mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-09 15:18:12 +01:00
Add samples to base package
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2907 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
629d7c87d2
commit
4b97c4584c
236
Shorewall/Samples/one-interface/interfaces
Executable file
236
Shorewall/Samples/one-interface/interfaces
Executable file
@ -0,0 +1,236 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/interfaces
|
||||||
|
#
|
||||||
|
# You must add an entry in this file for each network interface on your
|
||||||
|
# firewall system.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Zone for this interface. Must match the name of a
|
||||||
|
# zone defined in /etc/shorewall/zones. You may not
|
||||||
|
# list the firewall zone in this column.
|
||||||
|
#
|
||||||
|
# If the interface serves multiple zones that will be
|
||||||
|
# defined in the /etc/shorewall/hosts file, you should
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# INTERFACE Name of interface. Each interface may be listed only
|
||||||
|
# once in this file. You may NOT specify the name of
|
||||||
|
# an alias (e.g., eth0:0) here; see
|
||||||
|
# http://www.shorewall.net/FAQ.htm#faq18
|
||||||
|
#
|
||||||
|
# You may specify wildcards here. For example, if you
|
||||||
|
# want to make an entry that applies to all PPP
|
||||||
|
# interfaces, use 'ppp+'.
|
||||||
|
#
|
||||||
|
# There is no need to define the loopback interface (lo)
|
||||||
|
# in this file.
|
||||||
|
#
|
||||||
|
# BROADCAST The broadcast address for the subnetwork to which the
|
||||||
|
# interface belongs. For P-T-P interfaces, this
|
||||||
|
# column is left blank.If the interface has multiple
|
||||||
|
# addresses on multiple subnets then list the broadcast
|
||||||
|
# addresses as a comma-separated list.
|
||||||
|
#
|
||||||
|
# If you use the special value "detect", the firewall
|
||||||
|
# will detect the broadcast address for you. If you
|
||||||
|
# select this option, the interface must be up before
|
||||||
|
# the firewall is started, you must have iproute
|
||||||
|
# installed.
|
||||||
|
#
|
||||||
|
# If you don't want to give a value for this column but
|
||||||
|
# you want to enter a value in the OPTIONS column, enter
|
||||||
|
# "-" in this column.
|
||||||
|
#
|
||||||
|
# OPTIONS A comma-separated list of options including the
|
||||||
|
# following:
|
||||||
|
#
|
||||||
|
# dhcp - Specify this option when any of
|
||||||
|
# the following are true:
|
||||||
|
# 1. the interface gets its IP address
|
||||||
|
# via DHCP
|
||||||
|
# 2. the interface is used by
|
||||||
|
# a DHCP server running on the firewall
|
||||||
|
# 3. you have a static IP but are on a LAN
|
||||||
|
# segment with lots of Laptop DHCP
|
||||||
|
# clients.
|
||||||
|
# 4. the interface is a bridge with
|
||||||
|
# a DHCP server on one port and DHCP
|
||||||
|
# clients on another port.
|
||||||
|
#
|
||||||
|
# norfc1918 - This interface should not receive
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by RFC 1918
|
||||||
|
# (i.e., private or "non-routable"
|
||||||
|
# addresses. If packet mangling or
|
||||||
|
# connection-tracking match is enabled in
|
||||||
|
# your kernel, packets whose destination
|
||||||
|
# addresses are reserved by RFC 1918 are
|
||||||
|
# also rejected.
|
||||||
|
#
|
||||||
|
# routefilter - turn on kernel route filtering for this
|
||||||
|
# interface (anti-spoofing measure). This
|
||||||
|
# option can also be enabled globally in
|
||||||
|
# the /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# logmartians - turn on kernel martian logging (logging
|
||||||
|
# of packets with impossible source
|
||||||
|
# addresses. It is suggested that if you
|
||||||
|
# set routefilter on an interface that
|
||||||
|
# you also set logmartians. This option
|
||||||
|
# may also be enabled globally in the
|
||||||
|
# /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# blacklist - Check packets arriving on this interface
|
||||||
|
# against the /etc/shorewall/blacklist
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# maclist - Connection requests from this interface
|
||||||
|
# are compared against the contents of
|
||||||
|
# /etc/shorewall/maclist. If this option
|
||||||
|
# is specified, the interface must be
|
||||||
|
# an ethernet NIC and must be up before
|
||||||
|
# Shorewall is started.
|
||||||
|
#
|
||||||
|
# tcpflags - Packets arriving on this interface are
|
||||||
|
# checked for certain illegal combinations
|
||||||
|
# of TCP flags. Packets found to have
|
||||||
|
# such a combination of flags are handled
|
||||||
|
# according to the setting of
|
||||||
|
# TCP_FLAGS_DISPOSITION after having been
|
||||||
|
# logged according to the setting of
|
||||||
|
# TCP_FLAGS_LOG_LEVEL.
|
||||||
|
#
|
||||||
|
# proxyarp -
|
||||||
|
# Sets
|
||||||
|
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||||
|
# Do NOT use this option if you are
|
||||||
|
# employing Proxy ARP through entries in
|
||||||
|
# /etc/shorewall/proxyarp. This option is
|
||||||
|
# intended soley for use with Proxy ARP
|
||||||
|
# sub-networking as described at:
|
||||||
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
|
#
|
||||||
|
# newnotsyn - TCP packets that don't have the SYN
|
||||||
|
# flag set and which are not part of an
|
||||||
|
# established connection will be accepted
|
||||||
|
# from this interface, even if
|
||||||
|
# NEWNOTSYN=No has been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf. In other
|
||||||
|
# words, packets coming in on this
|
||||||
|
# interface are processed as if
|
||||||
|
# NEWNOTSYN=Yes had been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# This option has no effect if
|
||||||
|
# NEWNOTSYN=Yes.
|
||||||
|
#
|
||||||
|
# It is the opinion of the author that
|
||||||
|
# NEWNOTSYN=No creates more problems than
|
||||||
|
# it solves and I recommend against using
|
||||||
|
# that setting in shorewall.conf (hence
|
||||||
|
# making the use of the 'newnotsyn'
|
||||||
|
# interface option unnecessary).
|
||||||
|
#
|
||||||
|
# routeback - If specified, indicates that Shorewall
|
||||||
|
# should include rules that allow
|
||||||
|
# filtering traffic arriving on this
|
||||||
|
# interface back out that same interface.
|
||||||
|
#
|
||||||
|
# arp_filter - If specified, this interface will only
|
||||||
|
# respond to ARP who-has requests for IP
|
||||||
|
# addresses configured on the interface.
|
||||||
|
# If not specified, the interface can
|
||||||
|
# respond to ARP who-has requests for
|
||||||
|
# IP addresses on any of the firewall's
|
||||||
|
# interface. The interface must be up
|
||||||
|
# when Shorewall is started.
|
||||||
|
#
|
||||||
|
# arp_ignore[=<number>]
|
||||||
|
# - If specified, this interface will
|
||||||
|
# respond to arp requests based on the
|
||||||
|
# value of <number>.
|
||||||
|
#
|
||||||
|
# 1 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface
|
||||||
|
#
|
||||||
|
# 2 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface and both with the
|
||||||
|
# sender's IP address are part from same
|
||||||
|
# subnet on this interface
|
||||||
|
#
|
||||||
|
# 3 - do not reply for local addresses
|
||||||
|
# configured with scope host, only
|
||||||
|
# resolutions for global and link
|
||||||
|
# addresses are replied
|
||||||
|
#
|
||||||
|
# 4-7 - reserved
|
||||||
|
#
|
||||||
|
# 8 - do not reply for all local
|
||||||
|
# addresses
|
||||||
|
#
|
||||||
|
# If no <number> is given then the value
|
||||||
|
# 1 is assumed
|
||||||
|
#
|
||||||
|
# WARNING -- DO NOT SPECIFY arp_ignore
|
||||||
|
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
|
||||||
|
#
|
||||||
|
# nosmurfs - Filter packets for smurfs
|
||||||
|
# (packets with a broadcast
|
||||||
|
# address as the source).
|
||||||
|
#
|
||||||
|
# Smurfs will be optionally logged based
|
||||||
|
# on the setting of SMURF_LOG_LEVEL in
|
||||||
|
# shorewall.conf. After logging, the
|
||||||
|
# packets are dropped.
|
||||||
|
#
|
||||||
|
# detectnets - Automatically taylors the zone named
|
||||||
|
# in the ZONE column to include only those
|
||||||
|
# hosts routed through the interface.
|
||||||
|
#
|
||||||
|
# upnp - Incoming requests from this interface
|
||||||
|
# may be remapped via UPNP (upnpd).
|
||||||
|
#
|
||||||
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||||
|
# INTERNET INTERFACE.
|
||||||
|
#
|
||||||
|
# The order in which you list the options is not
|
||||||
|
# significant but the list should have no embedded white
|
||||||
|
# space.
|
||||||
|
#
|
||||||
|
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||||
|
# eth1 connected to your local network and that your
|
||||||
|
# local subnet is 192.168.1.0/24. The interface gets
|
||||||
|
# it's IP address via DHCP from subnet
|
||||||
|
# 206.191.149.192/27. You have a DMZ with subnet
|
||||||
|
# 192.168.2.0/24 using eth2.
|
||||||
|
#
|
||||||
|
# Your entries for this setup would look like:
|
||||||
|
#
|
||||||
|
# net eth0 206.191.149.223 dhcp
|
||||||
|
# local eth1 192.168.1.255
|
||||||
|
# dmz eth2 192.168.2.255
|
||||||
|
#
|
||||||
|
# Example 2: The same configuration without specifying broadcast
|
||||||
|
# addresses is:
|
||||||
|
#
|
||||||
|
# net eth0 detect dhcp
|
||||||
|
# loc eth1 detect
|
||||||
|
# dmz eth2 detect
|
||||||
|
#
|
||||||
|
# Example 3: You have a simple dial-in system with no ethernet
|
||||||
|
# connections.
|
||||||
|
#
|
||||||
|
# net ppp0 -
|
||||||
|
#
|
||||||
|
# For additional information, see
|
||||||
|
# http://shorewall.net/Documentation.htm#Interfaces
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
90
Shorewall/Samples/one-interface/policy
Normal file
90
Shorewall/Samples/one-interface/policy
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/policy
|
||||||
|
#
|
||||||
|
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||||
|
#
|
||||||
|
# This file determines what to do with a new connection request if we
|
||||||
|
# don't get a match from the /etc/shorewall/rules file . For each
|
||||||
|
# source/destination pair, the file is processed in order until a
|
||||||
|
# match is found ("all" will match any client or server).
|
||||||
|
#
|
||||||
|
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
||||||
|
#
|
||||||
|
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||||
|
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||||
|
# logging or TCP connection rate limiting but may be overridden by an
|
||||||
|
# entry in this file. The overriding entry must be explicit (cannot use
|
||||||
|
# "all" in the SOURCE or DEST).
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# SOURCE Source zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all".
