Changes for 1.3.5
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@159 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
7e54769ec5
commit
5d2c855127
@ -48,6 +48,11 @@
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - (Deprecated -- use
|
||||
# /etc/shorewall/routestopped)
|
||||
# When the firewall is stopped, allow
|
||||
# and route traffic to and from this
|
||||
# interface.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
@ -68,6 +73,19 @@
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
# /etc/shorewall/proxyarp. This option is
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
@ -75,19 +93,21 @@
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2.
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# local eth1 192.168.1.255
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect noping,dhcp
|
||||
# loc eth1 detect
|
||||
# loc eth1 detect routestopped
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
|
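Review bot: Example 1 now shows `local eth1 192.168.1.255 routestopped` (and Example 2 `loc eth1 detect routestopped`), yet the option list earlier in the same file (the `@ -48,6 +48,11 @@` hunk) marks `routestopped` as deprecated in favour of /etc/shorewall/routestopped, so the shipped examples steer new installs toward the deprecated form. Since that option allows and routes traffic to and from the whole interface while the firewall is stopped, the example prose should point at the replacement file instead, e.g. `# (to reach the firewall while it is stopped, add eth1 to /etc/shorewall/routestopped)`, and drop the option from the sample lines. The same text is repeated in the `@ -73,6 +73,19 @@` hunk and in the second set of `@ -48,6 +48,11 @@`, `@ -68,6 +73,19 @@` and `@ -75,19 +93,21 @@` hunks further down, so the fix applies there too. Minor wording in the new lines: `soley` should be `solely` in the proxyarp description, and `it's IP address` should be `its IP address`.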
@ -1,170 +0,0 @@
|
||||
#
|
||||
# Shorewall version 1.3 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking.
|
||||
#
|
||||
# In most places where an IP address or subnet is allowed, you
|
||||
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
||||
# indicate that the rule matches all addresses except the address/subnet
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
#
|
||||
# May optionally be followed by ":" and a syslog log
|
||||
# level (e.g, REJECT:info). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones or $FW to indicate the
|
||||
# firewall itself. If the ACTION is DNAT or REDIRECT,
|
||||
# sub-zones of the specified zone may be excluded from
|
||||
# the rule by following the zone name with "!' and a
|
||||
# comma-separated list of sub-zone names.
|
||||
#
|
||||
# Clients may be further restricted to a list of subnets
|
||||
# and/or hosts by appending ":" and a comma-separated
|
||||
# list of subnets and/or hosts. Hosts may be specified
|
||||
# by IP or MAC address; mac addresses must begin with
|
||||
# "~" and must use "-" as a separator.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
# Internet
|
||||
#
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" followed by the interface name. For
|
||||
# example, loc:eth1 specifies a client that
|
||||
# communicates with the firewall system through eth1.
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones or $FW to indicate the firewall
|
||||
# itself.
|
||||
#
|
||||
# The server may be further restricted to a particular
|
||||
# subnet, host or interface by appending ":" and the
|
||||
# subnet, host or interface. See above.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port.
|
||||
#
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the RESULT is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# "all" or "related". If "related", the remainder of the
|
||||
# entry must be omitted and connection requests that are
|
||||
# related to existing requests will be accepted.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the CLIENT PORT(S) list below:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
#
|
||||
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
# this list and the DEST PORT(S) list above:
|
||||
# 1. There are 15 or less ports listed.
|
||||
# 2. No port ranges are included.
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
|
||||
# REDIRECT) If included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
# specified in the DEST column.
|
||||
#
|
||||
# The address may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# ACCEPT dmz net tcp smtp
|
||||
#
|
||||
# Example: Forward all ssh and http connection requests from the internet
|
||||
# to local system 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
# system) except when the destination address is 192.168.2.2
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||
#
|
||||
# Example: All http requests from the internet to address
|
||||
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||
##############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
@ -259,4 +259,51 @@ MULTIPORT=No
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
# Merge Hosts File
|
||||
#
|
||||
# The traditional behavior of the /etc/shorewall/hosts file has been that
|
||||
# if that file has ANY entry for a zone then the zone must be defined
|
||||
# entirely in the hosts file. This is counter-intuitive and has caused
|
||||
# people some problems.
|
||||
#
|
||||
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
|
||||
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
|
||||
# are added to the contents described in the /etc/shorewall/interfaces file.
|
||||
#
|
||||
# Example: Suppose that we have the following interfaces and hosts files:
|
||||
#
|
||||
# Interfaces:
|
||||
#
|
||||
# net eth0
|
||||
# loc eth1
|
||||
# - ppp+
|
||||
#
|
||||
# Hosts:
|
||||
#
|
||||
# loc ppp+:192.168.1.0/24
|
||||
# wrk ppp+:!192.168.1.0/24
|
||||
#
|
||||
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
|
||||
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
|
||||
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
|
||||
MERGE_HOSTS=Yes
|
||||
|
||||
#
|
||||
# Mutex Timeout
|
||||
#
|
||||
# The value of this variable determines the number of seconds that programs
|
||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
||||
# of seconds corresponding to the value of this variable, programs will assume
|
||||
# that the last program to hold the lock died without releasing the lock.
|
||||
#
|
||||
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
|
||||
#
|
||||
# An appropriate value for this parameter would be twice the length of time
|
||||
# that it takes your firewall system to process a "shorewall restart" command.
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
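Review bot: The shipped value `MERGE_HOSTS=Yes` contradicts the comment directly above it, which says "No" is assumed when the variable is unset, so anyone using this file as a template gets the merged-zone behaviour while the documented default is the traditional one. Merging widens a zone (in the file's own example 'loc' grows from ppp+:192.168.1.0/24 to also include eth1:0.0.0.0/0), so every rule written for that zone matches more hosts; the comment should state that this file ships with Yes and that the traditional behaviour requires `MERGE_HOSTS=No`. The example line `# ppp+:192.168.1.0 and eth1:0.0.0.0/0` also dropped the prefix length and should read `# ppp+:192.168.1.0/24 and eth1:0.0.0.0/0`. For MUTEX_TIMEOUT the comment says the lock holder is assumed dead after the timeout, which presumably means the waiting program proceeds; a line such as `# A value that is too small can let two programs modify the rule set at once; err on the high side.` would make the risk of lowering it explicit.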
@ -73,6 +73,19 @@
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
# /etc/shorewall/proxyarp. This option is
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
|
@ -71,14 +71,15 @@
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port.
|
||||
# destination port. A destination port may only be
|
||||
# included if the ACTION is DNAT or REDIRECT.
|
||||
#
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the RESULT is REDIRECT, this column needs only to
|
||||
# if the ACTION is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
@ -92,6 +93,8 @@
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
|
@ -7,8 +7,6 @@
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
# $<variable-name> is not permitted in this file.
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
|
@ -48,6 +48,11 @@
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - (Deprecated -- use
|
||||
# /etc/shorewall/routestopped)
|
||||
# When the firewall is stopped, allow
|
||||
# and route traffic to and from this
|
||||
# interface.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
@ -68,6 +73,19 @@
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
# /etc/shorewall/proxyarp. This option is
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
@ -75,19 +93,21 @@
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2.
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# local eth1 192.168.1.255
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect noping,dhcp
|
||||
# loc eth1 detect
|
||||
# loc eth1 detect routestopped
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
|
@ -71,14 +71,15 @@
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port.
|
||||
# destination port. A destination port may only be
|
||||
# included if the ACTION is DNAT or REDIRECT.
|
||||
#
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# if the RESULT is REDIRECT, this column needs only to
|
||||
# if the ACTION is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
@ -92,6 +93,8 @@
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
|
@ -7,8 +7,6 @@
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
# $<variable-name> is not permitted in this file.
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local networks
|
||||
|