mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
More cleanup
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
443d418eda
commit
63f3b609f7
@ -16,5 +16,5 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect tcpflags,nosmurfs
|
||||
net eth0 detect tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,6 +1,6 @@
|
||||
#
|
||||
# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
# Shorewall6 version 4.0 - Sample Interfaces File for three-interface configuration.
|
||||
# Copyright (C) 2006,2008 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
@ -16,7 +16,7 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
|
||||
loc eth1 detect tcpflags,nosmurfs
|
||||
net eth0 detect tcpflags
|
||||
loc eth1 detect tcpflags
|
||||
dmz eth2 detect
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,6 +1,6 @@
|
||||
#
|
||||
# Shorewall version 4.0 - Sample Rules File for three-interface configuration.
|
||||
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||
# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
|
||||
# Copyright (C) 2006,2007,2008 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
@ -47,9 +47,9 @@ Ping/ACCEPT loc dmz
|
||||
Ping/ACCEPT dmz loc
|
||||
Ping/ACCEPT dmz net
|
||||
|
||||
ACCEPT $FW net icmp
|
||||
ACCEPT $FW loc icmp
|
||||
ACCEPT $FW dmz icmp
|
||||
ACCEPT $FW net ipv6-icmp
|
||||
ACCEPT $FW loc ipv6-icmp
|
||||
ACCEPT $FW dmz ipv6-icmp
|
||||
|
||||
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
|
||||
# the net zone to the dmz and loc
|
||||
|
@ -1,7 +1,6 @@
|
||||
s###############################################################################
|
||||
###############################################################################
|
||||
#
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for three-interface
|
||||
# configuration.
|
||||
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
@ -15,7 +14,6 @@ s###############################################################################
|
||||
#
|
||||
# The manpage is also online at
|
||||
# http://shorewall.net/manpages/shorewall.conf.html
|
||||
#
|
||||
###############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
###############################################################################
|
||||
@ -28,13 +26,6 @@ STARTUP_ENABLED=No
|
||||
|
||||
VERBOSITY=1
|
||||
|
||||
###############################################################################
|
||||
# C O M P I L E R
|
||||
# (setting this to 'perl' requires installation of Shorewall-perl)
|
||||
###############################################################################
|
||||
|
||||
SHOREWALL_COMPILER=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
@ -57,21 +48,13 @@ LOGALLNEW=
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
###############################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
###############################################################################
|
||||
|
||||
IPTABLES=
|
||||
IP6TABLES=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
@ -81,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6
|
||||
|
||||
RESTOREFILE=
|
||||
|
||||
IPSECFILE=zones
|
||||
|
||||
LOCKFILE=
|
||||
|
||||
###############################################################################
|
||||
@ -110,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||
# F I R E W A L L O P T I O N S
|
||||
###############################################################################
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
RETAIN_ALIASES=No
|
||||
|
||||
TC_ENABLED=Internal
|
||||
TC_ENABLED=No
|
||||
|
||||
TC_EXPERT=No
|
||||
|
||||
@ -128,46 +101,20 @@ MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TABLE=filter
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
SAVE_IPSETS=No
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
FASTACCEPT=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
HIGH_ROUTE_MARKS=No
|
||||
|
||||
USE_ACTIONS=Yes
|
||||
|
||||
OPTIMIZE=1
|
||||
|
||||
EXPORTPARAMS=No
|
||||
@ -178,22 +125,20 @@ KEEP_RT_TABLES=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
MULTICAST=No
|
||||
|
||||
DONT_LOAD=
|
||||
|
||||
AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
@ -16,6 +16,6 @@
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
|
||||
loc eth1 detect tcpflags,nosmurfs
|
||||
net eth0 detect tcpflags
|
||||
loc eth1 detect tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,19 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4.0 - Sample Masq file for two-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
# License as published by the Free Software Foundation; either
|
||||
# version 2.1 of the License, or (at your option) any later version.
|
||||
#
|
||||
# See the file README.txt for further details.
|
||||
#------------------------------------------------------------------------------
|
||||
# For information about entries in this file, type "man shorewall-masq"
|
||||
#
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
eth0 eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
@ -35,8 +35,8 @@ Ping/ACCEPT loc $FW
|
||||
|
||||
Ping/DROP net $FW
|
||||
|
||||
ACCEPT $FW loc icmp
|
||||
ACCEPT $FW net icmp
|
||||
ACCEPT $FW loc ipv6-icmp
|
||||
ACCEPT $FW net ipv6-icmp
|
||||
#
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,7 +1,7 @@
|
||||
###############################################################################
|
||||
#
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for two-interface configuration.
|
||||
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
@ -26,13 +26,6 @@ STARTUP_ENABLED=No
|
||||
|
||||
VERBOSITY=1
|
||||
|
||||
###############################################################################
|
||||
# C O M P I L E R
|
||||
# (setting this to 'perl' requires installation of Shorewall-perl)
|
||||
###############################################################################
|
||||
|
||||
SHOREWALL_COMPILER=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
@ -55,21 +48,13 @@ LOGALLNEW=
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
MACLIST_LOG_LEVEL=info
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
###############################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
###############################################################################
|
||||
|
||||
IPTABLES=
|
||||
IP6TABLES=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
@ -79,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6
|
||||
|
||||
RESTOREFILE=
|
||||
|
||||
IPSECFILE=zones
|
||||
|
||||
LOCKFILE=
|
||||
|
||||
###############################################################################
|
||||
@ -108,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||
# F I R E W A L L O P T I O N S
|
||||
###############################################################################
|
||||
|
||||
IP_FORWARDING=On
|
||||
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
RETAIN_ALIASES=No
|
||||
|
||||
TC_ENABLED=Internal
|
||||
TC_ENABLED=No
|
||||
|
||||
TC_EXPERT=No
|
||||
|
||||
@ -126,74 +101,44 @@ MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
MUTEX_TIMEOUT=60
|
||||
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TABLE=filter
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
SAVE_IPSETS=No
|
||||
|
||||
MAPOLDACTIONS=No
|
||||
|
||||
FASTACCEPT=No
|
||||
|
||||
IMPLICIT_CONTINUE=No
|
||||
|
||||
HIGH_ROUTE_MARKS=No
|
||||
|
||||
USE_ACTIONS=Yes
|
||||
|
||||
OPTIMIZE=1
|
||||
|
||||
EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
MULTICAST=No
|
||||
|
||||
DONT_LOAD=
|
||||
|
||||
AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
TCP_FLAGS_DISPOSITION=DROP
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
@ -17,7 +17,7 @@
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
net ipv6
|
||||
loc ipv6
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
@ -949,14 +949,17 @@ sub compiler {
|
||||
#
|
||||
# /proc stuff
|
||||
#
|
||||
setup_arp_filtering;
|
||||
setup_route_filtering;
|
||||
setup_martian_logging;
|
||||
if ( $family == F_IPV4 ) {
|
||||
setup_arp_filtering;
|
||||
setup_route_filtering;
|
||||
setup_martian_logging;
|
||||
}
|
||||
|
||||
setup_source_routing;
|
||||
#
|
||||
# Proxy Arp
|
||||
#
|
||||
setup_proxy_arp;
|
||||
setup_proxy_arp if $family == F_IPV4;
|
||||
#
|
||||
# Handle MSS setings in the zones file
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user