|
||||||
|
#
|
||||||
|
# DEST Destination zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all"
|
||||||
|
#
|
||||||
|
# POLICY Policy if no match from the rules file is found. Must
|
||||||
|
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||||
|
#
|
||||||
|
# ACCEPT - Accept the connection
|
||||||
|
# DROP - Ignore the connection request
|
||||||
|
# REJECT - For TCP, send RST. For all other,
|
||||||
|
# send "port unreachable" ICMP.
|
||||||
|
# QUEUE - Send the request to a user-space
|
||||||
|
# application using the QUEUE target.
|
||||||
|
# CONTINUE - Pass the connection request past
|
||||||
|
# any other rules that it might also
|
||||||
|
# match (where the source or
|
||||||
|
# destination zone in those rules is
|
||||||
|
# a superset of the SOURCE or DEST
|
||||||
|
# in this policy).
|
||||||
|
# NONE - Assume that there will never be any
|
||||||
|
# packets from this SOURCE
|
||||||
|
# to this DEST. Shorewall will not set
|
||||||
|
# up any infrastructure to handle such
|
||||||
|
# packets and you may not have any
|
||||||
|
# rules with this SOURCE and DEST in
|
||||||
|
# the /etc/shorewall/rules file. If
|
||||||
|
# such a packet _is_ received, the
|
||||||
|
# result is undefined. NONE may not be
|
||||||
|
# used if the SOURCE or DEST columns
|
||||||
|
# contain the firewall zone ($FW) or
|
||||||
|
# "all".
|
||||||
|
#
|
||||||
|
# If this column contains ACCEPT, DROP or REJECT and a
|
||||||
|
# corresponding common action is defined in
|
||||||
|
# /etc/shorewall/actions (or
|
||||||
|
# /usr/share/shorewall/actions.std) then that action
|
||||||
|
# will be invoked before the policy named in this column
|
||||||
|
# is enforced.
|
||||||
|
#
|
||||||
|
# LOG LEVEL If supplied, each connection handled under the default
|
||||||
|
# POLICY is logged at that level. If not supplied, no
|
||||||
|
# log message is generated. See syslog.conf(5) for a
|
||||||
|
# description of log levels.
|
||||||
|
#
|
||||||
|
# Beginning with Shorewall version 1.3.12, you may
|
||||||
|
# also specify ULOG (must be in upper case). This will
|
||||||
|
# log to the ULOG target and sent to a separate log
|
||||||
|
# through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# If you don't want to log but need to specify the
|
||||||
|
# following column, place "-" here.
|
||||||
|
#
|
||||||
|
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||||
|
# and the size of an acceptable burst. If not specified,
|
||||||
|
# TCP connections are not limited.
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
$FW net ACCEPT
|
||||||
|
net all DROP info
|
||||||
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
|
all all REJECT info
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
430
Shorewall/Samples/one-interface/rules
Executable file
430
Shorewall/Samples/one-interface/rules
Executable file
@ -0,0 +1,430 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Rules File for one-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/rules
|
||||||
|
#
|
||||||
|
# Rules in this file govern connection establishment. Requests and
|
||||||
|
# responses are automatically allowed using connection tracking. For any
|
||||||
|
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||||
|
# order in which they appear in this file and the first match is the one
|
||||||
|
# that determines the disposition of the request.
|
||||||
|
#
|
||||||
|
# In most places where an IP address or subnet is allowed, you
|
||||||
|
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||||
|
# indicate that the rule matches all addresses except the address/subnet
|
||||||
|
# given. Notice that no white space is permitted between "!" and the
|
||||||
|
# address/subnet.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||||
|
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||||
|
# that system. You *must* use a DNAT rule instead.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# The rules file is divided into sections. Each section is introduced by
|
||||||
|
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||||
|
# section name.
|
||||||
|
#
|
||||||
|
# Sections are as follows and must appear in the order listed:
|
||||||
|
#
|
||||||
|
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||||
|
# by rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# RELATED Packets in the RELATED state are processed by
|
||||||
|
# rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# NEW Packets in the NEW and INVALID states are
|
||||||
|
# processed by rules in this section.
|
||||||
|
#
|
||||||
|
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||||
|
# ESTABLISHED and RELATED sections must be empty.
|
||||||
|
#
|
||||||
|
# Note: If you are not familiar with Netfilter to the point where you are
|
||||||
|
# comfortable with the differences between the various connection
|
||||||
|
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||||
|
# RELATED sections and place all of your rules in the NEW section.
|
||||||
|
#
|
||||||
|
# You may omit any section that you don't need. If no Section Headers appear
|
||||||
|
# in the file then all rules are assumed to be in the NEW section.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||||
|
# LOG, QUEUE or an <action>.
|
||||||
|
#
|
||||||
|
# ACCEPT -- allow the connection request
|
||||||
|
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||||
|
# connection from any subsequent
|
||||||
|
# DNAT[-] or REDIRECT[-] rules
|
||||||
|
# NONAT -- Excludes the connection from any
|
||||||
|
# subsequent DNAT[-] or REDIRECT[-]
|
||||||
|
# rules but doesn't generate a rule
|
||||||
|
# to accept the traffic.
|
||||||
|
# DROP -- ignore the request
|
||||||
|
# REJECT -- disallow the request and return an
|
||||||
|
# icmp-unreachable or an RST packet.
|
||||||
|
# DNAT -- Forward the request to another
|
||||||
|
# system (and optionally another
|
||||||
|
# port).
|
||||||
|
# DNAT- -- Advanced users only.
|
||||||
|
# Like DNAT but only generates the
|
||||||
|
# DNAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# SAME -- Similar to DNAT except that the
|
||||||
|
# port may not be remapped and when
|
||||||
|
# multiple server addresses are
|
||||||
|
# listed, all requests from a given
|
||||||
|
# remote system go to the same
|
||||||
|
# server.
|
||||||
|
# SAME- -- Advanced users only.
|
||||||
|
# Like SAME but only generates the
|
||||||
|
# NAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# REDIRECT -- Redirect the request to a local
|
||||||
|
# port on the firewall.
|
||||||
|
# REDIRECT-
|
||||||
|
# -- Advanced users only.
|
||||||
|
# Like REDIRET but only generates the
|
||||||
|
# REDIRECT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
#
|
||||||
|
# CONTINUE -- (For experts only). Do not process
|
||||||
|
# any of the following rules for this
|
||||||
|
# (source zone,destination zone). If
|
||||||
|
# The source and/or destination IP
|
||||||
|
# address falls into a zone defined
|
||||||
|
# later in /etc/shorewall/zones, this
|
||||||
|
# connection request will be passed
|
||||||
|
# to the rules defined for that
|
||||||
|
# (those) zone(s).
|
||||||
|
# LOG -- Simply log the packet and continue.
|
||||||
|
# QUEUE -- Queue the packet to a user-space
|
||||||
|
# application such as ftwall
|
||||||
|
# (http://p2pwall.sf.net).
|
||||||
|
# <action> -- The name of an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std.
|
||||||
|
#
|
||||||
|
# <macro> -- The name of a macro defined in a
|
||||||
|
# file named macro.<macro-name>.
|
||||||
|
#
|
||||||
|
# The ACTION may optionally be followed
|
||||||
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||||
|
# DNAT:debug). This causes the packet to be
|
||||||
|
# logged at the specified level.
|
||||||
|
#
|
||||||
|
# If the ACTION names an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std then:
|
||||||
|
#
|
||||||
|
# - If the log level is followed by "!' then all rules
|
||||||
|
# in the action are logged at the log level.
|
||||||
|
#
|
||||||
|
# - If the log level is not followed by "!" then only
|
||||||
|
# those rules in the action that do not specify
|
||||||
|
# logging are logged at the specified level.
|
||||||
|
#
|
||||||
|
# - The special log level 'none!' suppresses logging
|
||||||
|
# by the action.
|
||||||
|
#
|
||||||
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
|
# log level.This will log to the ULOG target for routing
|
||||||
|
# to a separate log through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# Actions specifying logging may be followed by a
|
||||||
|
# log tag (a string of alphanumeric characters)
|
||||||
|
# are appended to the string generated by the
|
||||||
|
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||||
|
#
|
||||||
|
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||||
|
# at the end of the log prefix generated by the
|
||||||
|
# LOGPREFIX setting.
|
||||||
|
#
|
||||||
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
|
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||||
|
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||||
|
# may be excluded from the rule by following the zone
|
||||||
|
# name with "!' and a comma-separated list of sub-zone
|
||||||
|
# names.
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, clients may be
|
||||||
|
# further restricted to a list of subnets and/or hosts by
|
||||||
|
# appending ":" and a comma-separated list of subnets
|
||||||
|
# and/or hosts. Hosts may be specified by IP or MAC
|
||||||
|
# address; mac addresses must begin with "~" and must use
|
||||||
|
# "-" as a separator.
|
||||||
|
#
|
||||||
|
# Hosts may be specified as an IP address range using the
|
||||||
|
# syntax <low address>-<high address>. This requires that
|
||||||
|
# your kernel and iptables contain iprange match support.
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of source bindings to be
|
||||||
|
# matched.
|
||||||
|
#
|
||||||
|
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||||
|
#
|
||||||
|
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||||
|
# Internet
|
||||||
|
#
|
||||||
|
# loc:192.168.1.1,192.168.1.2
|
||||||
|
# Hosts 192.168.1.1 and
|
||||||
|
# 192.168.1.2 in the local zone.
|
||||||
|
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||||
|
# MAC address 00:A0:C9:15:39:78.
|
||||||
|
#
|
||||||
|
# net:192.0.2.11-192.0.2.17
|
||||||
|
# Hosts 192.0.2.11-192.0.2.17 in
|
||||||
|
# the net zone.
|
||||||
|
#
|
||||||
|
# Alternatively, clients may be specified by interface
|
||||||
|
# by appending ":" to the zone name followed by the
|
||||||
|
# interface name. For example, loc:eth1 specifies a
|
||||||
|
# client that communicates with the firewall system
|
||||||
|
# through eth1. This may be optionally followed by
|
||||||
|
# another colon (":") and an IP/MAC/subnet address
|
||||||
|
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||||
|
#
|
||||||
|
# DEST Location of Server. May be a zone defined in
|
||||||
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||||
|
# itself, "all". "all+" or "none".
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, the server may be
|
||||||
|
# further restricted to a particular subnet, host or
|
||||||
|
# interface by appending ":" and the subnet, host or
|
||||||
|
# interface. See above.
|
||||||
|
#
|
||||||
|
# Restrictions:
|
||||||
|
#
|
||||||
|
# 1. MAC addresses are not allowed.
|
||||||
|
# 2. In DNAT rules, only IP addresses are
|
||||||
|
# allowed; no FQDNs or subnet addresses
|
||||||
|
# are permitted.
|
||||||
|
# 3. You may not specify both an interface and
|
||||||
|
# an address.
|
||||||
|
#
|
||||||
|
# Like in the SOURCE column, you may specify a range of
|
||||||
|
# up to 256 IP addresses using the syntax
|
||||||
|
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||||
|
# the connections will be assigned to addresses in the
|
||||||
|
# range in a round-robin fashion.
|
||||||
|
#
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of destination bindings
|
||||||
|
# to be matched. Only one of the SOURCE and DEST columns
|
||||||
|
# may specify an ipset name.
|
||||||
|
#
|
||||||
|
# The port that the server is listening on may be
|
||||||
|
# included and separated from the server's IP address by
|
||||||
|
# ":". If omitted, the firewall will not modifiy the
|
||||||
|
# destination port. A destination port may only be
|
||||||
|
# included if the ACTION is DNAT or REDIRECT.
|
||||||
|
#
|
||||||
|
# Example: loc:192.168.1.3:3128 specifies a local
|
||||||
|
# server at IP address 192.168.1.3 and listening on port
|
||||||
|
# 3128. The port number MUST be specified as an integer
|
||||||
|
# and not as a name from /etc/services.
|
||||||
|
#
|
||||||
|
# if the ACTION is REDIRECT, this column needs only to
|
||||||
|
# contain the port number on the firewall that the
|
||||||
|
# request should be redirected to.
|
||||||
|
#
|
||||||
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
|
#
|
||||||
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
|
# names (from /etc/services), port numbers or port
|
||||||
|
# ranges; if the protocol is "icmp", this column is
|
||||||
|
# interpreted as the destination icmp-type(s).
|
||||||
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example
|
||||||
|
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
|
# A port range is expressed as <low port>:<high port>.
|
||||||
|
#
|
||||||
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
|
# entered if any of the following ields are supplied.
|
||||||
|
# In that case, it is suggested that this field contain
|
||||||
|
# "-"
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the CLIENT PORT(S) list below:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||||
|
# any source port is acceptable. Specified as a comma-
|
||||||
|
# separated list of port names, port numbers or port
|
||||||
|
# ranges.
|
||||||
|
#
|
||||||
|
# If you don't want to restrict client ports but need to
|
||||||
|
# specify an ORIGINAL DEST in the next column, then
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the DEST PORT(S) list above:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
|
||||||
|
# then if included and different from the IP
|
||||||
|
# address given in the SERVER column, this is an address
|
||||||
|
# on some interface on the firewall and connections to
|
||||||
|
# that address will be forwarded to the IP and port
|
||||||
|
# specified in the DEST column.
|
||||||
|
#
|
||||||
|
# A comma-separated list of addresses may also be used.
|
||||||
|
# This is usually most useful with the REDIRECT target
|
||||||
|
# where you want to redirect traffic destined for
|
||||||
|
# particular set of hosts.
|
||||||
|
#
|
||||||
|
# Finally, if the list of addresses begins with "!" then
|
||||||
|
# the rule will be followed only if the original
|
||||||
|
# destination address in the connection request does not
|
||||||
|
# match any of the addresses listed.
|
||||||
|
#
|
||||||
|
# For other actions, this column may be included and may
|
||||||
|
# contain one or more addresses (host or network)
|
||||||
|
# separated by commas. Address ranges are not allowed.
|
||||||
|
# When this column is supplied, rules are generated
|
||||||
|
# that require that the original destination address
|
||||||
|
# matches one of the listed addresses. This feature is
|
||||||
|
# most useful when you want to generate a filter rule
|
||||||
|
# that corresponds to a DNAT- or REDIRECT- rule. In this
|
||||||
|
# usage, the list of addresses should not begin with "!".
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/PortKnocking.html for an
|
||||||
|
# example of using an entry in this column with a
|
||||||
|
# user-defined action rule.
|
||||||
|
#
|
||||||
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
|
# this colume:
|
||||||
|
#
|
||||||
|
# <rate>/<interval>[:<burst>]
|
||||||
|
#
|
||||||
|
# where <rate> is the number of connections per
|
||||||
|
# <interval> ("sec" or "min") and <burst> is the
|
||||||
|
# largest burst permitted. If no <burst> is given,
|
||||||
|
# a value of 5 is assumed. There may be no
|
||||||
|
# no whitespace embedded in the specification.
|
||||||
|
#
|
||||||
|
# Example: 10/sec:20
|
||||||
|
#
|
||||||
|
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||||
|
# the firewall itself.
|
||||||
|
#
|
||||||
|
# The column may contain:
|
||||||
|
#
|
||||||
|
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||||
|
#
|
||||||
|
# When this column is non-empty, the rule applies only
|
||||||
|
# if the program generating the output is running under
|
||||||
|
# the effective <user> and/or <group> specified (or is
|
||||||
|
# NOT running under that id if "!" is given).
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# joe #program must be run by joe
|
||||||
|
# :kids #program must be run by a member of
|
||||||
|
# #the 'kids' group
|
||||||
|
# !:kids #program must not be run by a member
|
||||||
|
# #of the 'kids' group
|
||||||
|
# +upnpd #program named 'upnpd'
|
||||||
|
#
|
||||||
|
# Example: Accept SMTP requests from the DMZ to the internet
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT dmz net tcp smtp
|
||||||
|
#
|
||||||
|
# Example: Forward all ssh and http connection requests from the
|
||||||
|
# internet to local system 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||||
|
#
|
||||||
|
# Example: Forward all http connection requests from the internet
|
||||||
|
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||||
|
# a maximum burst of 10
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
|
# # PORT PORT(S) DEST LIMIT
|
||||||
|
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||||
|
#
|
||||||
|
# Example: Redirect all locally-originating www connection requests to
|
||||||
|
# port 3128 on the firewall (Squid running on the firewall
|
||||||
|
# system) except when the destination address is 192.168.2.2
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||||
|
#
|
||||||
|
# Example: All http requests from the internet to address
|
||||||
|
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||||
|
#
|
||||||
|
# Example: You want to accept SSH connections to your firewall only
|
||||||
|
# from internet IP addresses 130.252.100.69 and 130.252.100.70
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||||
|
# tcp 22
|
||||||
|
#############################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
|
||||||
|
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
|
||||||
|
Ping/REJECT net $FW
|
||||||
|
|
||||||
|
# Permit all ICMP traffic FROM the firewall TO the net zone
|
||||||
|
|
||||||
|
ACCEPT $FW net icmp
|
||||||
|
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
94
Shorewall/Samples/one-interface/zones
Normal file
94
Shorewall/Samples/one-interface/zones
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Zones File for one-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/zones
|
||||||
|
#
|
||||||
|
# This file determines your network zones.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Short name of the zone (5 Characters or less in length).
