From 5d2c8551279bdb120f025d624342133a32763cbe Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 25 Jul 2002 19:01:17 +0000 Subject: [PATCH] Changes for 1.3.5 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@159 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Samples/one-interface/interfaces | 26 +++- Samples/one-interface/rules | 170 --------------------------- Samples/one-interface/shorewall.conf | 47 ++++++++ Samples/three-interfaces/interfaces | 13 ++ Samples/three-interfaces/rules | 7 +- Samples/three-interfaces/zones | 2 - Samples/two-interfaces/interfaces | 26 +++- Samples/two-interfaces/rules | 7 +- Samples/two-interfaces/zones | 2 - 9 files changed, 116 insertions(+), 184 deletions(-) delete mode 100755 Samples/one-interface/rules diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces index 21bd089a7..9c42048f8 100755 --- a/Samples/one-interface/interfaces +++ b/Samples/one-interface/interfaces @@ -48,6 +48,11 @@ # requests. 'filterping' takes # precedence over 'noping' if both are # given. +# routestopped - (Deprecated -- use +# /etc/shorewall/routestopped) +# When the firewall is stopped, allow +# and route traffic to and from this +# interface. # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 
@@ -68,6 +73,19 @@ # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your @@ -75,19 +93,21 @@ # it's IP address via DHCP from subnet # 206.191.149.192/27 and you want pings from the internet # to be ignored. You interface a DMZ with subnet -# 192.168.2.0/24 using eth2. +# 192.168.2.0/24 using eth2. You want to be able to +# access the firewall from the local network when the +# firewall is stopped. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 noping,dhcp -# local eth1 192.168.1.255 +# local eth1 192.168.1.255 routestopped # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # # net eth0 detect noping,dhcp -# loc eth1 detect +# loc eth1 detect routestopped # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules deleted file mode 100755 index 274648997..000000000 --- a/Samples/one-interface/rules +++ /dev/null 
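Review bot: The new proxyarp description has a typo, `intended soley for use` should read `intended solely for use`, and the sysctl path two lines above it shows an empty component, `/proc/sys/net/ipv4/conf//proxy_arp`. If the interface-name placeholder was written in angle brackets and lost in rendering this is only a display artefact; otherwise the line should name it, e.g. `# /proc/sys/net/ipv4/conf/<interface>/proxy_arp`. The text also says only what the option sets, not what that does to the host; a short sentence such as `# With this set the firewall answers ARP for addresses it routes via the interface.` would make the warning about /etc/shorewall/proxyarp easier to follow. The identical block is added in Samples/three-interfaces/interfaces at @@ -73 and in Samples/two-interfaces/interfaces at @@ -68.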
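Review bot: The examples now show `local eth1 192.168.1.255 routestopped` and `loc eth1 detect routestopped`, but the hunk at @@ -48 in this same file documents routestopped as "Deprecated -- use /etc/shorewall/routestopped", so the sample recommends the option it deprecates. Either keep the example entries without the option and add a sentence such as `# To reach the firewall from the local network while it is stopped, list eth1 in /etc/shorewall/routestopped.`, or drop the deprecation note. The same pair of hunks appears in Samples/two-interfaces/interfaces at @@ -48 and @@ -75.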
@@ -1,170 +0,0 @@ -# -# Shorewall version 1.3 - Rules File -# -# /etc/shorewall/rules -# -# Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. -# -# In most places where an IP address or subnet is allowed, you -# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to -# indicate that the rule matches all addresses except the address/subnet -# given. Notice that no white space is permitted between "!" and the -# address/subnet. -# -# Columns are: -# -# -# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT -# -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# -# May optionally be followed by ":" and a syslog log -# level (e.g, REJECT:info). This causes the packet to be -# logged at the specified level. -# -# SOURCE Source hosts to which the rule applies. May be a zone -# defined in /etc/shorewall/zones or $FW to indicate the -# firewall itself. If the ACTION is DNAT or REDIRECT, -# sub-zones of the specified zone may be excluded from -# the rule by following the zone name with "!' and a -# comma-separated list of sub-zone names. -# -# Clients may be further restricted to a list of subnets -# and/or hosts by appending ":" and a comma-separated -# list of subnets and/or hosts. Hosts may be specified -# by IP or MAC address; mac addresses must begin with -# "~" and must use "-" as a separator. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. 
-# -# Alternatively, clients may be specified by interface -# by appending ":" followed by the interface name. For -# example, loc:eth1 specifies a client that -# communicates with the firewall system through eth1. -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones or $FW to indicate the firewall -# itself. -# -# The server may be further restricted to a particular -# subnet, host or interface by appending ":" and the -# subnet, host or interface. See above. -# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the RESULT is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# "all" or "related". If "related", the remainder of the -# entry must be omitted and connection requests that are -# related to existing requests will be accepted. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. 
-# -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ADDRESS in the next column, then place "-" -# in this column. -# -# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or -# REDIRECT) If included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. -# -# The address may optionally be followed by -# a colon (":") and a second IP address. This causes -# Shorewall to use the second IP address as the source -# address in forwarded packets. See the Shorewall -# documentation for restrictions concerning this feature. -# If no source IP address is given, the original source -# address is not altered. 
-# -# Example: Accept SMTP requests from the DMZ to the internet -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT dmz net tcp smtp -# -# Example: Forward all ssh and http connection requests from the internet -# to local system 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp ssh,http -# -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 -# -# Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 -############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT PORT(S) DEST -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index c9d0affdd..7587c6e33 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf 
@@ -259,4 +259,51 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No +# Merge Hosts File +# +# The traditional behavior of the /etc/shorewall/hosts file has been that +# if that file has ANY entry for a zone then the zone must be defined +# entirely in the hosts file. This is counter-intuitive and has caused +# people some problems. +# +# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file +# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file +# are added to the contents described in the /etc/shorewall/interfaces file. +# +# Example: Suppose that we have the following interfaces and hosts files: +# +# Interfaces: +# +# net eth0 +# loc eth1 +# - ppp+ +# +# Hosts: +# +# loc ppp+:192.168.1.0/24 +# wrk ppp+:!192.168.1.0/24 +# +# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just +# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be +# ppp+:192.168.1.0 and eth1:0.0.0.0/0 +# +# If this variable is not set or is set to the empty value, "No" is assumed. + +MERGE_HOSTS=Yes + +# +# Mutex Timeout +# +# The value of this variable determines the number of seconds that programs +# will wait for exclusive access to the Shorewall lock file. After the number +# of seconds corresponding to the value of this variable, programs will assume +# that the last program to hold the lock died without releasing the lock. +# +# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. +# +# An appropriate value for this parameter would be twice the length of time +# that it takes your firewall system to process a "shorewall restart" command. + +MUTEX_TIMEOUT=60 + #LAST LINE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces index 66e76340b..7217b1ebb 100755 --- a/Samples/three-interfaces/interfaces +++ b/Samples/three-interfaces/interfaces 
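Review bot: The MERGE_HOSTS example is internally inconsistent: the hosts-file line gives `loc ppp+:192.168.1.0/24`, but the sentence describing the MERGE_HOSTS=Yes result says the zone contains `ppp+:192.168.1.0 and eth1:0.0.0.0/0`, dropping the /24; it should read `# ppp+:192.168.1.0/24 and eth1:0.0.0.0/0`. For MUTEX_TIMEOUT the comment says that after the timeout a program assumes the previous holder died, but not what follows from a value that is too short; presumably a second invocation then proceeds while the first is still changing the ruleset, so stating that a too-small value risks two concurrent runs would make the "twice the restart time" advice easier to follow.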
@@ -73,6 +73,19 @@ # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules index dec4f7c20..d5bdedffa 100755 --- a/Samples/three-interfaces/rules +++ b/Samples/three-interfaces/rules @@ -71,14 +71,15 @@ # The port that the server is listening on may be # included and separated from the server's IP address by # ":". If omitted, the firewall will not modifiy the -# destination port. +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. # # Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port # 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# if the RESULT is REDIRECT, this column needs only to +# if the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # @@ -92,6 +93,8 @@ # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# A port range is expressed as :. +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones index a12cdbba8..85823961a 100644 
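Review bot: The added line `# A port range is expressed as :.` has nothing on either side of the colon as shown here. If the low/high placeholders were written in angle brackets and dropped by the renderer this is only a display artefact; otherwise the line should spell them out, e.g. `# A port range is expressed as <low port>:<high port>.`. The same line is added in Samples/two-interfaces/rules at @@ -92.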
--- a/Samples/three-interfaces/zones +++ b/Samples/three-interfaces/zones @@ -7,8 +7,6 @@ # DISPLAY Display name of the zone # COMMENTS Comments about the zone # -# $ is not permitted in this file. -# #ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces index 00dea382e..16ad36c80 100755 --- a/Samples/two-interfaces/interfaces +++ b/Samples/two-interfaces/interfaces @@ -48,6 +48,11 @@ # requests. 'filterping' takes # precedence over 'noping' if both are # given. +# routestopped - (Deprecated -- use +# /etc/shorewall/routestopped) +# When the firewall is stopped, allow +# and route traffic to and from this +# interface. # norfc1918 - This interface should not receive # any packets whose source is in one # of the ranges reserved by RFC 1918 @@ -68,6 +73,19 @@ # . . blacklist - Check packets arriving on this interface # against the /etc/shorewall/blacklist # file. +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your 
@@ -75,19 +93,21 @@ # it's IP address via DHCP from subnet # 206.191.149.192/27 and you want pings from the internet # to be ignored. You interface a DMZ with subnet -# 192.168.2.0/24 using eth2. +# 192.168.2.0/24 using eth2. You want to be able to +# access the firewall from the local network when the +# firewall is stopped. # # Your entries for this setup would look like: # # net eth0 206.191.149.223 noping,dhcp -# local eth1 192.168.1.255 +# local eth1 192.168.1.255 routestopped # dmz eth2 192.168.2.255 # # Example 2: The same configuration without specifying broadcast # addresses is: # # net eth0 detect noping,dhcp -# loc eth1 detect +# loc eth1 detect routestopped # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules index 83b406df3..f66742e48 100755 --- a/Samples/two-interfaces/rules +++ b/Samples/two-interfaces/rules @@ -71,14 +71,15 @@ # The port that the server is listening on may be # included and separated from the server's IP address by # ":". If omitted, the firewall will not modifiy the -# destination port. +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. # # Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port # 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# if the RESULT is REDIRECT, this column needs only to +# if the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # @@ -92,6 +93,8 @@ # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# A port range is expressed as :. +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain 
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones index 64eb03eec..c289cd9c3 100644 --- a/Samples/two-interfaces/zones +++ b/Samples/two-interfaces/zones @@ -7,8 +7,6 @@ # DISPLAY Display name of the zone # COMMENTS Comments about the zone # -# $ is not permitted in this file. -# #ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks