# norfc1918 - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses. If packet mangling or
+# connection-tracking match is enabled in
+# your kernel, packets whose destination
+# addresses are reserved by RFC 1918 are
+# also rejected.
+#
+# routefilter - turn on kernel route filtering for this
+# interface (anti-spoofing measure). This
+# option can also be enabled globally in
+# the /etc/shorewall/shorewall.conf file.
+#
+# logmartians - turn on kernel martian logging (logging
+# of packets with impossible source
+# addresses. It is suggested that if you
+# set routefilter on an interface that
+# you also set logmartians. This option
+# may also be enabled globally in the
+# /etc/shorewall/shorewall.conf file.
+#
+# blacklist - Check packets arriving on this interface
+# against the /etc/shorewall/blacklist
+# file.
+#
+# maclist - Connection requests from this interface
+# are compared against the contents of
+# /etc/shorewall/maclist. If this option
+# is specified, the interface must be
+# an ethernet NIC and must be up before
+# Shorewall is started.
+#
+# tcpflags - Packets arriving on this interface are
+# checked for certain illegal combinations
+# of TCP flags. Packets found to have
+# such a combination of flags are handled
+# according to the setting of
+# TCP_FLAGS_DISPOSITION after having been
+# logged according to the setting of
+# TCP_FLAGS_LOG_LEVEL.
+#
+# proxyarp -
+# Sets
+# /proc/sys/net/ipv4/conf//proxy_arp.
+# Do NOT use this option if you are
+# employing Proxy ARP through entries in
+# /etc/shorewall/proxyarp.
This option is
+# intended soley for use with Proxy ARP
+# sub-networking as described at:
+# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#
+# newnotsyn - TCP packets that don't have the SYN
+# flag set and which are not part of an
+# established connection will be accepted
+# from this interface, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf. In other
+# words, packets coming in on this
+# interface are processed as if
+# NEWNOTSYN=Yes had been specified in
+# /etc/shorewall/shorewall.conf.
+#
+# This option has no effect if
+# NEWNOTSYN=Yes.
+#
+# It is the opinion of the author that
+# NEWNOTSYN=No creates more problems than
+# it solves and I recommend against using
+# that setting in shorewall.conf (hence
+# making the use of the 'newnotsyn'
+# interface option unnecessary).
+#
+# routeback - If specified, indicates that Shorewall
+# should include rules that allow
+# filtering traffic arriving on this
+# interface back out that same interface.
+#
+# arp_filter - If specified, this interface will only
+# respond to ARP who-has requests for IP
+# addresses configured on the interface.
+# If not specified, the interface can
+# respond to ARP who-has requests for
+# IP addresses on any of the firewall's
+# interface. The interface must be up
+# when Shorewall is started.
+#
+# arp_ignore[=]
+# - If specified, this interface will
+# respond to arp requests based on the
+# value of .
+#
+# 1 - reply only if the target IP address
+# is local address configured on the
+# incoming interface
+#
+# 2 - reply only if the target IP address
+# is local address configured on the
+# incoming interface and both with the
+# sender's IP address are part from same
+# subnet on this interface
+#
+# 3 - do not reply for local addresses
+# configured with scope host, only
+# resolutions for global and link
+# addresses are replied
+#
+# 4-7 - reserved
+#
+# 8 - do not reply for all local
+# addresses
+#
+# If no is given then the value
+# 1 is assumed
+#
+# WARNING -- DO NOT SPECIFY arp_ignore
+# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
+#
+# nosmurfs - Filter packets for smurfs
+# (packets with a broadcast
+# address as the source).
+#
+# Smurfs will be optionally logged based
+# on the setting of SMURF_LOG_LEVEL in
+# shorewall.conf. After logging, the
+# packets are dropped.
+#
+# detectnets - Automatically taylors the zone named
+# in the ZONE column to include only those
+# hosts routed through the interface.
+#
+# upnp - Incoming requests from this interface
+# may be remapped via UPNP (upnpd).
+#
+# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
+# INTERNET INTERFACE.
+#
+# The order in which you list the options is not
+# significant but the list should have no embedded white
+# space.
+#
+# Example 1: Suppose you have eth0 connected to a DSL modem and
+# eth1 connected to your local network and that your
+# local subnet is 192.168.1.0/24. The interface gets
+# it's IP address via DHCP from subnet
+# 206.191.149.192/27. You have a DMZ with subnet
+# 192.168.2.0/24 using eth2.
+#
+# Your entries for this setup would look like:
+#
+# net eth0 206.191.149.223 dhcp
+# local eth1 192.168.1.255
+# dmz eth2 192.168.2.255
+#
+# Example 2: The same configuration without specifying broadcast
+# addresses is:
+#
+# net eth0 detect dhcp
+# loc eth1 detect
+# dmz eth2 detect
+#
+# Example 3: You have a simple dial-in system with no ethernet
+# connections.
+#
+# net ppp0 -
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
+###############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
+loc eth1 detect tcpflags,detectnets,nosmurfs
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/masq b/Shorewall/Samples/two-interfaces/masq
new file mode 100755
index 000000000..f9adf3f73
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/masq
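Review bot: Example 1 in the commentary uses the zone name `local` (`local eth1 192.168.1.255`) while Example 2 and the live entries use `loc`; a reader who copies Example 1 references a zone the companion zones sample does not define, so it should read `loc eth1 192.168.1.255`. Examples 1 and 2 also describe a three-interface layout with a DMZ on eth2, which is out of place in the two-interface sample and would be clearer trimmed to eth0/eth1. The live entries enable `routefilter` and `logmartians` only on eth0; whether eth1 gets the same anti-spoofing treatment depends on the global settings in shorewall.conf, which this file cannot show, so a short comment stating that choice above `loc eth1 detect …` would help. Minor spelling in the option text: `taylors`, `soley`, `it's IP address`.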
@@ -0,0 +1,221 @@
+#
+# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading) and to define
+# Source NAT (SNAT).
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. If ADD_SNAT_ALIASES=Yes in
+# /etc/shorewall/shorewall.conf, you may add ":" and
+# a digit to indicate that you want the alias added with
+# that name (e.g., eth0:0). This will allow the alias to
+# be displayed with ifconfig. THAT IS THE ONLY USE FOR
+# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
+# PLACE IN YOUR SHOREWALL CONFIGURATION.
+#
+# This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+# If you wish to inhibit the action of ADD_SNAT_ALIASES
+# for this entry then include the ":" but omit the digit:
+#
+# eth0:
+# eth2::192.0.2.32/27
+#
+# Normally Masq/SNAT rules are evaluated after those for
+# one-to-one NAT (/etc/shorewall/nat file). If you want
+# the rule to be applied before one-to-one NAT rules,
+# prefix the interface name with "+":
+#
+# +eth0
+# +eth0:192.0.2.32/27
+# +eth0:2
+#
+# This feature should only be required if you need to
+# insert rules in this file that preempt entries in
+# /etc/shorewall/nat.
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# In order to exclude a subset of the specified SUBNET, you
+# may append "!" and a comma-separated list of IP addresses
+# and/or subnets that you wish to exclude.
+#
+# Example: eth1!192.168.1.4,192.168.32.0/27
+#
+# In that example traffic from eth1 would be masqueraded unless
+# it came from 192.168.1.4 or 196.168.32.0/27
+#
+# ADDRESS -- (Optional).
If you specify an address here, SNAT will be
+# used and this will be the source address. If
+# ADD_SNAT_ALIASES is set to Yes or yes in
+# /etc/shorewall/shorewall.conf then Shorewall
+# will automatically add this address to the
+# INTERFACE named in the first column.
+#
+# You may also specify a range of up to 256
+# IP addresses if you want the SNAT address to
+# be assigned from that range in a round-robin
+# range by connection. The range is specified by
+# -.
+#
+# Example: 206.124.146.177-206.124.146.180
+#
+# Finally, you may also specify a comma-separated
+# list of ranges and/or addresses in this column.
+#
+# This column may not contain DNS Names.
+#
+# Normally, Netfilter will attempt to retain
+# the source port number. You may cause
+# netfilter to remap the source port by following
+# an address or range (if any) by ":" and
+# a port range with the format -
+# . If this is done, you must
+# specify "tcp" or "udp" in the PROTO column.
+#
+# Examples:
+#
+# 192.0.2.4:5000-6000
+# :4000-5000
+#
+# You can invoke the SAME target using the
+# following in this column:
+#
+# SAME:[nodst:][,...]
+#
+# The may be single addresses.
+#
+# SAME works like SNAT with the exception that
+# the same local IP address is assigned to each
+# connection from a local address to a given
+# remote address.
+#
+# If the 'nodst:' option is included, then the
+# same source address is used for a given
+# internal system regardless of which remote
+# system is involved.
+#
+# If you want to leave this column empty
+# but you need to specify the next column then
+# place a hyphen ("-") here.
+#
+# PROTO -- (Optional) If you wish to restrict this entry to a
+# particular protocol then enter the protocol
+# name (from /etc/protocols) or number here.
+#
+# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
+# or UDP (protocol 17) then you may list one
+# or more port numbers (or names from
+# /etc/services) separated by commas or you
+# may list a single port range
+# (:).
+#
+# Where a comma-separated list is given, your
+# kernel and iptables must have multiport match
+# support and a maximum of 15 ports may be
+# listed.
+#
+# IPSEC -- (Optional) If you specify a value other than "-" in this
+# column, you must be running kernel 2.6 and
+# your kernel and iptables must include policy
+# match support.
+#
+# Comma-separated list of options from the
+# following. Only packets that will be encrypted
+# via an SA that matches these options will have
+# their source address changed.
+#
+# Yes or yes -- must be the only option
+# listed and matches all outbound
+# traffic that will be encrypted.
+#
+# reqid= where is
+# specified using setkey(8) using the
+# 'unique: option for the SPD
+# level.
+#
+# spi= where is the
+# SPI of the SA.
+#
+# proto=ah|esp|ipcomp
+#
+# mode=transport|tunnel
+#
+# tunnel-src=
[/] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=
[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match
+# all rules.
+#
+# next Separates rules; can only be
+# used with strict..
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add a second entry for eth0 to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+# Example 4:
+#
+# You want all outgoing traffic from 192.168.1.0/24 through
+# eth0 to use source address 206.124.146.176 which is NOT the
+# primary address of eth0. You want 206.124.146.176 added to
+# be added to eth0 with name eth0:0.
+#
+# eth0:0 192.168.1.0/24 206.124.146.176
+#
+# Example 5:
+#
+# You want all outgoing SMTP traffic entering the firewall
+# on eth1 to be sent from eth0 with source IP address
+# 206.124.146.177. You want all other outgoing traffic
+# from eth1 to be sent from eth0 with source IP address
+# 206.124.146.176.
+#
+# eth0 eth1 206.124.146.177 tcp smtp
+# eth0 eth1 206.124.146.176
+#
+# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
+###############################################################################
+#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+eth0 eth1
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/policy b/Shorewall/Samples/two-interfaces/policy
new file mode 100644
index 000000000..320a0ddb7
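Review bot: Two example addresses in the commentary disagree with the prose they illustrate: the SUBNET exclusion text says traffic is exempt if it came from `196.168.32.0/27` while the example line above it is `eth1!192.168.1.4,192.168.32.0/27`, and Example 3 gives `ipsec0:10.1.1.0/24 196.168.1.0/24` while its description says 192.168.1.0/24. 196.168.0.0/16 is not RFC 1918 space, so a reader who copies either example would masquerade or exclude a public range rather than their LAN; both should read `192.168…`. Example 4 also carries the doubled phrase `added to be added to eth0`.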
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/policy
@@ -0,0 +1,93 @@
+#
+# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
+#
+# /etc/shorewall/policy
+#
+# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/shorewall/rules file . For each
+# source/destination pair, the file is processed in order until a
+# match is found ("all" will match any client or server).
+#
+# INTRA-ZONE POLICIES ARE PRE-DEFINED
+#
+# For $FW and for all of the zoned defined in /etc/shorewall/zones,
+# the POLICY for connections from the zone to itself is ACCEPT (with no
+# logging or TCP connection rate limiting but may be overridden by an
+# entry in this file. The overriding entry must be explicit (cannot use
+# "all" in the SOURCE or DEST).
+#
+# Columns are:
+#
+# SOURCE Source zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all".
+#
+# DEST Destination zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+#
+# ACCEPT - Accept the connection
+# DROP - Ignore the connection request
+# REJECT - For TCP, send RST. For all other,
+# send "port unreachable" ICMP.
+# QUEUE - Send the request to a user-space
+# application using the QUEUE target.
+# CONTINUE - Pass the connection request past
+# any other rules that it might also
+# match (where the source or
+# destination zone in those rules is
+# a superset of the SOURCE or DEST
+# in this policy).
+# NONE - Assume that there will never be any
+# packets from this SOURCE
+# to this DEST. Shorewall will not set
+# up any infrastructure to handle such
+# packets and you may not have any
+# rules with this SOURCE and DEST in
+# the /etc/shorewall/rules file. If
+# such a packet _is_ received, the
+# result is undefined.
NONE may not be
+# used if the SOURCE or DEST columns
+# contain the firewall zone ($FW) or
+# "all".
+#
+# If this column contains ACCEPT, DROP or REJECT and a
+# corresponding common action is defined in
+# /etc/shorewall/actions (or
+# /usr/share/shorewall/actions.std) then that action
+# will be invoked before the policy named in this column
+# is enforced.
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case). This will
+# log to the ULOG target and sent to a separate log
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# If you don't want to log but need to specify the
+# following column, place "-" here.
+#
+# LIMIT:BURST If passed, specifies the maximum TCP connection rate
+# and the size of an acceptable burst. If not specified,
+# TCP connections are not limited.
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+loc net ACCEPT
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
+#$FW net ACCEPT
+net all DROP info
+# THE FOLLOWING POLICY MUST BE LAST
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/routestopped b/Shorewall/Samples/two-interfaces/routestopped
new file mode 100644
index 000000000..2a7da6daf
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/routestopped
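Review bot: The POLICY column states the value `Must be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"`, yet the list that follows also documents QUEUE; the sentence should name QUEUE too so the two agree. The intra-zone paragraph opens a parenthesis at `(with no logging or TCP connection rate limiting` that is never closed, and `all of the zoned defined` should read `zones`. The live entries (`loc net ACCEPT`, `net all DROP info`, `all all REJECT info`) follow the file's stated ordering requirement with the catch-all last, and the firewall-to-net policy is left commented out, so the default for `$FW` falls through to the final REJECT; that is a reasonable default but worth saying in the comment above `#$FW net ACCEPT`, e.g. `# Until uncommented, $FW-originated traffic to net is governed by the rules file and then the final REJECT.`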
@@ -0,0 +1,65 @@
+#
+# Shorewall version 3.0 - Sample Routestopped File for two-interface configuration.
+#
+# /etc/shorewall/routestopped
+#
+# This file is used to define the hosts that are accessible when the
+# firewall is stopped or when it is in the process of being
+# [re]started.
+#
+# Columns are:
+#
+# INTERFACE - Interface through which host(s) communicate with
+# the firewall
+# HOST(S) - (Optional) Comma-separated list of IP/subnet
+# addresses. If your kernel and iptables include
+# iprange match support, IP address ranges are also
+# allowed.
+#
+# If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
+# OPTIONS - (Optional) A comma-separated list of
+# options. The currently-supported options are:
+#
+# routeback - Set up a rule to ACCEPT traffic from
+# these hosts back to themselves.
+#
+# source - Allow traffic from these hosts to ANY
+# destination. Without this option or the 'dest'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'source' is specified then 'routeback' is redundent.
+#
+# dest - Allow traffic to these hosts from ANY
+# source. Without this option or the 'source'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'dest' is specified then 'routeback' is redundent.
+#
+# critical - Allow traffic between the firewall and
+# these hosts throughout '[re]start', 'stop' and
+# 'clear'. Specifying 'critical' on one or more
+# entries will cause your firewall to be "totally
+# open" for a brief window during each of those
+# operations.
+#
+# NOTE: The 'source' and 'dest' options work best when used
+# in conjunction with ADMINISABSENTMINDED=Yes in
+# /etc/shorewall/shorewall.conf.
+#
+# Example:
+#
+# INTERFACE HOST(S) OPTIONS
+# eth2 192.168.1.0/24
+# eth0 192.0.2.44
+# br0 - routeback
+# eth3 - source
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+##############################################################################
+#INTERFACE HOST(S) OPTIONS
+eth1 -
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules
new file mode 100755
index 000000000..84a499a21
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/rules
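Review bot: The single live entry `eth1 -` leaves HOST(S) empty, which per the column description above means 0.0.0.0/0 on eth1 can reach the firewall while it is stopped or being restarted; a one-line comment stating that intent would help readers who adapt the sample, e.g. `# Any host on the local interface may reach the firewall while it is stopped; narrow HOST(S) to your LAN subnet if that is too broad.` The `source` and `dest` descriptions both spell `redundent` (should be `redundant`), and the `dest` paragraph repeats the `source` wording `only traffic from this host to other listed hosts` verbatim, which may not describe the direction 'dest' governs; worth confirming against the documentation link given in the file.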
@@ -0,0 +1,445 @@
+#
+# Shorewall version 3.0 - Sample Rules File for two-interface configuration.
+#
+# /etc/shorewall/rules
+#
+# Rules in this file govern connection establishment. Requests and
+# responses are automatically allowed using connection tracking. For any
+# particular (source,dest) pair of zones, the rules are evaluated in the
+# order in which they appear in this file and the first match is the one
+# that determines the disposition of the request.
+#
+# In most places where an IP address or subnet is allowed, you
+# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
+# indicate that the rule matches all addresses except the address/subnet
+# given. Notice that no white space is permitted between "!" and the
+# address/subnet.
+#------------------------------------------------------------------------------
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
+# you cannot use an ACCEPT rule to allow traffic from the internet to
+# that system. You *must* use a DNAT rule instead.
+#------------------------------------------------------------------------------
+#
+# The rules file is divided into sections. Each section is introduced by
+# a "Section Header" which is a line beginning with SECTION followed by the
+# section name.
+#
+# Sections are as follows and must appear in the order listed:
+#
+# ESTABLISHED Packets in the ESTABLISHED state are processed
+# by rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# RELATED Packets in the RELATED state are processed by
+# rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# NEW Packets in the NEW and INVALID states are
+# processed in this section.
+#
+# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
+# ESTABLISHED and RELATED sections must be empty.
+#
+# Note: If you are not familiar with Netfilter to the point where you are
+# comfortable with the differences between the various connection
+# tracking states, then I suggest that you omit the ESTABLISHED and
+# RELATED sections and place all of your rules in the NEW section.
+#
+# You may omit any section that you don't need. If no Section Headers appear
+# in the file then all rules are assumed to be in the NEW section.
+#
+# Columns are:
+#
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+# LOG, QUEUE or an .
+#
+# ACCEPT -- allow the connection request
+# ACCEPT+ -- like ACCEPT but also excludes the
+# connection from any subsequent
+# DNAT[-] or REDIRECT[-] rules
+# NONAT -- Excludes the connection from any
+# subsequent DNAT[-] or REDIRECT[-]
+# rules but doesn't generate a rule
+# to accept the traffic.
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable or an RST packet.
+# DNAT -- Forward the request to another
+# system (and optionally another
+# port).
+# DNAT- -- Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
+# SAME -- Similar to DNAT except that the
+# port may not be remapped and when
+# multiple server addresses are
+# listed, all requests from a given
+# remote system go to the same
+# server.
+# SAME- -- Advanced users only.
+# Like SAME but only generates the
+# NAT iptables rule and not
+# the companion ACCEPT rule.
+# REDIRECT -- Redirect the request to a local
+# port on the firewall.
+# REDIRECT-
+# -- Advanced users only.
+# Like REDIRET but only generates the
+# REDIRECT iptables rule and not
+# the companion ACCEPT rule.
+#
+# CONTINUE -- (For experts only). Do not process
+# any of the following rules for this
+# (source zone,destination zone). If
+# The source and/or destination IP
+# address falls into a zone defined
+# later in /etc/shorewall/zones, this
+# connection request will be passed
+# to the rules defined for that
+# (those) zone(s).
+# LOG -- Simply log the packet and continue.
+# QUEUE -- Queue the packet to a user-space
+# application such as ftwall
+# (http://p2pwall.sf.net).
+# -- The name of an action defined in
+# /etc/shorewall/actions or in
+# /usr/share/shorewall/actions.std.
+#
+# -- The name of a macro defined in a
+# file named macro..
+#
+# The ACTION may optionally be followed
+# by ":" and a syslog log level (e.g, REJECT:info or
+# DNAT:debug). This causes the packet to be
+# logged at the specified level.
+#
+# If the ACTION names an action defined in
+# /etc/shorewall/actions or in
+# /usr/share/shorewall/actions.std then:
+#
+# - If the log level is followed by "!' then all rules
+# in the action are logged at the log level.
+#
+# - If the log level is not followed by "!" then only
+# those rules in the action that do not specify
+# logging are logged at the specified level.
+#
+# - The special log level 'none!' suppresses logging
+# by the action.
+#
+# You may also specify ULOG (must be in upper case) as a
+# log level.This will log to the ULOG target for routing
+# to a separate log through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# Actions specifying logging may be followed by a
+# log tag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
+# SOURCE Source hosts to which the rule applies. May be a zone
+# defined in /etc/shorewall/zones, $FW to indicate the
+# firewall itself, "all", "all+" or "none" If the ACTION
+# is DNAT or REDIRECT, sub-zones of the specified zone
+# may be excluded from the rule by following the zone
+# name with "!' and a comma-separated list of sub-zone
+# names.
+#
+# When "none" is used either in the SOURCE or DEST
+# column, the rule is ignored.
+#
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
+#
+# Except when "all[+]" is specified, clients may be
+# further restricted to a list of subnets and/or hosts by
+# appending ":" and a comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
+#
+# Hosts may be specified as an IP address range using the
+# syntax -. This requires that
+# your kernel and iptables contain iprange match support.
+# If you kernel and iptables have ipset match support
+# then you may give the name of an ipset prefaced by "+".
+# The ipset name may be optionally followed by a number
+# from 1 to 6 enclosed in square brackets ([]) to
+# indicate the number of levels of source bindings to be
+# matched.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+#
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# loc:192.168.1.1,192.168.1.2
+# Hosts 192.168.1.1 and
+# 192.168.1.2 in the local zone.
+# loc:~00-A0-C9-15-39-78 Host in the local zone with
+# MAC address 00:A0:C9:15:39:78.
+#
+# net:192.0.2.11-192.0.2.17
+# Hosts 192.0.2.11-192.0.2.17 in
+# the net zone.
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" to the zone name followed by the
+# interface name. For example, loc:eth1 specifies a
+# client that communicates with the firewall system
+# through eth1. This may be optionally followed by
+# another colon (":") and an IP/MAC/subnet address
+# as described above (e.g., loc:eth1:192.168.1.5).
+#
+# DEST Location of Server. May be a zone defined in
+# /etc/shorewall/zones, $FW to indicate the firewall
+# itself, "all". "all+" or "none".
+#
+# When "none" is used either in the SOURCE or DEST
+# column, the rule is ignored.
+#
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
+#
+# Except when "all[+]" is specified, the server may be
+# further restricted to a particular subnet, host or
+# interface by appending ":" and the subnet, host or
+# interface. See above.
+#
+# Restrictions:
+#
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
+# 3. You may not specify both an interface and
+# an address.
+#
+# Like in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# -. When the ACTION is DNAT or DNAT-,
+# the connections will be assigned to addresses in the
+# range in a round-robin fashion.
+#
+# If you kernel and iptables have ipset match support
+# then you may give the name of an ipset prefaced by "+".
+# The ipset name may be optionally followed by a number
+# from 1 to 6 enclosed in square brackets ([]) to
+# indicate the number of levels of destination bindings
+# to be matched. Only one of the SOURCE and DEST columns
+# may specify an ipset name.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port. A destination port may only be
+# included if the ACTION is DNAT or REDIRECT.
+#
+# Example: loc:192.168.1.3:3128 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 3128. The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# if the ACTION is REDIRECT, this column needs only to
+# contain the port number on the firewall that the
+# request should be redirected to.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+# a number, or "all". "ipp2p" requires ipp2p match
+# support in your kernel and iptables.
+#
+# DEST PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# If the protocol is ipp2p, this column is interpreted
+# as an ipp2p option without the leading "--" (example
+# "bit" for bit-torrent). If no port is given, "ipp2p" is
+# assumed.
+#
+# A port range is expressed as :.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following ields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+#
+# If you don't want to restrict client ports but need to
+# specify an ORIGINAL DEST in the next column, then
+# place "-" in this column.
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
+# then if included and different from the IP
+# address given in the SERVER column, this is an address
+# on some interface on the firewall and connections to
+# that address will be forwarded to the IP and port
+# specified in the DEST column.
+#
+# A comma-separated list of addresses may also be used.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# particular set of hosts.
+#
+# Finally, if the list of addresses begins with "!" then
+# the rule will be followed only if the original
+# destination address in the connection request does not
+# match any of the addresses listed.
+#
+# For other actions, this column may be included and may
+# contain one or more addresses (host or network)
+# separated by commas. Address ranges are not allowed.
+# When this column is supplied, rules are generated
+# that require that the original destination address
+# matches one of the listed addresses. This feature is
+# most useful when you want to generate a filter rule
+# that corresponds to a DNAT- or REDIRECT- rule. In this
+# usage, the list of addresses should not begin with "!".
+#
+# See http://shorewall.net/PortKnocking.html for an
+# example of using an entry in this column with a
+# user-defined action rule.
+#
+# RATE LIMIT You may rate-limit the rule by placing a value in
+# this colume:
+#
+# /[:]
+#
+# where is the number of connections per
+# ("sec" or "min") and is the
+# largest burst permitted. If no is given,
+# a value of 5 is assumed. There may be no
+# no whitespace embedded in the specification.
+#
+# Example: 10/sec:20
+#
+# USER/GROUP This column may only be non-empty if the SOURCE is
+# the firewall itself.
+#
+# The column may contain:
+#
+# [!][][:][+]
+#
+# When this column is non-empty, the rule applies only
+# if the program generating the output is running under
+# the effective and/or specified (or is
+# NOT running under that id if "!" is given).
+#
+# Examples:
+#
+# joe #program must be run by joe
+# :kids #program must be run by a member of
+# #the 'kids' group
+# !:kids #program must not be run by a member
+# #of the 'kids' group
+# +upnpd #program named 'upnpd'
+#
+# Example: Accept SMTP requests from the DMZ to the internet
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT dmz net tcp smtp
+#
+# Example: Forward all ssh and http connection requests from the
+# internet to local system 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp ssh,http
+#
+# Example: Forward all http connection requests from the internet
+# to local system 192.168.1.3 with a limit of 3 per second and
+# a maximum burst of 10
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# # PORT PORT(S) DEST LIMIT
+# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 3128 on the firewall (Squid running on the firewall
+# system) except when the destination address is 192.168.2.2
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# REDIRECT loc 3128 tcp www - !192.168.2.2
+#
+# Example: All http requests from the internet to address
+# 130.252.100.69 are to be forwarded to 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
+#
+# Example: You want to accept SSH connections to your firewall only
+# from internet IP addresses 130.252.100.69 and 130.252.100.70
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
+# tcp 22
+#############################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+# PORT PORT(S) DEST LIMIT GROUP
+#
+# Accept DNS connections from the firewall to the network
+#
+DNS/ACCEPT $FW net
+#
+# Accept SSH connections from the local network for administration
+#
+SSH/ACCEPT loc $FW
+#
+# Allow Ping from the local network
+#
+Ping/ACCEPT loc $FW
+
+#
+# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
+#
+
+Ping/REJECT net $FW
+
+ACCEPT $FW loc icmp
+ACCEPT $FW net icmp
+#
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/zones b/Shorewall/Samples/two-interfaces/zones
new file mode 100644
index 000000000..7e3e8a14e
--- /dev/null
+++ b/Shorewall/Samples/two-interfaces/zones
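Review bot: The column-header comment directly above the first active rule is duplicated: `# PORT PORT(S) DEST LIMIT GROUP` is emitted on two consecutive lines after the `#ACTION SOURCE DEST ...` line, so one copy should be dropped. The header text in this file also carries several typos worth fixing in the same pass: 'REDIRET' (for REDIRECT) in the REDIRECT- description, '0ptional' spelled with a zero under ORIGINAL DEST, 'ields' under DEST PORT(S), 'modifiy' under DEST, 'colume' under RATE LIMIT and 'preceed' in the introduction; the routestopped sample in the previous hunk has 'redundent' twice. Several placeholders render empty here (e.g. `LOG, QUEUE or an .` and `A port range is expressed as :.`), which looks like angle-bracketed tokens lost in display rather than a defect in the file, but is worth confirming against the committed text.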
@@ -0,0 +1,94 @@
+#
+# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
+#
+# /etc/shorewall/zones
+#
+# This file determines your network zones.
+#
+# Columns are:
+#
+# ZONE Short name of the zone (5 Characters or less in length).
+# The names "all" and "none" are reserved and may not be
+# used as zone names.
+#
+# Where a zone is nested in one or more other zones,
+# you may follow the (sub)zone name by ":" and a
+# comma-separated list of the parent zones. The parent
+# zones must have been defined in earlier records in this
+# file.
+#
+# Example:
+#
+# #ZONE TYPE OPTIONS
+# a ipv4
+# b ipv4
+# c:a,b ipv4
+#
+# Currently, Shorewall uses this information only to reorder the
+# zone list so that parent zones appear after their subzones in
+# the list. In the future, Shorewall may make more extensive use
+# of that information.
+#
+# TYPE ipv4 - This is the standard Shorewall zone type and is the
+# default if you leave this column empty or if you enter
+# "-" in the column. Communication with some zone hosts
+# may be encrypted. Encrypted hosts are designated using
+# the 'ipsec'option in /etc/shorewall/hosts.
+# ipsec - Communication with all zone hosts is encrypted
+# Your kernel and iptables must include policy
+# match support.
+# firewall
+# - Designates the firewall itself. You must have
+# exactly one 'firewall' zone. No options are
+# permitted with a 'firewall' zone. The name that you
+# enter in the ZONE column will be stored in the shell
+# variable $FW which you may use in other configuration
+# files to designate the firewall zone.
+#
+# OPTIONS, A comma-separated list of options as follows:
+# IN OPTIONS,
+# OUT OPTIONS reqid= where is specified
+# using setkey(8) using the 'unique:
+# option for the SPD level.
+#
+# spi= where is the SPI of
+# the SA used to encrypt/decrypt packets.
+#
+# proto=ah|esp|ipcomp
+#
+# mss= (sets the MSS field in TCP packets)
+#
+# mode=transport|tunnel
+#
+# tunnel-src=[/] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all rules.
+#
+# next Separates rules; can only be used with
+# strict..
+#
+# Example:
+# mode=transport,reqid=44
+#
+# The options in the OPTIONS column are applied to both incoming
+# and outgoing traffic. The IN OPTIONS are applied to incoming
+# traffic (in addition to OPTIONS) and the OUT OPTIONS are
+# applied to outgoing traffic.
+#
+# If you wish to leave a column empty but need to make an entry
+# in a following column, use "-".
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv4
+loc ipv4
+
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 94f4f1c86..46412bc3b 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -4,6 +4,9 @@ Changes in 3.0.0 RC 2.
 2) Correct cut-and-paste error in 'arp_ignore' processing.
+3) Add 'src' to gateway routes. Make 'find_first_interface_address' look for
+ global addresses only.
+
 Changes in 3.0.0 RC 1.
 1) Correct spelling of MACLIST_TABLE in shorewall.conf.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index bbcdb5d55..f4e93dd68 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1315,7 +1315,7 @@ setup_providers()
 fi
 if [ $COMMAND != check ]; then
- ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace $gateway dev $interface table $number"
+ ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace $gateway src $(find_first_interface_address $interface) dev $interface table $number"
 ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route add default via $gateway dev $interface table $number"
 fi
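Review bot: The added `src $(find_first_interface_address $interface)` runs the lookup inside a command substitution, so when the interface has no usable address the function's bail-out (its body is outside this hunk; the comment there says it bails out when no address is found) terminates only the subshell, and the string handed to ensure_and_save_command degrades to `ip route replace $gateway src dev $interface table $number`, which ip will not parse. Capture the result first and check it before building the command: `address=$(find_first_interface_address $interface)`, then `[ -n "$address" ] ||` the script's usual fatal-error path, then `ip route replace $gateway src $address dev $interface table $number`. The address is also expanded here at generation time, so if ensure_and_save_command persists the string for later replay as its name suggests, a provider interface whose address changes afterwards (a DHCP lease, for instance) would be restored with a stale src hint; that limitation deserves a comment on the line or a sentence in the changelog entry. setup_providers starts and ends outside the hunk.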
@@ -1696,7 +1696,7 @@ find_first_interface_address() # $1 = interface
 #
 # get the line of output containing the first IP address
 #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
+ addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
 #
 # If there wasn't one, bail out now
 #
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 4cd560bdd..8db885a01 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -154,7 +154,7 @@ fi
 %attr(0600,root,root) /usr/share/shorewall/rfc1918
 %attr(0600,root,root) /usr/share/shorewall/configpath
-%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
+%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 %changelog
 * Mon Oct 17 2005 Tom Eastep tom@shorewall.net
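Review bot: `grep 'inet .* global'` matches the word global anywhere after the address, which in `ip addr show` output can include the interface label at the end of the line rather than the scope field; `grep 'inet .*scope global'` pins the match to the scope keyword ip prints. With this change an interface that carries only link- or host-scope addresses now reaches the bail-out a few lines below, and because setup_providers now calls this function for the gateway route (previous hunk), such a provider interface will abort startup instead of getting a route without src; that behaviour change belongs in the function's header comment, e.g. `# $1 = interface; echoes its first global-scope IPv4 address and fails if there is none`. The rest of the function is outside the hunk.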