|
||||||
|
# The names "all" and "none" are reserved and may not be
|
||||||
|
# used as zone names.
|
||||||
|
#
|
||||||
|
# Where a zone is nested in one or more other zones,
|
||||||
|
# you may follow the (sub)zone name by ":" and a
|
||||||
|
# comma-separated list of the parent zones. The parent
|
||||||
|
# zones must have been defined in earlier records in this
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# #ZONE TYPE OPTIONS
|
||||||
|
# a ipv4
|
||||||
|
# b ipv4
|
||||||
|
# c:a,b ipv4
|
||||||
|
#
|
||||||
|
# Currently, Shorewall uses this information only to reorder the
|
||||||
|
# zone list so that parent zones appear after their subzones in
|
||||||
|
# the list. In the future, Shorewall may make more extensive use
|
||||||
|
# of that information.
|
||||||
|
#
|
||||||
|
# TYPE ipv4 - This is the standard Shorewall zone type and is the
|
||||||
|
# default if you leave this column empty or if you enter
|
||||||
|
# "-" in the column. Communication with some zone hosts
|
||||||
|
# may be encrypted. Encrypted hosts are designated using
|
||||||
|
# the 'ipsec'option in /etc/shorewall/hosts.
|
||||||
|
# ipsec - Communication with all zone hosts is encrypted
|
||||||
|
# Your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
# firewall
|
||||||
|
# - Designates the firewall itself. You must have
|
||||||
|
# exactly one 'firewall' zone. No options are
|
||||||
|
# permitted with a 'firewall' zone. The name that you
|
||||||
|
# enter in the ZONE column will be stored in the shell
|
||||||
|
# variable $FW which you may use in other configuration
|
||||||
|
# files to designate the firewall zone.
|
||||||
|
#
|
||||||
|
# OPTIONS, A comma-separated list of options as follows:
|
||||||
|
# IN OPTIONS,
|
||||||
|
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||||
|
# using setkey(8) using the 'unique:<number>
|
||||||
|
# option for the SPD level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the SPI of
|
||||||
|
# the SA used to encrypt/decrypt packets.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mss=<number> (sets the MSS field in TCP packets)
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match all rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be used with
|
||||||
|
# strict..
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# mode=transport,reqid=44
|
||||||
|
#
|
||||||
|
# The options in the OPTIONS column are applied to both incoming
|
||||||
|
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||||
|
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||||
|
# applied to outgoing traffic.
|
||||||
|
#
|
||||||
|
# If you wish to leave a column empty but need to make an entry
|
||||||
|
# in a following column, use "-".
|
||||||
|
#
|
||||||
|
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
|
||||||
|
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
||||||
|
#
|
||||||
|
# See http://www.shorewall.net/Documentation.htm#Nested
|
||||||
|
###############################################################################
|
||||||
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
|
# OPTIONS OPTIONS\
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
238
Shorewall/Samples/three-interfaces/interfaces
Executable file
238
Shorewall/Samples/three-interfaces/interfaces
Executable file
@ -0,0 +1,238 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/interfaces
|
||||||
|
#
|
||||||
|
# You must add an entry in this file for each network interface on your
|
||||||
|
# firewall system.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Zone for this interface. Must match the name of a
|
||||||
|
# zone defined in /etc/shorewall/zones. You may not
|
||||||
|
# list the firewall zone in this column.
|
||||||
|
#
|
||||||
|
# If the interface serves multiple zones that will be
|
||||||
|
# defined in the /etc/shorewall/hosts file, you should
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# INTERFACE Name of interface. Each interface may be listed only
|
||||||
|
# once in this file. You may NOT specify the name of
|
||||||
|
# an alias (e.g., eth0:0) here; see
|
||||||
|
# http://www.shorewall.net/FAQ.htm#faq18
|
||||||
|
#
|
||||||
|
# You may specify wildcards here. For example, if you
|
||||||
|
# want to make an entry that applies to all PPP
|
||||||
|
# interfaces, use 'ppp+'.
|
||||||
|
#
|
||||||
|
# There is no need to define the loopback interface (lo)
|
||||||
|
# in this file.
|
||||||
|
#
|
||||||
|
# BROADCAST The broadcast address for the subnetwork to which the
|
||||||
|
# interface belongs. For P-T-P interfaces, this
|
||||||
|
# column is left blank.If the interface has multiple
|
||||||
|
# addresses on multiple subnets then list the broadcast
|
||||||
|
# addresses as a comma-separated list.
|
||||||
|
#
|
||||||
|
# If you use the special value "detect", the firewall
|
||||||
|
# will detect the broadcast address for you. If you
|
||||||
|
# select this option, the interface must be up before
|
||||||
|
# the firewall is started, you must have iproute
|
||||||
|
# installed.
|
||||||
|
#
|
||||||
|
# If you don't want to give a value for this column but
|
||||||
|
# you want to enter a value in the OPTIONS column, enter
|
||||||
|
# "-" in this column.
|
||||||
|
#
|
||||||
|
# OPTIONS A comma-separated list of options including the
|
||||||
|
# following:
|
||||||
|
#
|
||||||
|
# dhcp - Specify this option when any of
|
||||||
|
# the following are true:
|
||||||
|
# 1. the interface gets its IP address
|
||||||
|
# via DHCP
|
||||||
|
# 2. the interface is used by
|
||||||
|
# a DHCP server running on the firewall
|
||||||
|
# 3. you have a static IP but are on a LAN
|
||||||
|
# segment with lots of Laptop DHCP
|
||||||
|
# clients.
|
||||||
|
# 4. the interface is a bridge with
|
||||||
|
# a DHCP server on one port and DHCP
|
||||||
|
# clients on another port.
|
||||||
|
#
|
||||||
|
# norfc1918 - This interface should not receive
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by RFC 1918
|
||||||
|
# (i.e., private or "non-routable"
|
||||||
|
# addresses. If packet mangling or
|
||||||
|
# connection-tracking match is enabled in
|
||||||
|
# your kernel, packets whose destination
|
||||||
|
# addresses are reserved by RFC 1918 are
|
||||||
|
# also rejected.
|
||||||
|
#
|
||||||
|
# routefilter - turn on kernel route filtering for this
|
||||||
|
# interface (anti-spoofing measure). This
|
||||||
|
# option can also be enabled globally in
|
||||||
|
# the /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# logmartians - turn on kernel martian logging (logging
|
||||||
|
# of packets with impossible source
|
||||||
|
# addresses. It is suggested that if you
|
||||||
|
# set routefilter on an interface that
|
||||||
|
# you also set logmartians. This option
|
||||||
|
# may also be enabled globally in the
|
||||||
|
# /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# blacklist - Check packets arriving on this interface
|
||||||
|
# against the /etc/shorewall/blacklist
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# maclist - Connection requests from this interface
|
||||||
|
# are compared against the contents of
|
||||||
|
# /etc/shorewall/maclist. If this option
|
||||||
|
# is specified, the interface must be
|
||||||
|
# an ethernet NIC and must be up before
|
||||||
|
# Shorewall is started.
|
||||||
|
#
|
||||||
|
# tcpflags - Packets arriving on this interface are
|
||||||
|
# checked for certain illegal combinations
|
||||||
|
# of TCP flags. Packets found to have
|
||||||
|
# such a combination of flags are handled
|
||||||
|
# according to the setting of
|
||||||
|
# TCP_FLAGS_DISPOSITION after having been
|
||||||
|
# logged according to the setting of
|
||||||
|
# TCP_FLAGS_LOG_LEVEL.
|
||||||
|
#
|
||||||
|
# proxyarp -
|
||||||
|
# Sets
|
||||||
|
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||||
|
# Do NOT use this option if you are
|
||||||
|
# employing Proxy ARP through entries in
|
||||||
|
# /etc/shorewall/proxyarp. This option is
|
||||||
|
# intended soley for use with Proxy ARP
|
||||||
|
# sub-networking as described at:
|
||||||
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
|
#
|
||||||
|
# newnotsyn - TCP packets that don't have the SYN
|
||||||
|
# flag set and which are not part of an
|
||||||
|
# established connection will be accepted
|
||||||
|
# from this interface, even if
|
||||||
|
# NEWNOTSYN=No has been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf. In other
|
||||||
|
# words, packets coming in on this
|
||||||
|
# interface are processed as if
|
||||||
|
# NEWNOTSYN=Yes had been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# This option has no effect if
|
||||||
|
# NEWNOTSYN=Yes.
|
||||||
|
#
|
||||||
|
# It is the opinion of the author that
|
||||||
|
# NEWNOTSYN=No creates more problems than
|
||||||
|
# it solves and I recommend against using
|
||||||
|
# that setting in shorewall.conf (hence
|
||||||
|
# making the use of the 'newnotsyn'
|
||||||
|
# interface option unnecessary).
|
||||||
|
#
|
||||||
|
# routeback - If specified, indicates that Shorewall
|
||||||
|
# should include rules that allow
|
||||||
|
# filtering traffic arriving on this
|
||||||
|
# interface back out that same interface.
|
||||||
|
#
|
||||||
|
# arp_filter - If specified, this interface will only
|
||||||
|
# respond to ARP who-has requests for IP
|
||||||
|
# addresses configured on the interface.
|
||||||
|
# If not specified, the interface can
|
||||||
|
# respond to ARP who-has requests for
|
||||||
|
# IP addresses on any of the firewall's
|
||||||
|
# interface. The interface must be up
|
||||||
|
# when Shorewall is started.
|
||||||
|
#
|
||||||
|
# arp_ignore[=<number>]
|
||||||
|
# - If specified, this interface will
|
||||||
|
# respond to arp requests based on the
|
||||||
|
# value of <number>.
|
||||||
|
#
|
||||||
|
# 1 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface
|
||||||
|
#
|
||||||
|
# 2 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface and both with the
|
||||||
|
# sender's IP address are part from same
|
||||||
|
# subnet on this interface
|
||||||
|
#
|
||||||
|
# 3 - do not reply for local addresses
|
||||||
|
# configured with scope host, only
|
||||||
|
# resolutions for global and link
|
||||||
|
# addresses are replied
|
||||||
|
#
|
||||||
|
# 4-7 - reserved
|
||||||
|
#
|
||||||
|
# 8 - do not reply for all local
|
||||||
|
# addresses
|
||||||
|
#
|
||||||
|
# If no <number> is given then the value
|
||||||
|
# 1 is assumed
|
||||||
|
#
|
||||||
|
# WARNING -- DO NOT SPECIFY arp_ignore
|
||||||
|
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
|
||||||
|
#
|
||||||
|
# nosmurfs - Filter packets for smurfs
|
||||||
|
# (packets with a broadcast
|
||||||
|
# address as the source).
|
||||||
|
#
|
||||||
|
# Smurfs will be optionally logged based
|
||||||
|
# on the setting of SMURF_LOG_LEVEL in
|
||||||
|
# shorewall.conf. After logging, the
|
||||||
|
# packets are dropped.
|
||||||
|
#
|
||||||
|
# detectnets - Automatically taylors the zone named
|
||||||
|
# in the ZONE column to include only those
|
||||||
|
# hosts routed through the interface.
|
||||||
|
#
|
||||||
|
# upnp - Incoming requests from this interface
|
||||||
|
# may be remapped via UPNP (upnpd).
|
||||||
|
#
|
||||||
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||||
|
# INTERNET INTERFACE.
|
||||||
|
#
|
||||||
|
# The order in which you list the options is not
|
||||||
|
# significant but the list should have no embedded white
|
||||||
|
# space.
|
||||||
|
#
|
||||||
|
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||||
|
# eth1 connected to your local network and that your
|
||||||
|
# local subnet is 192.168.1.0/24. The interface gets
|
||||||
|
# it's IP address via DHCP from subnet
|
||||||
|
# 206.191.149.192/27. You have a DMZ with subnet
|
||||||
|
# 192.168.2.0/24 using eth2.
|
||||||
|
#
|
||||||
|
# Your entries for this setup would look like:
|
||||||
|
#
|
||||||
|
# net eth0 206.191.149.223 dhcp
|
||||||
|
# local eth1 192.168.1.255
|
||||||
|
# dmz eth2 192.168.2.255
|
||||||
|
#
|
||||||
|
# Example 2: The same configuration without specifying broadcast
|
||||||
|
# addresses is:
|
||||||
|
#
|
||||||
|
# net eth0 detect dhcp
|
||||||
|
# loc eth1 detect
|
||||||
|
# dmz eth2 detect
|
||||||
|
#
|
||||||
|
# Example 3: You have a simple dial-in system with no ethernet
|
||||||
|
# connections.
|
||||||
|
#
|
||||||
|
# net ppp0 -
|
||||||
|
#
|
||||||
|
# For additional information, see
|
||||||
|
# http://shorewall.net/Documentation.htm#Interfaces
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
|
||||||
|
loc eth1 detect tcpflags,detectnets,nosmurfs
|
||||||
|
dmz eth2 detect
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
222
Shorewall/Samples/three-interfaces/masq
Executable file
222
Shorewall/Samples/three-interfaces/masq
Executable file
@ -0,0 +1,222 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Masq file for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/masq
