Changes for 1.3.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@159 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -48,6 +48,11 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@@ -68,6 +73,19 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			proxyarp     - 
+#				Sets 
+#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#				Do NOT use this option if you are
+#				employing Proxy ARP through entries in
+#				/etc/shorewall/proxyarp. This option is
+#				intended soley for use with Proxy ARP
+#				sub-networking as described at:
+#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#			
+#			The order in which you list the options is not
+#			significant but the list should have no embedded white
+#			space.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
@@ -75,19 +93,21 @@
 #			it's IP address via DHCP from subnet
 #			206.191.149.192/27 and you want pings from the internet
 #			to be ignored. You interface a DMZ with subnet
-#			192.168.2.0/24 using eth2.
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
 #			net	eth0	206.191.149.223	noping,dhcp
-#			local	eth1	192.168.1.255
+#			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
 #			net	eth0	detect		noping,dhcp
-#			loc	eth1	detect
+#			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet

Samples/one-interface/rules

@@ -1,170 +0,0 @@
-#
-# Shorewall version 1.3 - Rules File
-#
-# /etc/shorewall/rules
-#
-#	Rules in this file govern connection establishment. Requests and
-#	responses are automatically allowed using connection tracking.
-#
-#	In most places where an IP address or subnet is allowed, you
-#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
-#	indicate that the rule matches all addresses except the address/subnet
-#	given. Notice that no white space is permitted between "!" and the
-#	address/subnet.
-#
-# Columns are:
-#
-#
-#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
-#
-#				ACCEPT   -- allow the connection request
-#				DROP     -- ignore the request
-#				REJECT   -- disallow the request and return an
-#					    icmp-unreachable or an RST packet.
-#				DNAT     -- Forward the request to another
-#					    system (and optionally another
-#					    port).
-#				REDIRECT -- Redirect the request to a local
-#					    port on the firewall.
-#
-#			May optionally be followed by ":" and a syslog log
-#			level (e.g, REJECT:info). This causes the packet to be
-#			logged at the specified level.
-#
-#	SOURCE		Source hosts to which the rule applies. May be a zone
-#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself. If the ACTION is DNAT or REDIRECT,
-#			sub-zones of the specified zone may be excluded from
-#			the rule by following the zone name with "!' and a
-#			comma-separated list of sub-zone names.
-#
-#			Clients may be further restricted to a list of subnets
-#			and/or hosts by appending ":" and a comma-separated
-#			list of subnets and/or hosts. Hosts may be specified
-#			by IP or MAC address; mac addresses must begin with
-#			"~" and must use "-" as a separator.
-#
-#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
-#
-#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
-#						Internet
-#
-#			loc:192.168.1.1,192.168.1.2
-#						Hosts 192.168.1.1 and
-#						192.168.1.2 in the local zone.
-#			loc:~00-A0-C9-15-39-78  Host in the local zone with
-#                                               MAC address 00:A0:C9:15:39:78.
-#
-#			Alternatively, clients may be specified by interface
-#			by appending ":" followed by the interface name. For
-#			example, loc:eth1 specifies a client that
-#			communicates with the firewall system through eth1.
-#
-#	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or $FW to indicate the firewall
-#			itself.
-#
-#			The server may be further restricted to a particular
-#			subnet, host or interface by appending ":" and the
-#			subnet, host or interface. See above.
-#
-#			The port that the server is listening on may be
-#			included and separated from the server's IP address by
-#			":". If omitted, the firewall will not modifiy the
-#			destination port.
-#
-#			Example: loc:192.168.1.3:3128 specifies a local
-#			server at IP address 192.168.1.3 and listening on port
-#			3128. The port number MUST be specified as an integer
-#			and not as a name from /etc/services.
-#
-#			if the RESULT is REDIRECT, this column needs only to
-#			contain the port number on the firewall that the
-#			request should be redirected to.
-#
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
-#			"all" or "related". If "related", the remainder of the
-#			entry must be omitted and connection requests that are
-#			related to existing requests will be accepted.
-#
-#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
-#			names (from /etc/services), port numbers or port
-#			ranges; if the protocol is "icmp", this column is
-#			interpreted as the destination icmp-type(s).
-#
-#			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following ields are supplied.
-#			In that case, it is suggested that this field contain
-#			 "-"
-#
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
-#			only a single Netfilter rule will be generated if in
-#			this list and the CLIENT PORT(S) list below:
-#			1. There are 15 or less ports listed.
-#			2. No port ranges are included.
-#			Otherwise, a separate rule will be generated for each
-#			port.
-#
-#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
-#			any source port is acceptable. Specified as a comma-
-#			separated list of port names, port numbers or port
-#			ranges.
-#
-#			If you don't want to restrict client ports but need to
-#			specify an ADDRESS in the next column, then place "-"
-#			in this column.
-#
-#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
-#			only a single Netfilter rule will be generated if in
-#			this list and the DEST PORT(S) list above:
-#			1. There are 15 or less ports listed.
-#			2. No port ranges are included.
-#			Otherwise, a separate rule will be generated for each
-#			port.
-#
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or 
-#                       REDIRECT) If included and different from the IP
-#			address given in the SERVER column, this is an address
-#			on some interface on the firewall and connections to
-#			that address will be forwarded to the IP and port
-#			specified in the DEST column.
-#
-#			The address may optionally be followed by
-#			a colon (":") and a second IP address. This causes
-#			Shorewall to use the second IP address as the source
-#			address in forwarded packets. See the Shorewall
-#			documentation for restrictions concerning this feature.
-#			If no source IP address is given, the original source
-#			address is not altered.
-#
-#	Example: Accept SMTP requests from the DMZ to the internet
-#
-#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
-#	#                               PORT    PORT(S) DEST
-#	ACCEPT	dmz	net	  tcp	smtp
-#
-#	Example: Forward all ssh and http connection requests from the internet
-#		 to local system 192.168.1.3
-#
-#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
-#	#                                       PORT    PORT(S) DEST
-#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
-#
-#	Example: Redirect all locally-originating www connection requests to
-#		 port 3128 on the firewall (Squid running on the firewall
-#		 system) except when the destination address is 192.168.2.2
-#
-#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
-#	#                               PORT    PORT(S) DEST
-#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
-#
-#	Example: All http requests from the internet to address
-#                130.252.100.69 are to be forwarded to 192.168.1.3
-#
-#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
-#	#                               	PORT    PORT(S) DEST
-#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
-##############################################################################
-#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
-#                       	        	PORT    PORT(S)    DEST
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/shorewall.conf

