More cleanup

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8968 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-10 02:07:09 +00:00
parent 443d418eda
commit 63f3b609f7
10 changed files with 37 additions and 163 deletions

@ -16,5 +16,5 @@
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,nosmurfs
net eth0 detect tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -1,6 +1,6 @@
#
# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
# Shorewall6 version 4.0 - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006,2008 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@ -16,7 +16,7 @@
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
net eth0 detect tcpflags
loc eth1 detect tcpflags
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
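Review bot: The new `net eth0` and `loc eth1` entries drop `routefilter` and `logmartians` with no comment saying why, so a reader comparing this file with the IPv4 sample cannot tell whether the protection was removed on purpose. The compiler change in this same commit calls `setup_route_filtering` and `setup_martian_logging` only for `F_IPV4`, which suggests these options have no effect under IPv6. A line above the entries such as `# routefilter and logmartians are IPv4-only; spoofed-source filtering for IPv6 has to be handled elsewhere` would make that explicit. The same applies to the two-interface interfaces file later in this commit.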

@ -1,6 +1,6 @@
#
# Shorewall version 4.0 - Sample Rules File for three-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
# Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
# Copyright (C) 2006,2007,2008 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@ -47,9 +47,9 @@ Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
ACCEPT $FW net ipv6-icmp
ACCEPT $FW loc ipv6-icmp
ACCEPT $FW dmz ipv6-icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
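Review bot: The context comment that closes this hunk, `# Uncomment this if using Proxy ARP and static NAT ...`, is left untouched in a file whose header now says Shorewall6, while the compiler change in this commit calls `setup_proxy_arp` only for `F_IPV4`. If the commented-out rules that follow it (outside this hunk) are IPv4-specific, they should be removed or reworded so nobody enables them expecting an effect. It is also worth confirming that the `Ping/ACCEPT` macro lines resolve to ICMPv6 echo-request under Shorewall6, since only the explicit `icmp` entries were converted to `ipv6-icmp` here.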

@ -1,7 +1,6 @@
s###############################################################################
###############################################################################
#
# Shorewall version 4.0 - Sample shorewall.conf for three-interface
# configuration.
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
@ -15,7 +14,6 @@ s###############################################################################
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
@ -28,13 +26,6 @@ STARTUP_ENABLED=No
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=
###############################################################################
# L O G G I N G
###############################################################################
@ -57,21 +48,13 @@ LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
IP6TABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -81,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
@ -110,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_ENABLED=No
TC_EXPERT=No
@ -128,46 +101,20 @@ MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
@ -178,22 +125,20 @@ KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
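Review bot: The new header line reads `# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.`, but this is the three-interface sample and the sibling files in this commit are relabelled `Shorewall6 version 4.0`; it looks pasted from another file and should read something like `# Shorewall6 version 4.0 - Sample shorewall6.conf for three-interface configuration.`. The two-interface shorewall.conf section later in this commit has the same wrong header, and its copyright years go from `2006,2007` back to `2006`. Separately, if the second `CONFIG_PATH` line is the new one, `CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6` no longer lists an `/etc` directory, so it should be confirmed that the administrator's edited files are the ones compiled rather than the packaged defaults. `SUBSYSLOCK=/var/lock/subsys/shorewall` in the hunk context also still names the IPv4 product's lock file.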

@ -16,6 +16,6 @@
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
net eth0 detect tcpflags
loc eth1 detect tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -1,19 +0,0 @@
#
# Shorewall version 4.0 - Sample Masq file for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

@ -35,8 +35,8 @@ Ping/ACCEPT loc $FW
Ping/DROP net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT $FW loc ipv6-icmp
ACCEPT $FW net ipv6-icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -1,7 +1,7 @@
###############################################################################
#
# Shorewall version 4.0 - Sample shorewall.conf for two-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@ -26,13 +26,6 @@ STARTUP_ENABLED=No
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=
###############################################################################
# L O G G I N G
###############################################################################
@ -55,21 +48,13 @@ LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
IP6TABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -79,12 +64,10 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
@ -108,15 +91,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_ENABLED=No
TC_EXPERT=No
@ -126,74 +101,44 @@ MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
EXPAND_POLICIES=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

@ -17,7 +17,7 @@
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
net ipv6
loc ipv6
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

@ -949,14 +949,17 @@ sub compiler {
#
# /proc stuff
#
setup_arp_filtering;
setup_route_filtering;
setup_martian_logging;
if ( $family == F_IPV4 ) {
setup_arp_filtering;
setup_route_filtering;
setup_martian_logging;
}
setup_source_routing;
#
# Proxy Arp
#
setup_proxy_arp;
setup_proxy_arp if $family == F_IPV4;
#
# Handle MSS setings in the zones file
#
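Review bot: `setup_source_routing` is still called for both address families while its three neighbours are now wrapped in `if ( $family == F_IPV4 )`; its body is not in this hunk, so it should be confirmed that it writes the IPv6 `accept_source_route` setting when `$family` is IPv6 rather than only the IPv4 /proc entries. If it is IPv4-only today, an IPv6 firewall silently gets no source-routing control, and the call should either move inside the guard or be made family-aware. A short comment above the guard, e.g. `# ARP, rp_filter and log_martians exist only under /proc/sys/net/ipv4`, would also explain why these are skipped. `sub compiler` starts and ends outside the hunk.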