|
||||||
|
#
|
||||||
|
# Use this file to define dynamic NAT (Masquerading) and to define
|
||||||
|
# Source NAT (SNAT).
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||||
|
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||||
|
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||||
|
# a digit to indicate that you want the alias added with
|
||||||
|
# that name (e.g., eth0:0). This will allow the alias to
|
||||||
|
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||||
|
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||||
|
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||||
|
#
|
||||||
|
# This may be qualified by adding the character
|
||||||
|
# ":" followed by a destination host or subnet.
|
||||||
|
#
|
||||||
|
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||||
|
# for this entry then include the ":" but omit the digit:
|
||||||
|
#
|
||||||
|
# eth0:
|
||||||
|
# eth2::192.0.2.32/27
|
||||||
|
#
|
||||||
|
# Normally Masq/SNAT rules are evaluated after those for
|
||||||
|
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||||
|
# the rule to be applied before one-to-one NAT rules,
|
||||||
|
# prefix the interface name with "+":
|
||||||
|
#
|
||||||
|
# +eth0
|
||||||
|
# +eth0:192.0.2.32/27
|
||||||
|
# +eth0:2
|
||||||
|
#
|
||||||
|
# This feature should only be required if you need to
|
||||||
|
# insert rules in this file that preempt entries in
|
||||||
|
# /etc/shorewall/nat.
|
||||||
|
#
|
||||||
|
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||||
|
# a subnet or as an interface. If you give the name of an
|
||||||
|
# interface, you must have iproute installed and the interface
|
||||||
|
# must be up before you start the firewall.
|
||||||
|
#
|
||||||
|
# In order to exclude a subset of the specified SUBNET, you
|
||||||
|
# may append "!" and a comma-separated list of IP addresses
|
||||||
|
# and/or subnets that you wish to exclude.
|
||||||
|
#
|
||||||
|
# Example: eth1!192.168.1.4,192.168.32.0/27
|
||||||
|
#
|
||||||
|
# In that example traffic from eth1 would be masqueraded unless
|
||||||
|
# it came from 192.168.1.4 or 196.168.32.0/27
|
||||||
|
#
|
||||||
|
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||||
|
# used and this will be the source address. If
|
||||||
|
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||||
|
# /etc/shorewall/shorewall.conf then Shorewall
|
||||||
|
# will automatically add this address to the
|
||||||
|
# INTERFACE named in the first column.
|
||||||
|
#
|
||||||
|
# You may also specify a range of up to 256
|
||||||
|
# IP addresses if you want the SNAT address to
|
||||||
|
# be assigned from that range in a round-robin
|
||||||
|
# range by connection. The range is specified by
|
||||||
|
# <first ip in range>-<last ip in range>.
|
||||||
|
#
|
||||||
|
# Example: 206.124.146.177-206.124.146.180
|
||||||
|
#
|
||||||
|
# Finally, you may also specify a comma-separated
|
||||||
|
# list of ranges and/or addresses in this column.
|
||||||
|
#
|
||||||
|
# This column may not contain DNS Names.
|
||||||
|
#
|
||||||
|
# Normally, Netfilter will attempt to retain
|
||||||
|
# the source port number. You may cause
|
||||||
|
# netfilter to remap the source port by following
|
||||||
|
# an address or range (if any) by ":" and
|
||||||
|
# a port range with the format <low port>-
|
||||||
|
# <high port>. If this is done, you must
|
||||||
|
# specify "tcp" or "udp" in the PROTO column.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# 192.0.2.4:5000-6000
|
||||||
|
# :4000-5000
|
||||||
|
#
|
||||||
|
# You can invoke the SAME target using the
|
||||||
|
# following in this column:
|
||||||
|
#
|
||||||
|
# SAME:[nodst:]<address-range>[,<address-range>...]
|
||||||
|
#
|
||||||
|
# The <address-ranges> may be single addresses.
|
||||||
|
#
|
||||||
|
# SAME works like SNAT with the exception that
|
||||||
|
# the same local IP address is assigned to each
|
||||||
|
# connection from a local address to a given
|
||||||
|
# remote address.
|
||||||
|
#
|
||||||
|
# If the 'nodst:' option is included, then the
|
||||||
|
# same source address is used for a given
|
||||||
|
# internal system regardless of which remote
|
||||||
|
# system is involved.
|
||||||
|
#
|
||||||
|
# If you want to leave this column empty
|
||||||
|
# but you need to specify the next column then
|
||||||
|
# place a hyphen ("-") here.
|
||||||
|
#
|
||||||
|
# PROTO -- (Optional) If you wish to restrict this entry to a
|
||||||
|
# particular protocol then enter the protocol
|
||||||
|
# name (from /etc/protocols) or number here.
|
||||||
|
#
|
||||||
|
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
|
||||||
|
# or UDP (protocol 17) then you may list one
|
||||||
|
# or more port numbers (or names from
|
||||||
|
# /etc/services) separated by commas or you
|
||||||
|
# may list a single port range
|
||||||
|
# (<low port>:<high port>).
|
||||||
|
#
|
||||||
|
# Where a comma-separated list is given, your
|
||||||
|
# kernel and iptables must have multiport match
|
||||||
|
# support and a maximum of 15 ports may be
|
||||||
|
# listed.
|
||||||
|
#
|
||||||
|
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||||
|
# column, you must be running kernel 2.6 and
|
||||||
|
# your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
#
|
||||||
|
# Comma-separated list of options from the
|
||||||
|
# following. Only packets that will be encrypted
|
||||||
|
# via an SA that matches these options will have
|
||||||
|
# their source address changed.
|
||||||
|
#
|
||||||
|
# Yes or yes -- must be the only option
|
||||||
|
# listed and matches all outbound
|
||||||
|
# traffic that will be encrypted.
|
||||||
|
#
|
||||||
|
# reqid=<number> where <number> is
|
||||||
|
# specified using setkey(8) using the
|
||||||
|
# 'unique:<number> option for the SPD
|
||||||
|
# level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the
|
||||||
|
# SPI of the SA.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match
|
||||||
|
# all rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be
|
||||||
|
# used with strict..
|
||||||
|
#
|
||||||
|
# Example 1:
|
||||||
|
#
|
||||||
|
# You have a simple masquerading setup where eth0 connects to
|
||||||
|
# a DSL or cable modem and eth1 connects to your local network
|
||||||
|
# with subnet 192.168.0.0/24.
|
||||||
|
#
|
||||||
|
# Your entry in the file can be either:
|
||||||
|
#
|
||||||
|
# eth0 eth1
|
||||||
|
#
|
||||||
|
# or
|
||||||
|
#
|
||||||
|
# eth0 192.168.0.0/24
|
||||||
|
#
|
||||||
|
# Example 2:
|
||||||
|
#
|
||||||
|
# You add a router to your local network to connect subnet
|
||||||
|
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||||
|
# add a second entry for eth0 to this file:
|
||||||
|
#
|
||||||
|
# eth0 192.168.1.0/24
|
||||||
|
#
|
||||||
|
# Example 3:
|
||||||
|
#
|
||||||
|
# You have an IPSEC tunnel through ipsec0 and you want to
|
||||||
|
# masquerade packets coming from 192.168.1.0/24 but only if
|
||||||
|
# these packets are destined for hosts in 10.1.1.0/24:
|
||||||
|
#
|
||||||
|
# ipsec0:10.1.1.0/24 196.168.1.0/24
|
||||||
|
#
|
||||||
|
# Example 4:
|
||||||
|
#
|
||||||
|
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||||
|
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||||
|
# primary address of eth0. You want 206.124.146.176 added to
|
||||||
|
# be added to eth0 with name eth0:0.
|
||||||
|
#
|
||||||
|
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||||
|
#
|
||||||
|
# Example 5:
|
||||||
|
#
|
||||||
|
# You want all outgoing SMTP traffic entering the firewall
|
||||||
|
# on eth1 to be sent from eth0 with source IP address
|
||||||
|
# 206.124.146.177. You want all other outgoing traffic
|
||||||
|
# from eth1 to be sent from eth0 with source IP address
|
||||||
|
# 206.124.146.176.
|
||||||
|
#
|
||||||
|
# eth0 eth1 206.124.146.177 tcp smtp
|
||||||
|
# eth0 eth1 206.124.146.176
|
||||||
|
#
|
||||||
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||||
|
#
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
|
eth0 eth1
|
||||||
|
eth0 eth2
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
96
Shorewall/Samples/three-interfaces/policy
Normal file
96
Shorewall/Samples/three-interfaces/policy
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Policy File for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/policy
|
||||||
|
#
|
||||||
|
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||||
|
#
|
||||||
|
# This file determines what to do with a new connection request if we
|
||||||
|
# don't get a match from the /etc/shorewall/rules file . For each
|
||||||
|
# source/destination pair, the file is processed in order until a
|
||||||
|
# match is found ("all" will match any client or server).
|
||||||
|
#
|
||||||
|
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
||||||
|
#
|
||||||
|
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||||
|
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||||
|
# logging or TCP connection rate limiting but may be overridden by an
|
||||||
|
# entry in this file. The overriding entry must be explicit (cannot use
|
||||||
|
# "all" in the SOURCE or DEST).
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# SOURCE Source zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all".
|
||||||
|
#
|
||||||
|
# DEST Destination zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all"
|
||||||
|
#
|
||||||
|
# POLICY Policy if no match from the rules file is found. Must
|
||||||
|
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||||
|
#
|
||||||
|
# ACCEPT - Accept the connection
|
||||||
|
# DROP - Ignore the connection request
|
||||||
|
# REJECT - For TCP, send RST. For all other,
|
||||||
|
# send "port unreachable" ICMP.
|
||||||
|
# QUEUE - Send the request to a user-space
|
||||||
|
# application using the QUEUE target.
|
||||||
|
# CONTINUE - Pass the connection request past
|
||||||
|
# any other rules that it might also
|
||||||
|
# match (where the source or
|
||||||
|
# destination zone in those rules is
|
||||||
|
# a superset of the SOURCE or DEST
|
||||||
|
# in this policy).
|
||||||
|
# NONE - Assume that there will never be any
|
||||||
|
# packets from this SOURCE
|
||||||
|
# to this DEST. Shorewall will not set
|
||||||
|
# up any infrastructure to handle such
|
||||||
|
# packets and you may not have any
|
||||||
|
# rules with this SOURCE and DEST in
|
||||||
|
# the /etc/shorewall/rules file. If
|
||||||
|
# such a packet _is_ received, the
|
||||||
|
# result is undefined. NONE may not be
|
||||||
|
# used if the SOURCE or DEST columns
|
||||||
|
# contain the firewall zone ($FW) or
|
||||||
|
# "all".
|
||||||
|
#
|
||||||
|
# If this column contains ACCEPT, DROP or REJECT and a
|
||||||
|
# corresponding common action is defined in
|
||||||
|
# /etc/shorewall/actions (or
|
||||||
|
# /usr/share/shorewall/actions.std) then that action
|
||||||
|
# will be invoked before the policy named in this column
|
||||||
|
# is enforced.
|
||||||
|
#
|
||||||
|
# LOG LEVEL If supplied, each connection handled under the default
|
||||||
|
# POLICY is logged at that level. If not supplied, no
|
||||||
|
# log message is generated. See syslog.conf(5) for a
|
||||||
|
# description of log levels.
|
||||||
|
#
|
||||||
|
# Beginning with Shorewall version 1.3.12, you may
|
||||||
|
# also specify ULOG (must be in upper case). This will
|
||||||
|
# log to the ULOG target and sent to a separate log
|
||||||
|
# through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# If you don't want to log but need to specify the
|
||||||
|
# following column, place "-" here.
|
||||||
|
#
|
||||||
|
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||||
|
# and the size of an acceptable burst. If not specified,
|
||||||
|
# TCP connections are not limited.
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
loc net ACCEPT
|
||||||
|
# If you want open access to the Internet from your Firewall
|
||||||
|
# remove the comment from the following line.
|
||||||
|
#$FW net ACCEPT
|
||||||
|
# Also If You Wish To Open Up DMZ Access To The Internet
|
||||||
|
# remove the comment from the following line.
|
||||||
|
#dmz net ACCEPT
|
||||||
|
net all DROP info
|
||||||
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
|
all all REJECT info
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
66
Shorewall/Samples/three-interfaces/routestopped
Normal file
66
Shorewall/Samples/three-interfaces/routestopped
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Routestopped File for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/routestopped
|
||||||
|
#
|
||||||
|
# This file is used to define the hosts that are accessible when the
|
||||||
|
# firewall is stopped or when it is in the process of being
|
||||||
|
# [re]started.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# INTERFACE - Interface through which host(s) communicate with
|
||||||
|
# the firewall
|
||||||
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
|
# addresses. If your kernel and iptables include
|
||||||
|
# iprange match support, IP address ranges are also
|
||||||
|
# allowed.
|
||||||
|
#
|
||||||
|
# If left empty or supplied as "-",
|
||||||
|
# 0.0.0.0/0 is assumed.
|
||||||
|
# OPTIONS - (Optional) A comma-separated list of
|
||||||
|
# options. The currently-supported options are:
|
||||||
|
#
|
||||||
|
# routeback - Set up a rule to ACCEPT traffic from
|
||||||
|
# these hosts back to themselves.
|
||||||
|
#
|
||||||
|
# source - Allow traffic from these hosts to ANY
|
||||||
|
# destination. Without this option or the 'dest'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'source' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# dest - Allow traffic to these hosts from ANY
|
||||||
|
# source. Without this option or the 'source'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'dest' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# critical - Allow traffic between the firewall and
|
||||||
|
# these hosts throughout '[re]start', 'stop' and
|
||||||
|
# 'clear'. Specifying 'critical' on one or more
|
||||||
|
# entries will cause your firewall to be "totally
|
||||||
|
# open" for a brief window during each of those
|
||||||
|
# operations.
|
||||||
|
#
|
||||||
|
# NOTE: The 'source' and 'dest' options work best when used
|
||||||
|
# in conjunction with ADMINISABSENTMINDED=Yes in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# INTERFACE HOST(S) OPTIONS
|
||||||
|
# eth2 192.168.1.0/24
|
||||||
|
# eth0 192.0.2.44
|
||||||
|
# br0 - routeback
|
||||||
|
# eth3 - source
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||||
|
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S)
|
||||||
|
eth1 -
|
||||||
|
eth2 -
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
462
Shorewall/Samples/three-interfaces/rules
Executable file
462
Shorewall/Samples/three-interfaces/rules
Executable file
@ -0,0 +1,462 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Rules File for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/rules
|
||||||
|
#
|
||||||
|
# Rules in this file govern connection establishment. Requests and
|
||||||
|
# responses are automatically allowed using connection tracking. For any
|
||||||
|
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||||
|
# order in which they appear in this file and the first match is the one
|
||||||
|
# that determines the disposition of the request.
|
||||||
|
#
|
||||||
|
# In most places where an IP address or subnet is allowed, you
|
||||||
|
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||||
|
# indicate that the rule matches all addresses except the address/subnet
|
||||||
|
# given. Notice that no white space is permitted between "!" and the
|
||||||
|
# address/subnet.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||||
|
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||||
|
# that system. You *must* use a DNAT rule instead.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# The rules file is divided into sections. Each section is introduced by
|
||||||
|
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||||
|
# section name.
|
||||||
|
#
|
||||||
|
# Sections are as follows and must appear in the order listed:
|
||||||
|
#
|
||||||
|
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||||
|
# by rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# RELATED Packets in the RELATED state are processed by
|
||||||
|
# rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# NEW Packets in the NEW and INVALID states are
|
||||||
|
# processed by rules in this section.
|
||||||
|
#
|
||||||
|
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||||
|
# ESTABLISHED and RELATED sections must be empty.
|
||||||
|
#
|
||||||
|
# Note: If you are not familiar with Netfilter to the point where you are
|
||||||
|
# comfortable with the differences between the various connection
|
||||||
|
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||||
|
# RELATED sections and place all of your rules in the NEW section.
|
||||||
|
#
|
||||||
|
# You may omit any section that you don't need. If no Section Headers appear
|
||||||
|
# in the file then all rules are assumed to be in the NEW section.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||||
|
# LOG, QUEUE or an <action>.
|
||||||
|
#
|
||||||
|
# ACCEPT -- allow the connection request
|
||||||
|
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||||
|
# connection from any subsequent
|
||||||
|
# DNAT[-] or REDIRECT[-] rules
|
||||||
|
# NONAT -- Excludes the connection from any
|
||||||
|
# subsequent DNAT[-] or REDIRECT[-]
|
||||||
|
# rules but doesn't generate a rule
|
||||||
|
# to accept the traffic.
|
||||||
|
# DROP -- ignore the request
|
||||||
|
# REJECT -- disallow the request and return an
|
||||||
|
# icmp-unreachable or an RST packet.
|
||||||
|
# DNAT -- Forward the request to another
|
||||||
|
# system (and optionally another
|
||||||
|
# port).
|
||||||
|
# DNAT- -- Advanced users only.
|
||||||
|
# Like DNAT but only generates the
|
||||||
|
# DNAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# SAME -- Similar to DNAT except that the
|
||||||
|
# port may not be remapped and when
|
||||||
|
# multiple server addresses are
|
||||||
|
# listed, all requests from a given
|
||||||
|
# remote system go to the same
|
||||||
|
# server.
|
||||||
|
# SAME- -- Advanced users only.
|
||||||
|
# Like SAME but only generates the
|
||||||
|
# NAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# REDIRECT -- Redirect the request to a local
|
||||||
|
# port on the firewall.
|
||||||
|
# REDIRECT-
|
||||||
|
# -- Advanced users only.
|
||||||
|
# Like REDIRET but only generates the
|
||||||
|
# REDIRECT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
#
|
||||||
|
# CONTINUE -- (For experts only). Do not process
|
||||||
|
# any of the following rules for this
|
||||||
|
# (source zone,destination zone). If
|
||||||
|
# The source and/or destination IP
|
||||||
|
# address falls into a zone defined
|
||||||
|
# later in /etc/shorewall/zones, this
|
||||||
|
# connection request will be passed
|
||||||
|
# to the rules defined for that
|
||||||
|
# (those) zone(s).
|
||||||
|
# LOG -- Simply log the packet and continue.
|
||||||
|
# QUEUE -- Queue the packet to a user-space
|
||||||
|
# application such as ftwall
|
||||||
|
# (http://p2pwall.sf.net).
|
||||||
|
# <action> -- The name of an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std.
|
||||||
|
#
|
||||||
|
# <macro> -- The name of a macro defined in a
|
||||||
|
# file named macro.<macro-name>.
|
||||||
|
#
|
||||||
|
# The ACTION may optionally be followed
|
||||||
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||||
|
# DNAT:debug). This causes the packet to be
|
||||||
|
# logged at the specified level.
|
||||||
|
#
|
||||||
|
# If the ACTION names an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std then:
|
||||||
|
#
|
||||||
|
# - If the log level is followed by "!' then all rules
|
||||||
|
# in the action are logged at the log level.
|
||||||
|
#
|
||||||
|
# - If the log level is not followed by "!" then only
|
||||||
|
# those rules in the action that do not specify
|
||||||
|
# logging are logged at the specified level.
|
||||||
|
#
|
||||||
|
# - The special log level 'none!' suppresses logging
|
||||||
|
# by the action.
|
||||||
|
#
|
||||||
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
|
# log level.This will log to the ULOG target for routing
|
||||||
|
# to a separate log through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# Actions specifying logging may be followed by a