@@ -259,4 +259,51 @@ MULTIPORT=No
 
 DETECT_DNAT_IPADDRS=No
 
+# Merge Hosts File
+#
+# The traditional behavior of the /etc/shorewall/hosts file has been that
+# if that file has ANY entry for a zone then the zone must be defined 
+# entirely in the hosts file. This is counter-intuitive and has caused 
+# people some problems.
+#
+# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
+# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
+# are added to the contents described in the /etc/shorewall/interfaces file.
+#
+# Example: Suppose that we have the following interfaces and hosts files:
+#
+# Interfaces:
+#
+#	net	eth0
+#	loc	eth1	
+#	-	ppp+
+#
+# Hosts:
+#
+#	loc	ppp+:192.168.1.0/24
+#	wrk	ppp+:!192.168.1.0/24
+#
+# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
+# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
+# ppp+:192.168.1.0 and eth1:0.0.0.0/0
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
+MERGE_HOSTS=Yes
+
+#
+# Mutex Timeout
+#
+# The value of this variable determines the number of seconds that programs
+# will wait for exclusive access to the Shorewall lock file. After the number
+# of seconds corresponding to the value of this variable, programs will assume
+# that the last program to hold the lock died without releasing the lock.
+#
+# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
+#
+# An appropriate value for this parameter would be twice the length of time
+# that it takes your firewall system to process a "shorewall restart" command.
+
+MUTEX_TIMEOUT=60
+
 #LAST LINE -- DO NOT REMOVE

Samples/three-interfaces/interfaces

@@ -73,6 +73,19 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			proxyarp     - 
+#				Sets 
+#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#				Do NOT use this option if you are
+#				employing Proxy ARP through entries in
+#				/etc/shorewall/proxyarp. This option is
+#				intended soley for use with Proxy ARP
+#				sub-networking as described at:
+#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#			
+#			The order in which you list the options is not
+#			significant but the list should have no embedded white
+#			space.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your

Samples/three-interfaces/rules

@@ -71,14 +71,15 @@
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
-#			destination port.
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
 #
 #			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
 #			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			if the RESULT is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
@@ -92,6 +93,8 @@
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			A port range is expressed as <low port>:<high port>.
+#			
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain

Samples/three-interfaces/zones

@@ -7,8 +7,6 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
-# $<variable-name> is not permitted in this file.
-#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local networks

Samples/two-interfaces/interfaces

@@ -48,6 +48,11 @@
 #				       requests. 'filterping' takes 
 #				       precedence over 'noping' if both are
 #				       given.
+#			routestopped - (Deprecated -- use 
+#				       /etc/shorewall/routestopped)
+#				       When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@@ -68,6 +73,19 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
+#			proxyarp     - 
+#				Sets 
+#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#				Do NOT use this option if you are
+#				employing Proxy ARP through entries in
+#				/etc/shorewall/proxyarp. This option is
+#				intended soley for use with Proxy ARP
+#				sub-networking as described at:
+#				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
+#			
+#			The order in which you list the options is not
+#			significant but the list should have no embedded white
+#			space.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
@@ -75,19 +93,21 @@
 #			it's IP address via DHCP from subnet
 #			206.191.149.192/27 and you want pings from the internet
 #			to be ignored. You interface a DMZ with subnet
-#			192.168.2.0/24 using eth2.
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
 #			net	eth0	206.191.149.223	noping,dhcp
-#			local	eth1	192.168.1.255
+#			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
 #			net	eth0	detect		noping,dhcp
-#			loc	eth1	detect
+#			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet

Samples/two-interfaces/rules

@@ -71,14 +71,15 @@
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
-#			destination port.
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
 #
 #			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
 #			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			if the RESULT is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
@@ -92,6 +93,8 @@
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			A port range is expressed as <low port>:<high port>.
+#			
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain

Samples/two-interfaces/zones

@@ -7,8 +7,6 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
-# $<variable-name> is not permitted in this file.
-#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local networks