|
||||||
|
# log tag (a string of alphanumeric characters)
|
||||||
|
# are appended to the string generated by the
|
||||||
|
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||||
|
#
|
||||||
|
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||||
|
# at the end of the log prefix generated by the
|
||||||
|
# LOGPREFIX setting.
|
||||||
|
#
|
||||||
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
|
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||||
|
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||||
|
# may be excluded from the rule by following the zone
|
||||||
|
# name with "!' and a comma-separated list of sub-zone
|
||||||
|
# names.
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, clients may be
|
||||||
|
# further restricted to a list of subnets and/or hosts by
|
||||||
|
# appending ":" and a comma-separated list of subnets
|
||||||
|
# and/or hosts. Hosts may be specified by IP or MAC
|
||||||
|
# address; mac addresses must begin with "~" and must use
|
||||||
|
# "-" as a separator.
|
||||||
|
#
|
||||||
|
# Hosts may be specified as an IP address range using the
|
||||||
|
# syntax <low address>-<high address>. This requires that
|
||||||
|
# your kernel and iptables contain iprange match support.
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of source bindings to be
|
||||||
|
# matched.
|
||||||
|
#
|
||||||
|
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||||
|
#
|
||||||
|
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||||
|
# Internet
|
||||||
|
#
|
||||||
|
# loc:192.168.1.1,192.168.1.2
|
||||||
|
# Hosts 192.168.1.1 and
|
||||||
|
# 192.168.1.2 in the local zone.
|
||||||
|
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||||
|
# MAC address 00:A0:C9:15:39:78.
|
||||||
|
#
|
||||||
|
# net:192.0.2.11-192.0.2.17
|
||||||
|
# Hosts 192.0.2.11-192.0.2.17 in
|
||||||
|
# the net zone.
|
||||||
|
#
|
||||||
|
# Alternatively, clients may be specified by interface
|
||||||
|
# by appending ":" to the zone name followed by the
|
||||||
|
# interface name. For example, loc:eth1 specifies a
|
||||||
|
# client that communicates with the firewall system
|
||||||
|
# through eth1. This may be optionally followed by
|
||||||
|
# another colon (":") and an IP/MAC/subnet address
|
||||||
|
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||||
|
#
|
||||||
|
# DEST Location of Server. May be a zone defined in
|
||||||
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||||
|
# itself, "all". "all+" or "none".
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, the server may be
|
||||||
|
# further restricted to a particular subnet, host or
|
||||||
|
# interface by appending ":" and the subnet, host or
|
||||||
|
# interface. See above.
|
||||||
|
#
|
||||||
|
# Restrictions:
|
||||||
|
#
|
||||||
|
# 1. MAC addresses are not allowed.
|
||||||
|
# 2. In DNAT rules, only IP addresses are
|
||||||
|
# allowed; no FQDNs or subnet addresses
|
||||||
|
# are permitted.
|
||||||
|
# 3. You may not specify both an interface and
|
||||||
|
# an address.
|
||||||
|
#
|
||||||
|
# Like in the SOURCE column, you may specify a range of
|
||||||
|
# up to 256 IP addresses using the syntax
|
||||||
|
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||||
|
# the connections will be assigned to addresses in the
|
||||||
|
# range in a round-robin fashion.
|
||||||
|
#
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of destination bindings
|
||||||
|
# to be matched. Only one of the SOURCE and DEST columns
|
||||||
|
# may specify an ipset name.
|
||||||
|
#
|
||||||
|
# The port that the server is listening on may be
|
||||||
|
# included and separated from the server's IP address by
|
||||||
|
# ":". If omitted, the firewall will not modifiy the
|
||||||
|
# destination port. A destination port may only be
|
||||||
|
# included if the ACTION is DNAT or REDIRECT.
|
||||||
|
#
|
||||||
|
# Example: loc:192.168.1.3:3128 specifies a local
|
||||||
|
# server at IP address 192.168.1.3 and listening on port
|
||||||
|
# 3128. The port number MUST be specified as an integer
|
||||||
|
# and not as a name from /etc/services.
|
||||||
|
#
|
||||||
|
# if the ACTION is REDIRECT, this column needs only to
|
||||||
|
# contain the port number on the firewall that the
|
||||||
|
# request should be redirected to.
|
||||||
|
#
|
||||||
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
|
#
|
||||||
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
|
# names (from /etc/services), port numbers or port
|
||||||
|
# ranges; if the protocol is "icmp", this column is
|
||||||
|
# interpreted as the destination icmp-type(s).
|
||||||
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example
|
||||||
|
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
|
# A port range is expressed as <low port>:<high port>.
|
||||||
|
#
|
||||||
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
|
# entered if any of the following ields are supplied.
|
||||||
|
# In that case, it is suggested that this field contain
|
||||||
|
# "-"
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the CLIENT PORT(S) list below:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||||
|
# any source port is acceptable. Specified as a comma-
|
||||||
|
# separated list of port names, port numbers or port
|
||||||
|
# ranges.
|
||||||
|
#
|
||||||
|
# If you don't want to restrict client ports but need to
|
||||||
|
# specify an ORIGINAL DEST in the next column, then
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the DEST PORT(S) list above:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
|
||||||
|
# then if included and different from the IP
|
||||||
|
# address given in the SERVER column, this is an address
|
||||||
|
# on some interface on the firewall and connections to
|
||||||
|
# that address will be forwarded to the IP and port
|
||||||
|
# specified in the DEST column.
|
||||||
|
#
|
||||||
|
# A comma-separated list of addresses may also be used.
|
||||||
|
# This is usually most useful with the REDIRECT target
|
||||||
|
# where you want to redirect traffic destined for
|
||||||
|
# particular set of hosts.
|
||||||
|
#
|
||||||
|
# Finally, if the list of addresses begins with "!" then
|
||||||
|
# the rule will be followed only if the original
|
||||||
|
# destination address in the connection request does not
|
||||||
|
# match any of the addresses listed.
|
||||||
|
#
|
||||||
|
# For other actions, this column may be included and may
|
||||||
|
# contain one or more addresses (host or network)
|
||||||
|
# separated by commas. Address ranges are not allowed.
|
||||||
|
# When this column is supplied, rules are generated
|
||||||
|
# that require that the original destination address
|
||||||
|
# matches one of the listed addresses. This feature is
|
||||||
|
# most useful when you want to generate a filter rule
|
||||||
|
# that corresponds to a DNAT- or REDIRECT- rule. In this
|
||||||
|
# usage, the list of addresses should not begin with "!".
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/PortKnocking.html for an
|
||||||
|
# example of using an entry in this column with a
|
||||||
|
# user-defined action rule.
|
||||||
|
#
|
||||||
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
|
# this colume:
|
||||||
|
#
|
||||||
|
# <rate>/<interval>[:<burst>]
|
||||||
|
#
|
||||||
|
# where <rate> is the number of connections per
|
||||||
|
# <interval> ("sec" or "min") and <burst> is the
|
||||||
|
# largest burst permitted. If no <burst> is given,
|
||||||
|
# a value of 5 is assumed. There may be no
|
||||||
|
# no whitespace embedded in the specification.
|
||||||
|
#
|
||||||
|
# Example: 10/sec:20
|
||||||
|
#
|
||||||
|
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||||
|
# the firewall itself.
|
||||||
|
#
|
||||||
|
# The column may contain:
|
||||||
|
#
|
||||||
|
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||||
|
#
|
||||||
|
# When this column is non-empty, the rule applies only
|
||||||
|
# if the program generating the output is running under
|
||||||
|
# the effective <user> and/or <group> specified (or is
|
||||||
|
# NOT running under that id if "!" is given).
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# joe #program must be run by joe
|
||||||
|
# :kids #program must be run by a member of
|
||||||
|
# #the 'kids' group
|
||||||
|
# !:kids #program must not be run by a member
|
||||||
|
# #of the 'kids' group
|
||||||
|
# +upnpd #program named 'upnpd'
|
||||||
|
#
|
||||||
|
# Example: Accept SMTP requests from the DMZ to the internet
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT dmz net tcp smtp
|
||||||
|
#
|
||||||
|
# Example: Forward all ssh and http connection requests from the
|
||||||
|
# internet to local system 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||||
|
#
|
||||||
|
# Example: Forward all http connection requests from the internet
|
||||||
|
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||||
|
# a maximum burst of 10
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
|
# # PORT PORT(S) DEST LIMIT
|
||||||
|
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||||
|
#
|
||||||
|
# Example: Redirect all locally-originating www connection requests to
|
||||||
|
# port 3128 on the firewall (Squid running on the firewall
|
||||||
|
# system) except when the destination address is 192.168.2.2
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||||
|
#
|
||||||
|
# Example: All http requests from the internet to address
|
||||||
|
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||||
|
#
|
||||||
|
# Example: You want to accept SSH connections to your firewall only
|
||||||
|
# from internet IP addresses 130.252.100.69 and 130.252.100.70
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||||
|
# tcp 22
|
||||||
|
#############################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#
|
||||||
|
# Accept DNS connections from the firewall to the Internet
|
||||||
|
#
|
||||||
|
DNS/ACCEPT $FW net
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Accept SSH connections from the local network to the firewall and DMZ
|
||||||
|
#
|
||||||
|
SSH/ACCEPT loc $FW
|
||||||
|
SSH/ACCEPT loc dmz
|
||||||
|
#
|
||||||
|
# DMZ DNS access to the Internet
|
||||||
|
#
|
||||||
|
DNS/ACCEPT dmz net
|
||||||
|
|
||||||
|
|
||||||
|
# Reject Ping from the "bad" net zone.
|
||||||
|
|
||||||
|
Ping/REJECT net $FW
|
||||||
|
|
||||||
|
#
|
||||||
|
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
|
||||||
|
# (assumes that the loc-> net policy is ACCEPT).
|
||||||
|
#
|
||||||
|
|
||||||
|
Ping/ACCEPT loc $FW
|
||||||
|
Ping/ACCEPT dmz $FW
|
||||||
|
Ping/ACCEPT loc dmz
|
||||||
|
Ping/ACCEPT dmz loc
|
||||||
|
Ping/ACCEPT dmz net
|
||||||
|
|
||||||
|
ACCEPT $FW net icmp
|
||||||
|
ACCEPT $FW loc icmp
|
||||||
|
ACCEPT $FW dmz icmp
|
||||||
|
|
||||||
|
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
|
||||||
|
# the net zone to the dmz and loc
|
||||||
|
|
||||||
|
#Ping/ACCEPT net dmz
|
||||||
|
#Ping/ACCEPT net loc
|
||||||
|
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
94
Shorewall/Samples/three-interfaces/zones
Normal file
94
Shorewall/Samples/three-interfaces/zones
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/zones
|
||||||
|
#
|
||||||
|
# This file determines your network zones.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Short name of the zone (5 Characters or less in length).
|
||||||
|
# The names "all" and "none" are reserved and may not be
|
||||||
|
# used as zone names.
|
||||||
|
#
|
||||||
|
# Where a zone is nested in one or more other zones,
|
||||||
|
# you may follow the (sub)zone name by ":" and a
|
||||||
|
# comma-separated list of the parent zones. The parent
|
||||||
|
# zones must have been defined in earlier records in this
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# #ZONE TYPE OPTIONS
|
||||||
|
# a ipv4
|
||||||
|
# b ipv4
|
||||||
|
# c:a,b ipv4
|
||||||
|
#
|
||||||
|
# Currently, Shorewall uses this information only to reorder the
|
||||||
|
# zone list so that parent zones appear after their subzones in
|
||||||
|
# the list. In the future, Shorewall may make more extensive use
|
||||||
|
# of that information.
|
||||||
|
#
|
||||||
|
# TYPE ipv4 - This is the standard Shorewall zone type and is the
|
||||||
|
# default if you leave this column empty or if you enter
|
||||||
|
# "-" in the column. Communication with some zone hosts
|
||||||
|
# may be encrypted. Encrypted hosts are designated using
|
||||||
|
# the 'ipsec'option in /etc/shorewall/hosts.
|
||||||
|
# ipsec - Communication with all zone hosts is encrypted
|
||||||
|
# Your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
# firewall
|
||||||
|
# - Designates the firewall itself. You must have
|
||||||
|
# exactly one 'firewall' zone. No options are
|
||||||
|
# permitted with a 'firewall' zone. The name that you
|
||||||
|
# enter in the ZONE column will be stored in the shell
|
||||||
|
# variable $FW which you may use in other configuration
|
||||||
|
# files to designate the firewall zone.
|
||||||
|
#
|
||||||
|
# OPTIONS, A comma-separated list of options as follows:
|
||||||
|
# IN OPTIONS,
|
||||||
|
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||||
|
# using setkey(8) using the 'unique:<number>
|
||||||
|
# option for the SPD level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the SPI of
|
||||||
|
# the SA used to encrypt/decrypt packets.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mss=<number> (sets the MSS field in TCP packets)
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match all rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be used with
|
||||||
|
# strict..
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# mode=transport,reqid=44
|
||||||
|
#
|
||||||
|
# The options in the OPTIONS column are applied to both incoming
|
||||||
|
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||||
|
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||||
|
# applied to outgoing traffic.
|
||||||
|
#
|
||||||
|
# If you wish to leave a column empty but need to make an entry
|
||||||
|
# in a following column, use "-".
|
||||||
|
#
|
||||||
|
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
|
# OPTIONS OPTIONS
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
loc ipv4
|
||||||
|
dmz ipv4
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
237
Shorewall/Samples/two-interfaces/interfaces
Executable file
237
Shorewall/Samples/two-interfaces/interfaces
Executable file
@ -0,0 +1,237 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/interfaces
|
||||||
|
#
|
||||||
|
# You must add an entry in this file for each network interface on your
|
||||||
|
# firewall system.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Zone for this interface. Must match the name of a
|
||||||
|
# zone defined in /etc/shorewall/zones. You may not
|
||||||
|
# list the firewall zone in this column.
|
||||||
|
#
|
||||||
|
# If the interface serves multiple zones that will be
|
||||||
|
# defined in the /etc/shorewall/hosts file, you should
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# INTERFACE Name of interface. Each interface may be listed only
|
||||||
|
# once in this file. You may NOT specify the name of
|
||||||
|
# an alias (e.g., eth0:0) here; see
|
||||||
|
# http://www.shorewall.net/FAQ.htm#faq18
|
||||||
|
#
|
||||||
|
# You may specify wildcards here. For example, if you
|
||||||
|
# want to make an entry that applies to all PPP
|
||||||
|
# interfaces, use 'ppp+'.
|
||||||
|
#
|
||||||
|
# There is no need to define the loopback interface (lo)
|
||||||
|
# in this file.
|
||||||
|
#
|
||||||
|
# BROADCAST The broadcast address for the subnetwork to which the
|
||||||
|
# interface belongs. For P-T-P interfaces, this
|
||||||
|
# column is left blank.If the interface has multiple
|
||||||
|
# addresses on multiple subnets then list the broadcast
|
||||||
|
# addresses as a comma-separated list.
|
||||||
|
#
|
||||||
|
# If you use the special value "detect", the firewall
|
||||||
|
# will detect the broadcast address for you. If you
|
||||||
|
# select this option, the interface must be up before
|
||||||
|
# the firewall is started, you must have iproute
|
||||||
|
# installed.
|
||||||
|
#
|
||||||
|
# If you don't want to give a value for this column but
|
||||||
|
# you want to enter a value in the OPTIONS column, enter
|
||||||
|
# "-" in this column.
|
||||||
|
#
|
||||||
|
# OPTIONS A comma-separated list of options including the
|
||||||
|
# following:
|
||||||
|
#
|
||||||
|
# dhcp - Specify this option when any of
|
||||||
|
# the following are true:
|
||||||
|
# 1. the interface gets its IP address
|
||||||
|
# via DHCP
|
||||||
|
# 2. the interface is used by
|
||||||
|
# a DHCP server running on the firewall
|
||||||
|
# 3. you have a static IP but are on a LAN
|
||||||
|
# segment with lots of Laptop DHCP
|
||||||
|
# clients.
|
||||||
|
# 4. the interface is a bridge with
|
||||||
|
# a DHCP server on one port and DHCP
|
||||||
|
# clients on another port.
|
||||||
|
#
|
||||||
|
# norfc1918 - This interface should not receive
|
||||||
|
# any packets whose source is in one
|
||||||
|
# of the ranges reserved by RFC 1918
|
||||||
|
# (i.e., private or "non-routable"
|
||||||
|
# addresses. If packet mangling or
|
||||||
|
# connection-tracking match is enabled in
|
||||||
|
# your kernel, packets whose destination
|
||||||
|
# addresses are reserved by RFC 1918 are
|
||||||
|
# also rejected.
|
||||||
|
#
|
||||||
|
# routefilter - turn on kernel route filtering for this
|
||||||
|
# interface (anti-spoofing measure). This
|
||||||
|
# option can also be enabled globally in
|
||||||
|
# the /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# logmartians - turn on kernel martian logging (logging
|
||||||
|
# of packets with impossible source
|
||||||
|
# addresses. It is suggested that if you
|
||||||
|
# set routefilter on an interface that
|
||||||
|
# you also set logmartians. This option
|
||||||
|
# may also be enabled globally in the
|
||||||
|
# /etc/shorewall/shorewall.conf file.
|
||||||
|
#
|
||||||
|
# blacklist - Check packets arriving on this interface
|
||||||
|
# against the /etc/shorewall/blacklist
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# maclist - Connection requests from this interface
|
||||||
|
# are compared against the contents of
|
||||||
|
# /etc/shorewall/maclist. If this option
|
||||||
|
# is specified, the interface must be
|
||||||
|
# an ethernet NIC and must be up before
|
||||||
|
# Shorewall is started.
|
||||||
|
#
|
||||||
|
# tcpflags - Packets arriving on this interface are
|
||||||
|
# checked for certain illegal combinations
|
||||||
|
# of TCP flags. Packets found to have
|
||||||
|
# such a combination of flags are handled
|
||||||
|
# according to the setting of
|
||||||
|
# TCP_FLAGS_DISPOSITION after having been
|
||||||
|
# logged according to the setting of
|
||||||
|
# TCP_FLAGS_LOG_LEVEL.
|
||||||
|
#
|
||||||
|
# proxyarp -
|
||||||
|
# Sets
|
||||||
|
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||||
|
# Do NOT use this option if you are
|
||||||
|
# employing Proxy ARP through entries in
|
||||||
|
# /etc/shorewall/proxyarp. This option is
|
||||||
|
# intended soley for use with Proxy ARP
|
||||||
|
# sub-networking as described at:
|
||||||
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
|
#
|
||||||
|
# newnotsyn - TCP packets that don't have the SYN
|
||||||
|
# flag set and which are not part of an
|
||||||
|
# established connection will be accepted
|
||||||
|
# from this interface, even if
|
||||||
|
# NEWNOTSYN=No has been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf. In other
|
||||||
|
# words, packets coming in on this
|
||||||
|
# interface are processed as if
|
||||||
|
# NEWNOTSYN=Yes had been specified in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# This option has no effect if
|
||||||
|
# NEWNOTSYN=Yes.
|
||||||
|
#
|
||||||
|
# It is the opinion of the author that
|
||||||
|
# NEWNOTSYN=No creates more problems than
|
||||||
|
# it solves and I recommend against using
|
||||||
|
# that setting in shorewall.conf (hence
|
||||||
|
# making the use of the 'newnotsyn'
|
||||||
|
# interface option unnecessary).
|
||||||
|
#
|
||||||
|
# routeback - If specified, indicates that Shorewall
|
||||||
|
# should include rules that allow
|
||||||
|
# filtering traffic arriving on this
|
||||||
|
# interface back out that same interface.
|
||||||
|
#
|
||||||
|
# arp_filter - If specified, this interface will only
|
||||||
|
# respond to ARP who-has requests for IP
|
||||||
|
# addresses configured on the interface.
|
||||||
|
# If not specified, the interface can
|
||||||
|
# respond to ARP who-has requests for
|
||||||
|
# IP addresses on any of the firewall's
|
||||||
|
# interface. The interface must be up
|
||||||
|
# when Shorewall is started.
|
||||||
|
#
|
||||||
|
# arp_ignore[=<number>]
|
||||||
|
# - If specified, this interface will
|
||||||
|
# respond to arp requests based on the
|
||||||
|
# value of <number>.
|
||||||
|
#
|
||||||
|
# 1 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface
|
||||||
|
#
|
||||||
|
# 2 - reply only if the target IP address
|
||||||
|
# is local address configured on the
|
||||||
|
# incoming interface and both with the
|
||||||
|
# sender's IP address are part from same
|
||||||
|
# subnet on this interface
|
||||||
|
#
|
||||||
|
# 3 - do not reply for local addresses
|
||||||
|
# configured with scope host, only
|
||||||
|
# resolutions for global and link
|
||||||
|
# addresses are replied
|
||||||
|
#
|
||||||
|
# 4-7 - reserved
|
||||||
|
#
|
||||||
|
# 8 - do not reply for all local
|
||||||
|
# addresses
|
||||||
|
#
|
||||||
|
# If no <number> is given then the value
|
||||||
|
# 1 is assumed
|
||||||
|
#
|
||||||
|
# WARNING -- DO NOT SPECIFY arp_ignore
|
||||||
|
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
|
||||||
|
#
|
||||||
|
# nosmurfs - Filter packets for smurfs
|
||||||
|
# (packets with a broadcast
|
||||||
|
# address as the source).
|
||||||
|
#
|
||||||
|
# Smurfs will be optionally logged based
|
||||||
|
# on the setting of SMURF_LOG_LEVEL in
|
||||||
|
# shorewall.conf. After logging, the
|
||||||
|
# packets are dropped.
|
||||||
|
#
|
||||||
|
# detectnets - Automatically taylors the zone named
|
||||||
|
# in the ZONE column to include only those
|
||||||
|
# hosts routed through the interface.
|
||||||
|
#
|
||||||
|
# upnp - Incoming requests from this interface
|
||||||
|
# may be remapped via UPNP (upnpd).
|
||||||
|
#
|
||||||
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||||
|
# INTERNET INTERFACE.
|
||||||
|
#
|
||||||
|
# The order in which you list the options is not
|
||||||
|
# significant but the list should have no embedded white
|
||||||
|
# space.
|
||||||
|
#
|
||||||
|
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||||
|
# eth1 connected to your local network and that your
|
||||||
|
# local subnet is 192.168.1.0/24. The interface gets
|
||||||
|
# it's IP address via DHCP from subnet
|
||||||
|
# 206.191.149.192/27. You have a DMZ with subnet
|
||||||
|
# 192.168.2.0/24 using eth2.
|
||||||
|
#
|
||||||
|
# Your entries for this setup would look like:
|
||||||
|
#
|
||||||
|
# net eth0 206.191.149.223 dhcp
|
||||||
|
# local eth1 192.168.1.255
|
||||||
|
# dmz eth2 192.168.2.255
|
||||||
|
#
|
||||||
|
# Example 2: The same configuration without specifying broadcast
|
||||||
|
# addresses is:
|
||||||
|
#
|
||||||
|
# net eth0 detect dhcp
|
||||||
|
# loc eth1 detect
|
||||||
|
# dmz eth2 detect
|
||||||
|
#
|
||||||
|
# Example 3: You have a simple dial-in system with no ethernet
|
||||||
|
# connections.
|
||||||
|
#
|
||||||
|
# net ppp0 -
|
||||||
|
#
|
||||||
|
# For additional information, see
|
||||||
|
# http://shorewall.net/Documentation.htm#Interfaces
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
|
||||||
|
loc eth1 detect tcpflags,detectnets,nosmurfs
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
221
Shorewall/Samples/two-interfaces/masq
Executable file
221
Shorewall/Samples/two-interfaces/masq
Executable file
@ -0,0 +1,221 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/masq
|
||||||
|
#
|
||||||
|
# Use this file to define dynamic NAT (Masquerading) and to define
|
||||||
|
# Source NAT (SNAT).
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||||
|
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||||
|
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||||
|
# a digit to indicate that you want the alias added with
|
||||||
|
# that name (e.g., eth0:0). This will allow the alias to
|
||||||
|
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||||
|
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||||
|
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||||
|
#
|
||||||
|
# This may be qualified by adding the character
|
||||||
|
# ":" followed by a destination host or subnet.
|
||||||
|
#
|
||||||
|
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||||
|
# for this entry then include the ":" but omit the digit:
|
||||||
|
#
|
||||||
|
# eth0:
|
||||||
|
# eth2::192.0.2.32/27
|
||||||
|
#
|
||||||
|
# Normally Masq/SNAT rules are evaluated after those for
|
||||||
|
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||||
|
# the rule to be applied before one-to-one NAT rules,
|
||||||
|
# prefix the interface name with "+":
|
||||||
|
#
|
||||||
|
# +eth0
|
||||||
|
# +eth0:192.0.2.32/27
|
||||||
|
# +eth0:2
|
||||||
|
#
|
||||||
|
# This feature should only be required if you need to
|
||||||
|
# insert rules in this file that preempt entries in
|
||||||
|
# /etc/shorewall/nat.
|
||||||
|
#
|
||||||
|
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||||
|
# a subnet or as an interface. If you give the name of an
|
||||||
|
# interface, you must have iproute installed and the interface
|
||||||
|
# must be up before you start the firewall.
|
||||||
|
#
|
||||||
|
# In order to exclude a subset of the specified SUBNET, you
|
||||||
|
# may append "!" and a comma-separated list of IP addresses
|
||||||
|
# and/or subnets that you wish to exclude.
|
||||||
|
#
|
||||||
|
# Example: eth1!192.168.1.4,192.168.32.0/27
|
||||||
|
#
|
||||||
|
# In that example traffic from eth1 would be masqueraded unless
|
||||||
|
# it came from 192.168.1.4 or 196.168.32.0/27
|
||||||
|
#
|
||||||
|
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||||
|
# used and this will be the source address. If
|
||||||
|
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||||
|
# /etc/shorewall/shorewall.conf then Shorewall
|
||||||
|
# will automatically add this address to the
|
||||||
|
# INTERFACE named in the first column.
|
||||||
|
#
|
||||||
|
# You may also specify a range of up to 256
|
||||||
|
# IP addresses if you want the SNAT address to
|
||||||
|
# be assigned from that range in a round-robin
|
||||||
|
# range by connection. The range is specified by
|
||||||
|
# <first ip in range>-<last ip in range>.
|
||||||
|
#
|
||||||
|
# Example: 206.124.146.177-206.124.146.180
|
||||||
|
#
|
||||||
|
# Finally, you may also specify a comma-separated
|
||||||
|
# list of ranges and/or addresses in this column.
|
||||||
|
#
|
||||||
|
# This column may not contain DNS Names.
|
||||||
|
#
|
||||||
|
# Normally, Netfilter will attempt to retain
|
||||||
|
# the source port number. You may cause
|
||||||
|
# netfilter to remap the source port by following
|
||||||
|
# an address or range (if any) by ":" and
|
||||||
|
# a port range with the format <low port>-
|
||||||
|
# <high port>. If this is done, you must
|
||||||
|
# specify "tcp" or "udp" in the PROTO column.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# 192.0.2.4:5000-6000
|
||||||
|
# :4000-5000
|
||||||
|
#
|
||||||
|
# You can invoke the SAME target using the
|
||||||
|
# following in this column:
|
||||||
|
#
|
||||||
|
# SAME:[nodst:]<address-range>[,<address-range>...]
|
||||||
|
#
|
||||||
|
# The <address-ranges> may be single addresses.
|
||||||
|
#
|
||||||
|
# SAME works like SNAT with the exception that
|
||||||
|
# the same local IP address is assigned to each
|
||||||
|
# connection from a local address to a given
|
||||||
|
# remote address.
|
||||||
|
#
|
||||||
|
# If the 'nodst:' option is included, then the
|
||||||
|
# same source address is used for a given
|
||||||
|
# internal system regardless of which remote
|
||||||
|
# system is involved.
|
||||||
|
#
|
||||||
|
# If you want to leave this column empty
|
||||||
|
# but you need to specify the next column then
|
||||||
|
# place a hyphen ("-") here.
|
||||||
|
#
|
||||||
|
# PROTO -- (Optional) If you wish to restrict this entry to a
|
||||||
|
# particular protocol then enter the protocol
|
||||||
|
# name (from /etc/protocols) or number here.
|
||||||
|
#
|
||||||
|
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
|
||||||
|
# or UDP (protocol 17) then you may list one
|
||||||
|
# or more port numbers (or names from
|
||||||
|
# /etc/services) separated by commas or you
|
||||||
|
# may list a single port range
|
||||||
|
# (<low port>:<high port>).
|
||||||
|
#
|
||||||
|
# Where a comma-separated list is given, your
|
||||||
|
# kernel and iptables must have multiport match
|
||||||
|
# support and a maximum of 15 ports may be
|
||||||
|
# listed.
|
||||||
|
#
|
||||||
|
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||||
|
# column, you must be running kernel 2.6 and
|
||||||
|
# your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
#
|
||||||
|
# Comma-separated list of options from the
|
||||||
|
# following. Only packets that will be encrypted
|
||||||
|
# via an SA that matches these options will have
|
||||||
|
# their source address changed.
|
||||||
|
#
|
||||||
|
# Yes or yes -- must be the only option
|
||||||
|
# listed and matches all outbound
|
||||||
|
# traffic that will be encrypted.
|
||||||
|
#
|
||||||
|
# reqid=<number> where <number> is
|
||||||
|
# specified using setkey(8) using the
|
||||||
|
# 'unique:<number> option for the SPD
|
||||||
|
# level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the
|
||||||
|
# SPI of the SA.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match
|
||||||
|
# all rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be
|
||||||
|
# used with strict..
|
||||||
|
#
|
||||||
|
# Example 1:
|
||||||
|
#
|
||||||
|
# You have a simple masquerading setup where eth0 connects to
|
||||||
|
# a DSL or cable modem and eth1 connects to your local network
|
||||||
|
# with subnet 192.168.0.0/24.
|
||||||
|
#
|
||||||
|
# Your entry in the file can be either:
|
||||||
|
#
|
||||||
|
# eth0 eth1
|
||||||
|
#
|
||||||
|
# or
|
||||||
|
#
|
||||||
|
# eth0 192.168.0.0/24
|
||||||
|
#
|
||||||
|
# Example 2:
|
||||||
|
#
|
||||||
|
# You add a router to your local network to connect subnet
|
||||||
|
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||||
|
# add a second entry for eth0 to this file:
|
||||||
|
#
|
||||||
|
# eth0 192.168.1.0/24
|
||||||
|
#
|
||||||
|
# Example 3:
|
||||||
|
#
|
||||||
|
# You have an IPSEC tunnel through ipsec0 and you want to
|
||||||
|
# masquerade packets coming from 192.168.1.0/24 but only if
|
||||||
|
# these packets are destined for hosts in 10.1.1.0/24:
|
||||||
|
#
|
||||||
|
# ipsec0:10.1.1.0/24 196.168.1.0/24
|
||||||
|
#
|
||||||
|
# Example 4:
|
||||||
|
#
|
||||||
|
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||||
|
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||||
|
# primary address of eth0. You want 206.124.146.176 added to
|
||||||
|
# be added to eth0 with name eth0:0.
|
||||||
|
#
|
||||||
|
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||||
|
#
|
||||||
|
# Example 5:
|
||||||
|
#
|
||||||
|
# You want all outgoing SMTP traffic entering the firewall
|
||||||
|
# on eth1 to be sent from eth0 with source IP address
|
||||||
|
# 206.124.146.177. You want all other outgoing traffic
|
||||||
|
# from eth1 to be sent from eth0 with source IP address
|
||||||
|
# 206.124.146.176.
|
||||||
|
#
|
||||||
|
# eth0 eth1 206.124.146.177 tcp smtp
|
||||||
|
# eth0 eth1 206.124.146.176
|
||||||
|
#
|
||||||
|
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||||
|
#
|
||||||
|
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||||
|
eth0 eth1
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
93
Shorewall/Samples/two-interfaces/policy
Normal file
93
Shorewall/Samples/two-interfaces/policy
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/policy
|
||||||
|
#
|
||||||
|
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||||
|
#
|
||||||
|
# This file determines what to do with a new connection request if we
|
||||||
|
# don't get a match from the /etc/shorewall/rules file . For each
|
||||||
|
# source/destination pair, the file is processed in order until a
|
||||||
|
# match is found ("all" will match any client or server).
|
||||||
|
#
|
||||||
|
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
||||||
|
#
|
||||||
|
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||||
|
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||||
|
# logging or TCP connection rate limiting but may be overridden by an
|
||||||
|
# entry in this file. The overriding entry must be explicit (cannot use
|
||||||
|
# "all" in the SOURCE or DEST).
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# SOURCE Source zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all".
|
||||||
|
#
|
||||||
|
# DEST Destination zone. Must be the name of a zone defined
|
||||||
|
# in /etc/shorewall/zones, $FW or "all"
|
||||||
|
#
|
||||||
|
# POLICY Policy if no match from the rules file is found. Must
|
||||||
|
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||||
|
#
|
||||||
|
# ACCEPT - Accept the connection
|
||||||
|
# DROP - Ignore the connection request
|
||||||
|
# REJECT - For TCP, send RST. For all other,
|
||||||
|
# send "port unreachable" ICMP.
|
||||||
|
# QUEUE - Send the request to a user-space
|
||||||
|
# application using the QUEUE target.
|
||||||
|
# CONTINUE - Pass the connection request past
|
||||||
|
# any other rules that it might also
|
||||||
|
# match (where the source or
|
||||||
|
# destination zone in those rules is
|
||||||
|
# a superset of the SOURCE or DEST
|
||||||
|
# in this policy).
|
||||||
|
# NONE - Assume that there will never be any
|
||||||
|
# packets from this SOURCE
|
||||||
|
# to this DEST. Shorewall will not set
|
||||||
|
# up any infrastructure to handle such
|
||||||
|
# packets and you may not have any
|
||||||
|
# rules with this SOURCE and DEST in
|
||||||
|
# the /etc/shorewall/rules file. If
|
||||||
|
# such a packet _is_ received, the
|
||||||
|
# result is undefined. NONE may not be
|
||||||
|
# used if the SOURCE or DEST columns
|
||||||
|
# contain the firewall zone ($FW) or
|
||||||
|
# "all".
|
||||||
|
#
|
||||||
|
# If this column contains ACCEPT, DROP or REJECT and a
|
||||||
|
# corresponding common action is defined in
|
||||||
|
# /etc/shorewall/actions (or
|
||||||
|
# /usr/share/shorewall/actions.std) then that action
|
||||||
|
# will be invoked before the policy named in this column
|
||||||
|
# is enforced.
|
||||||
|
#
|
||||||
|
# LOG LEVEL If supplied, each connection handled under the default
|
||||||
|
# POLICY is logged at that level. If not supplied, no
|
||||||
|
# log message is generated. See syslog.conf(5) for a
|
||||||
|
# description of log levels.
|
||||||
|
#
|
||||||
|
# Beginning with Shorewall version 1.3.12, you may
|
||||||
|
# also specify ULOG (must be in upper case). This will
|
||||||
|
# log to the ULOG target and sent to a separate log
|
||||||
|
# through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# If you don't want to log but need to specify the
|
||||||
|
# following column, place "-" here.
|
||||||
|
#
|
||||||
|
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||||
|
# and the size of an acceptable burst. If not specified,
|
||||||
|
# TCP connections are not limited.
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
|
loc net ACCEPT
|
||||||
|
# If you want open access to the Internet from your Firewall
|
||||||
|
# remove the comment from the following line.
|
||||||
|
#$FW net ACCEPT
|
||||||
|
net all DROP info
|
||||||
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
|
all all REJECT info
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
65
Shorewall/Samples/two-interfaces/routestopped
Normal file
65
Shorewall/Samples/two-interfaces/routestopped
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Routestopped File for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/routestopped
|
||||||
|
#
|
||||||
|
# This file is used to define the hosts that are accessible when the
|
||||||
|
# firewall is stopped or when it is in the process of being
|
||||||
|
# [re]started.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# INTERFACE - Interface through which host(s) communicate with
|
||||||
|
# the firewall
|
||||||
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
|
# addresses. If your kernel and iptables include
|
||||||
|
# iprange match support, IP address ranges are also
|
||||||
|
# allowed.
|
||||||
|
#
|
||||||
|
# If left empty or supplied as "-",
|
||||||
|
# 0.0.0.0/0 is assumed.
|
||||||
|
# OPTIONS - (Optional) A comma-separated list of
|
||||||
|
# options. The currently-supported options are:
|
||||||
|
#
|
||||||
|
# routeback - Set up a rule to ACCEPT traffic from
|
||||||
|
# these hosts back to themselves.
|
||||||
|
#
|
||||||
|
# source - Allow traffic from these hosts to ANY
|
||||||
|
# destination. Without this option or the 'dest'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'source' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# dest - Allow traffic to these hosts from ANY
|
||||||
|
# source. Without this option or the 'source'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'dest' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# critical - Allow traffic between the firewall and
|
||||||
|
# these hosts throughout '[re]start', 'stop' and
|
||||||
|
# 'clear'. Specifying 'critical' on one or more
|
||||||
|
# entries will cause your firewall to be "totally
|
||||||
|
# open" for a brief window during each of those
|
||||||
|
# operations.
|
||||||
|
#
|
||||||
|
# NOTE: The 'source' and 'dest' options work best when used
|
||||||
|
# in conjunction with ADMINISABSENTMINDED=Yes in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# INTERFACE HOST(S) OPTIONS
|
||||||
|
# eth2 192.168.1.0/24
|
||||||
|
# eth0 192.0.2.44
|
||||||
|
# br0 - routeback
|
||||||
|
# eth3 - source
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||||
|
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
##############################################################################
|
||||||
|
#INTERFACE HOST(S) OPTIONS
|
||||||
|
eth1 -
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
445
Shorewall/Samples/two-interfaces/rules
Executable file
445
Shorewall/Samples/two-interfaces/rules
Executable file
@ -0,0 +1,445 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Rules File for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/rules
|
||||||
|
#
|
||||||
|
# Rules in this file govern connection establishment. Requests and
|
||||||
|
# responses are automatically allowed using connection tracking. For any
|
||||||
|
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||||
|
# order in which they appear in this file and the first match is the one
|
||||||
|
# that determines the disposition of the request.
|
||||||
|
#
|
||||||
|
# In most places where an IP address or subnet is allowed, you
|
||||||
|
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||||
|
# indicate that the rule matches all addresses except the address/subnet
|
||||||
|
# given. Notice that no white space is permitted between "!" and the
|
||||||
|
# address/subnet.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||||
|
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||||
|
# that system. You *must* use a DNAT rule instead.
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# The rules file is divided into sections. Each section is introduced by
|
||||||
|
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||||
|
# section name.
|
||||||
|
#
|
||||||
|
# Sections are as follows and must appear in the order listed:
|
||||||
|
#
|
||||||
|
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||||
|
# by rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# RELATED Packets in the RELATED state are processed by
|
||||||
|
# rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# NEW Packets in the NEW and INVALID states are
|
||||||
|
# processed by rules in this section.
|
||||||
|
#
|
||||||
|
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||||
|
# ESTABLISHED and RELATED sections must be empty.
|
||||||
|
#
|
||||||
|
# Note: If you are not familiar with Netfilter to the point where you are
|
||||||
|
# comfortable with the differences between the various connection
|
||||||
|
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||||
|
# RELATED sections and place all of your rules in the NEW section.
|
||||||
|
#
|
||||||
|
# You may omit any section that you don't need. If no Section Headers appear
|
||||||
|
# in the file then all rules are assumed to be in the NEW section.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||||
|
# LOG, QUEUE or an <action>.
|
||||||
|
#
|
||||||
|
# ACCEPT -- allow the connection request
|
||||||
|
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||||
|
# connection from any subsequent
|
||||||
|
# DNAT[-] or REDIRECT[-] rules
|
||||||
|
# NONAT -- Excludes the connection from any
|
||||||
|
# subsequent DNAT[-] or REDIRECT[-]
|
||||||
|
# rules but doesn't generate a rule
|
||||||
|
# to accept the traffic.
|
||||||
|
# DROP -- ignore the request
|
||||||
|
# REJECT -- disallow the request and return an
|
||||||
|
# icmp-unreachable or an RST packet.
|
||||||
|
# DNAT -- Forward the request to another
|
||||||
|
# system (and optionally another
|
||||||
|
# port).
|
||||||
|
# DNAT- -- Advanced users only.
|
||||||
|
# Like DNAT but only generates the
|
||||||
|
# DNAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# SAME -- Similar to DNAT except that the
|
||||||
|
# port may not be remapped and when
|
||||||
|
# multiple server addresses are
|
||||||
|
# listed, all requests from a given
|
||||||
|
# remote system go to the same
|
||||||
|
# server.
|
||||||
|
# SAME- -- Advanced users only.
|
||||||
|
# Like SAME but only generates the
|
||||||
|
# NAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
# REDIRECT -- Redirect the request to a local
|
||||||
|
# port on the firewall.
|
||||||
|
# REDIRECT-
|
||||||
|
# -- Advanced users only.
|
||||||
|
# Like REDIRET but only generates the
|
||||||
|
# REDIRECT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
|
#
|
||||||
|
# CONTINUE -- (For experts only). Do not process
|
||||||
|
# any of the following rules for this
|
||||||
|
# (source zone,destination zone). If
|
||||||
|
# The source and/or destination IP
|
||||||
|
# address falls into a zone defined
|
||||||
|
# later in /etc/shorewall/zones, this
|
||||||
|
# connection request will be passed
|
||||||
|
# to the rules defined for that
|
||||||
|
# (those) zone(s).
|
||||||
|
# LOG -- Simply log the packet and continue.
|
||||||
|
# QUEUE -- Queue the packet to a user-space
|
||||||
|
# application such as ftwall
|
||||||
|
# (http://p2pwall.sf.net).
|
||||||
|
# <action> -- The name of an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std.
|
||||||
|
#
|
||||||
|
# <macro> -- The name of a macro defined in a
|
||||||
|
# file named macro.<macro-name>.
|
||||||
|
#
|
||||||
|
# The ACTION may optionally be followed
|
||||||
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||||
|
# DNAT:debug). This causes the packet to be
|
||||||
|
# logged at the specified level.
|
||||||
|
#
|
||||||
|
# If the ACTION names an action defined in
|
||||||
|
# /etc/shorewall/actions or in
|
||||||
|
# /usr/share/shorewall/actions.std then:
|
||||||
|
#
|
||||||
|
# - If the log level is followed by "!' then all rules
|
||||||
|
# in the action are logged at the log level.
|
||||||
|
#
|
||||||
|
# - If the log level is not followed by "!" then only
|
||||||
|
# those rules in the action that do not specify
|
||||||
|
# logging are logged at the specified level.
|
||||||
|
#
|
||||||
|
# - The special log level 'none!' suppresses logging
|
||||||
|
# by the action.
|
||||||
|
#
|
||||||
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
|
# log level.This will log to the ULOG target for routing
|
||||||
|
# to a separate log through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
|
#
|
||||||
|
# Actions specifying logging may be followed by a
|
||||||
|
# log tag (a string of alphanumeric characters)
|
||||||
|
# are appended to the string generated by the
|
||||||
|
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||||
|
#
|
||||||
|
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||||
|
# at the end of the log prefix generated by the
|
||||||
|
# LOGPREFIX setting.
|
||||||
|
#
|
||||||
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
|
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||||
|
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||||
|
# may be excluded from the rule by following the zone
|
||||||
|
# name with "!' and a comma-separated list of sub-zone
|
||||||
|
# names.
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, clients may be
|
||||||
|
# further restricted to a list of subnets and/or hosts by
|
||||||
|
# appending ":" and a comma-separated list of subnets
|
||||||
|
# and/or hosts. Hosts may be specified by IP or MAC
|
||||||
|
# address; mac addresses must begin with "~" and must use
|
||||||
|
# "-" as a separator.
|
||||||
|
#
|
||||||
|
# Hosts may be specified as an IP address range using the
|
||||||
|
# syntax <low address>-<high address>. This requires that
|
||||||
|
# your kernel and iptables contain iprange match support.
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of source bindings to be
|
||||||
|
# matched.
|
||||||
|
#
|
||||||
|
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||||
|
#
|
||||||
|
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||||
|
# Internet
|
||||||
|
#
|
||||||
|
# loc:192.168.1.1,192.168.1.2
|
||||||
|
# Hosts 192.168.1.1 and
|
||||||
|
# 192.168.1.2 in the local zone.
|
||||||
|
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||||
|
# MAC address 00:A0:C9:15:39:78.
|
||||||
|
#
|
||||||
|
# net:192.0.2.11-192.0.2.17
|
||||||
|
# Hosts 192.0.2.11-192.0.2.17 in
|
||||||
|
# the net zone.
|
||||||
|
#
|
||||||
|
# Alternatively, clients may be specified by interface
|
||||||
|
# by appending ":" to the zone name followed by the
|
||||||
|
# interface name. For example, loc:eth1 specifies a
|
||||||
|
# client that communicates with the firewall system
|
||||||
|
# through eth1. This may be optionally followed by
|
||||||
|
# another colon (":") and an IP/MAC/subnet address
|
||||||
|
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||||
|
#
|
||||||
|
# DEST Location of Server. May be a zone defined in
|
||||||
|
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||||
|
# itself, "all". "all+" or "none".
|
||||||
|
#
|
||||||
|
# When "none" is used either in the SOURCE or DEST
|
||||||
|
# column, the rule is ignored.
|
||||||
|
#
|
||||||
|
# When "all" is used either in the SOURCE or DEST column
|
||||||
|
# intra-zone traffic is not affected. When "all+" is
|
||||||
|
# used, intra-zone traffic is affected.
|
||||||
|
#
|
||||||
|
# Except when "all[+]" is specified, the server may be
|
||||||
|
# further restricted to a particular subnet, host or
|
||||||
|
# interface by appending ":" and the subnet, host or
|
||||||
|
# interface. See above.
|
||||||
|
#
|
||||||
|
# Restrictions:
|
||||||
|
#
|
||||||
|
# 1. MAC addresses are not allowed.
|
||||||
|
# 2. In DNAT rules, only IP addresses are
|
||||||
|
# allowed; no FQDNs or subnet addresses
|
||||||
|
# are permitted.
|
||||||
|
# 3. You may not specify both an interface and
|
||||||
|
# an address.
|
||||||
|
#
|
||||||
|
# Like in the SOURCE column, you may specify a range of
|
||||||
|
# up to 256 IP addresses using the syntax
|
||||||
|
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||||
|
# the connections will be assigned to addresses in the
|
||||||
|
# range in a round-robin fashion.
|
||||||
|
#
|
||||||
|
# If you kernel and iptables have ipset match support
|
||||||
|
# then you may give the name of an ipset prefaced by "+".
|
||||||
|
# The ipset name may be optionally followed by a number
|
||||||
|
# from 1 to 6 enclosed in square brackets ([]) to
|
||||||
|
# indicate the number of levels of destination bindings
|
||||||
|
# to be matched. Only one of the SOURCE and DEST columns
|
||||||
|
# may specify an ipset name.
|
||||||
|
#
|
||||||
|
# The port that the server is listening on may be
|
||||||
|
# included and separated from the server's IP address by
|
||||||
|
# ":". If omitted, the firewall will not modifiy the
|
||||||
|
# destination port. A destination port may only be
|
||||||
|
# included if the ACTION is DNAT or REDIRECT.
|
||||||
|
#
|
||||||
|
# Example: loc:192.168.1.3:3128 specifies a local
|
||||||
|
# server at IP address 192.168.1.3 and listening on port
|
||||||
|
# 3128. The port number MUST be specified as an integer
|
||||||
|
# and not as a name from /etc/services.
|
||||||
|
#
|
||||||
|
# if the ACTION is REDIRECT, this column needs only to
|
||||||
|
# contain the port number on the firewall that the
|
||||||
|
# request should be redirected to.
|
||||||
|
#
|
||||||
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
|
#
|
||||||
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
|
# names (from /etc/services), port numbers or port
|
||||||
|
# ranges; if the protocol is "icmp", this column is
|
||||||
|
# interpreted as the destination icmp-type(s).
|
||||||
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example
|
||||||
|
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
|
# A port range is expressed as <low port>:<high port>.
|
||||||
|
#
|
||||||
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
|
# entered if any of the following ields are supplied.
|
||||||
|
# In that case, it is suggested that this field contain
|
||||||
|
# "-"
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the CLIENT PORT(S) list below:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||||
|
# any source port is acceptable. Specified as a comma-
|
||||||
|
# separated list of port names, port numbers or port
|
||||||
|
# ranges.
|
||||||
|
#
|
||||||
|
# If you don't want to restrict client ports but need to
|
||||||
|
# specify an ORIGINAL DEST in the next column, then
|
||||||
|
# place "-" in this column.
|
||||||
|
#
|
||||||
|
# If your kernel contains multi-port match support, then
|
||||||
|
# only a single Netfilter rule will be generated if in
|
||||||
|
# this list and the DEST PORT(S) list above:
|
||||||
|
# 1. There are 15 or less ports listed.
|
||||||
|
# 2. No port ranges are included.
|
||||||
|
# Otherwise, a separate rule will be generated for each
|
||||||
|
# port.
|
||||||
|
#
|
||||||
|
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
|
||||||
|
# then if included and different from the IP
|
||||||
|
# address given in the SERVER column, this is an address
|
||||||
|
# on some interface on the firewall and connections to
|
||||||
|
# that address will be forwarded to the IP and port
|
||||||
|
# specified in the DEST column.
|
||||||
|
#
|
||||||
|
# A comma-separated list of addresses may also be used.
|
||||||
|
# This is usually most useful with the REDIRECT target
|
||||||
|
# where you want to redirect traffic destined for
|
||||||
|
# particular set of hosts.
|
||||||
|
#
|
||||||
|
# Finally, if the list of addresses begins with "!" then
|
||||||
|
# the rule will be followed only if the original
|
||||||
|
# destination address in the connection request does not
|
||||||
|
# match any of the addresses listed.
|
||||||
|
#
|
||||||
|
# For other actions, this column may be included and may
|
||||||
|
# contain one or more addresses (host or network)
|
||||||
|
# separated by commas. Address ranges are not allowed.
|
||||||
|
# When this column is supplied, rules are generated
|
||||||
|
# that require that the original destination address
|
||||||
|
# matches one of the listed addresses. This feature is
|
||||||
|
# most useful when you want to generate a filter rule
|
||||||
|
# that corresponds to a DNAT- or REDIRECT- rule. In this
|
||||||
|
# usage, the list of addresses should not begin with "!".
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/PortKnocking.html for an
|
||||||
|
# example of using an entry in this column with a
|
||||||
|
# user-defined action rule.
|
||||||
|
#
|
||||||
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
|
# this colume:
|
||||||
|
#
|
||||||
|
# <rate>/<interval>[:<burst>]
|
||||||
|
#
|
||||||
|
# where <rate> is the number of connections per
|
||||||
|
# <interval> ("sec" or "min") and <burst> is the
|
||||||
|
# largest burst permitted. If no <burst> is given,
|
||||||
|
# a value of 5 is assumed. There may be no
|
||||||
|
# no whitespace embedded in the specification.
|
||||||
|
#
|
||||||
|
# Example: 10/sec:20
|
||||||
|
#
|
||||||
|
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||||
|
# the firewall itself.
|
||||||
|
#
|
||||||
|
# The column may contain:
|
||||||
|
#
|
||||||
|
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||||
|
#
|
||||||
|
# When this column is non-empty, the rule applies only
|
||||||
|
# if the program generating the output is running under
|
||||||
|
# the effective <user> and/or <group> specified (or is
|
||||||
|
# NOT running under that id if "!" is given).
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# joe #program must be run by joe
|
||||||
|
# :kids #program must be run by a member of
|
||||||
|
# #the 'kids' group
|
||||||
|
# !:kids #program must not be run by a member
|
||||||
|
# #of the 'kids' group
|
||||||
|
# +upnpd #program named 'upnpd'
|
||||||
|
#
|
||||||
|
# Example: Accept SMTP requests from the DMZ to the internet
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT dmz net tcp smtp
|
||||||
|
#
|
||||||
|
# Example: Forward all ssh and http connection requests from the
|
||||||
|
# internet to local system 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||||
|
#
|
||||||
|
# Example: Forward all http connection requests from the internet
|
||||||
|
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||||
|
# a maximum burst of 10
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
|
# # PORT PORT(S) DEST LIMIT
|
||||||
|
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||||
|
#
|
||||||
|
# Example: Redirect all locally-originating www connection requests to
|
||||||
|
# port 3128 on the firewall (Squid running on the firewall
|
||||||
|
# system) except when the destination address is 192.168.2.2
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||||
|
#
|
||||||
|
# Example: All http requests from the internet to address
|
||||||
|
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||||
|
#
|
||||||
|
# Example: You want to accept SSH connections to your firewall only
|
||||||
|
# from internet IP addresses 130.252.100.69 and 130.252.100.70
|
||||||
|
#
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
|
# # PORT PORT(S) DEST
|
||||||
|
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||||
|
# tcp 22
|
||||||
|
#############################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
#
|
||||||
|
# Accept DNS connections from the firewall to the network
|
||||||
|
#
|
||||||
|
DNS/ACCEPT $FW net
|
||||||
|
#
|
||||||
|
# Accept SSH connections from the local network for administration
|
||||||
|
#
|
||||||
|
SSH/ACCEPT loc $FW
|
||||||
|
#
|
||||||
|
# Allow Ping from the local network
|
||||||
|
#
|
||||||
|
Ping/ACCEPT loc $FW
|
||||||
|
|
||||||
|
#
|
||||||
|
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||||
|
#
|
||||||
|
|
||||||
|
Ping/REJECT net $FW
|
||||||
|
|
||||||
|
ACCEPT $FW loc icmp
|
||||||
|
ACCEPT $FW net icmp
|
||||||
|
#
|
||||||
|
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
94
Shorewall/Samples/two-interfaces/zones
Normal file
94
Shorewall/Samples/two-interfaces/zones
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
#
|
||||||
|
# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
|
||||||
|
#
|
||||||
|
# /etc/shorewall/zones
|
||||||
|
#
|
||||||
|
# This file determines your network zones.
|
||||||
|
#
|
||||||
|
# Columns are:
|
||||||
|
#
|
||||||
|
# ZONE Short name of the zone (5 Characters or less in length).
|
||||||
|
# The names "all" and "none" are reserved and may not be
|
||||||
|
# used as zone names.
|
||||||
|
#
|
||||||
|
# Where a zone is nested in one or more other zones,
|
||||||
|
# you may follow the (sub)zone name by ":" and a
|
||||||
|
# comma-separated list of the parent zones. The parent
|
||||||
|
# zones must have been defined in earlier records in this
|
||||||
|
# file.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# #ZONE TYPE OPTIONS
|
||||||
|
# a ipv4
|
||||||
|
# b ipv4
|
||||||
|
# c:a,b ipv4
|
||||||
|
#
|
||||||
|
# Currently, Shorewall uses this information only to reorder the
|
||||||
|
# zone list so that parent zones appear after their subzones in
|
||||||
|
# the list. In the future, Shorewall may make more extensive use
|
||||||
|
# of that information.
|
||||||
|
#
|
||||||
|
# TYPE ipv4 - This is the standard Shorewall zone type and is the
|
||||||
|
# default if you leave this column empty or if you enter
|
||||||
|
# "-" in the column. Communication with some zone hosts
|
||||||
|
# may be encrypted. Encrypted hosts are designated using
|
||||||
|
# the 'ipsec'option in /etc/shorewall/hosts.
|
||||||
|
# ipsec - Communication with all zone hosts is encrypted
|
||||||
|
# Your kernel and iptables must include policy
|
||||||
|
# match support.
|
||||||
|
# firewall
|
||||||
|
# - Designates the firewall itself. You must have
|
||||||
|
# exactly one 'firewall' zone. No options are
|
||||||
|
# permitted with a 'firewall' zone. The name that you
|
||||||
|
# enter in the ZONE column will be stored in the shell
|
||||||
|
# variable $FW which you may use in other configuration
|
||||||
|
# files to designate the firewall zone.
|
||||||
|
#
|
||||||
|
# OPTIONS, A comma-separated list of options as follows:
|
||||||
|
# IN OPTIONS,
|
||||||
|
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||||
|
# using setkey(8) using the 'unique:<number>
|
||||||
|
# option for the SPD level.
|
||||||
|
#
|
||||||
|
# spi=<number> where <number> is the SPI of
|
||||||
|
# the SA used to encrypt/decrypt packets.
|
||||||
|
#
|
||||||
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mss=<number> (sets the MSS field in TCP packets)
|
||||||
|
#
|
||||||
|
# mode=transport|tunnel
|
||||||
|
#
|
||||||
|
# tunnel-src=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# tunnel-dst=<address>[/<mask>] (only
|
||||||
|
# available with mode=tunnel)
|
||||||
|
#
|
||||||
|
# strict Means that packets must match all rules.
|
||||||
|
#
|
||||||
|
# next Separates rules; can only be used with
|
||||||
|
# strict..
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# mode=transport,reqid=44
|
||||||
|
#
|
||||||
|
# The options in the OPTIONS column are applied to both incoming
|
||||||
|
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||||
|
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||||
|
# applied to outgoing traffic.
|
||||||
|
#
|
||||||
|
# If you wish to leave a column empty but need to make an entry
|
||||||
|
# in a following column, use "-".
|
||||||
|
#
|
||||||
|
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
|
# OPTIONS OPTIONS
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
loc ipv4
|
||||||
|
|
||||||
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
@ -4,6 +4,9 @@ Changes in 3.0.0 RC 2.
|
|||||||
|
|
||||||
2) Correct cut-and-paste error in 'arp_ignore' processing.
|
2) Correct cut-and-paste error in 'arp_ignore' processing.
|
||||||
|
|
||||||
|
3) Add 'src' to gateway routes. Make 'find_first_interface_address' look for
|
||||||
|
global addresses only.
|
||||||
|
|
||||||
Changes in 3.0.0 RC 1.
|
Changes in 3.0.0 RC 1.
|
||||||
|
|
||||||
1) Correct spelling of MACLIST_TABLE in shorewall.conf.
|
1) Correct spelling of MACLIST_TABLE in shorewall.conf.
|
||||||
|
@ -1315,7 +1315,7 @@ setup_providers()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace $gateway dev $interface table $number"
|
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route replace $gateway src $(find_first_interface_address $interface) dev $interface table $number"
|
||||||
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route add default via $gateway dev $interface table $number"
|
ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route add default via $gateway dev $interface table $number"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -1696,7 +1696,7 @@ find_first_interface_address() # $1 = interface
|
|||||||
#
|
#
|
||||||
# get the line of output containing the first IP address
|
# get the line of output containing the first IP address
|
||||||
#
|
#
|
||||||
addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1)
|
addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
|
||||||
#
|
#
|
||||||
# If there wasn't one, bail out now
|
# If there wasn't one, bail out now
|
||||||
#
|
#
|
||||||
|
@ -154,7 +154,7 @@ fi
|
|||||||
%attr(0600,root,root) /usr/share/shorewall/rfc1918
|
%attr(0600,root,root) /usr/share/shorewall/rfc1918
|
||||||
%attr(0600,root,root) /usr/share/shorewall/configpath
|
%attr(0600,root,root) /usr/share/shorewall/configpath
|
||||||
|
|
||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Oct 17 2005 Tom Eastep tom@shorewall.net
|
* Mon Oct 17 2005 Tom Eastep tom@shorewall.net
|
||||||
|
Loading…
Reference in New Issue
Block a user