Remove 'LAST LINE' anachronisms

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-19 12:04:32 -08:00
parent b6af7a0ebb
commit 665381f194
8 changed files with 34 additions and 68 deletions

View File

@ -105,8 +105,7 @@
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
ACCEPT - - tcp 135,139,445</programlisting>
<para>If you wish to modify one of the standard actions, do not modify
the definition in <filename
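Review bot: The replacement line correctly re-attaches `</programlisting>` to the last rule (`ACCEPT - - tcp 135,139,445`), so the listing stays well-formed after the marker line goes. Since the markers removed across this commit come in several spellings ("ADD YOUR ENTRIES BEFORE THIS ONE", "ABOVE THIS LINE", "ABOVE THIS ONE" and a bare "DO NOT REMOVE"), a final case-insensitive search of the docs for "LAST LINE" before merging would confirm no further variant survives.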

View File

@ -268,15 +268,13 @@
System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
ipsec net 134.28.54.2</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
ipsec net 206.162.148.9</programlisting>
</blockquote>
<note>
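Review bot: The context line `<para><filename><filename>/etc/shorewall/tunnels</filename></filename>` nests one `<filename>` inside another; since this hunk is already rewriting both tunnels listings around it, collapsing it to a single `<filename>/etc/shorewall/tunnels</filename>` here would be cheap. The two-line removal (15 → 13 in the hunk header) matches the two markers dropped.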
@ -297,8 +295,7 @@ ipsec net 206.162.148.9
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
net ipv4
<emphasis role="bold">vpn ipv4</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<emphasis role="bold">vpn ipv4</emphasis></programlisting>
</blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their
@ -314,14 +311,12 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
</blockquote>
<para>Assuming that you want to give each local network free access to the
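Review bot: The rewritten System A line keeps a leading space inside the emphasis (`<emphasis role="bold"> ipsec</emphasis>`) while the System B line has none (`<emphasis role="bold">ipsec</emphasis>`); since the System A line is being re-emitted anyway, dropping that space makes the two hosts listings render identically.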
@ -495,7 +490,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
net ipv4
<emphasis role="bold">vpn ipsec</emphasis>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
</blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
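Review bot: The replacement here puts `</programlisting>` on its own line after `loc ipv4`, which leaves a trailing empty line inside the rendered listing; every other hunk in this commit attaches the close tag to the last entry (`loc ipv4</programlisting>`). Suggest the same form here for consistency.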
@ -504,7 +499,7 @@ loc ipv4
following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
</blockquote></para>
<para><note>
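Review bot: Same layout point as the zones listing just above: `</programlisting>` on a line of its own after `ipsec net 0.0.0.0/0 vpn` adds a blank line to the rendered listing. Attaching it, as in `ipsec net 0.0.0.0/0 vpn</programlisting>`, matches the rest of the commit.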
@ -521,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:0.0.0.0/0</programlisting>
</blockquote>
<para>You will need to configure your <quote>through the tunnel</quote>
@ -536,20 +530,17 @@ vpn eth0:0.0.0.0/0
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec
net ipv4
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
loc ipv4</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
ipsec net 206.162.148.9 vpn</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
vpn eth0:0.0.0.0/0</programlisting>
</blockquote>
<para>On system A, here are the IPsec files:</para>
@ -716,8 +707,7 @@ RACOON=/usr/sbin/racoon</programlisting>
et ipv4
vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
loc ipv4</programlisting>
</blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with
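Review bot: The first context line of this hunk reads `et ipv4`, whereas the other zones listings in this document and the hunk's own following header context use `net ipv4`; worth checking whether the source line is missing its leading `n`, since it is not touched by this change and would otherwise remain as a typo in the zones example.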
@ -732,8 +722,7 @@ loc ipv4
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 192.168.1.255
l2tp ppp+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
l2tp ppp+ -</programlisting>
</blockquote>
<para>The next thing that must be done is to adjust the policy so that the
@ -779,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
all all REJECT info</programlisting>
</blockquote>
<para>The final step is to modify your rules file. There are three
@ -809,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
HTTPS(ACCEPT) l2tp $FW</programlisting>
</blockquote>
</section>

View File

@ -566,7 +566,6 @@ CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</pro
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay
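Review bot: In this listing the `#LAST LINE` marker was the only visual separator between the tcdevices entry (`eth3 1.3mbit 384kbit`) and the tcclasses header (`#INTERFACE MARK RATE CEIL PRIORITY OPTIONS`) that follows in the same `<programlisting>`; with it gone the two tables run together. Suggest either a blank line between them or, better, splitting them into two listings, each introduced by its file name.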

View File

@ -68,7 +68,7 @@
<para>The following diagram shows the relationship between routing
decisions and Netfilter.</para>
<graphic align="center" fileref="images/Netfilter.png" />
<graphic align="center" fileref="images/Netfilter.png"/>
<para>The light blue boxes indicate where routing decisions are made. Upon
exit from one of these boxes, if the packet is being sent to another
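Review bot: This hunk is a whitespace-only change to the `<graphic>` tag (`/>` versus ` />`), unrelated to the LAST LINE removal the commit message describes; harmless, but it would be clearer either mentioned in the commit message or left for a separate formatting commit.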
@ -208,8 +208,7 @@
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
206.124.146.177 eth1 eth0 No</programlisting>
<para>The above entry will cause Shorewall to execute the following
command:</para>

View File

@ -526,9 +526,7 @@ net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
wifi ipv4 #Local Wireless Zone</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
@ -547,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE</programlisting>
all all REJECT $LOG</programlisting>
<para><filename>Note that the firewall&lt;-&gt;local network interface
is wide open so from a security point of view, the firewall system is
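Review bot: The trailing context line `<para><filename>Note that the firewall&lt;-&gt;local network interface` wraps an entire sentence of prose in `<filename>`, which is the wrong element for it; with the policy listing directly above being edited, this would be a good moment to turn that into a plain `<para>` (or a `<note>`). The marker removed in this hunk is the bare `#LAST LINE -- DO NOT REMOVE` spelling, so any follow-up search should not assume the longer wording.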
@ -570,9 +567,7 @@ EXT_IF=eth0
WIFI_IF=eth2
TEST_IF=eth4
OMAK=&lt;IP address at our second home&gt;
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
OMAK=&lt;IP address at our second home&gt;</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>
@ -596,8 +591,7 @@ vpn tun+ -
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
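Review bot: The trailing context `<para><filename>/etc/shorewall/masq (Note the cute trick here and in the <filename>following proxyarp</filename> file ...` opens a `<filename>` around the path and then runs the explanatory note and a nested `<filename>` inside it; the element should close after `/etc/shorewall/masq` and the note should sit in plain paragraph text. Not introduced by this change, but adjacent to it.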
@ -621,36 +615,31 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network
$EXT_IF 192.168.1.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
$EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.7 $TEST_IF $INT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>

View File

@ -571,9 +571,7 @@ DMZ_IF=eth1
EXT_IF=eth3
WIFI_IF=eth4
OMAK=&lt;IP address at our second home&gt;
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
OMAK=&lt;IP address at our second home&gt;</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>

View File

@ -571,8 +571,7 @@ rc-update add bridge boot
fw firewall
world ipv4
net:world bport
loc:world bport
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
loc:world bport</programlisting>
<para>The <emphasis>world</emphasis> zone can be used when defining rules
whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@ -584,8 +583,7 @@ loc:world bport
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
all all REJECT info</programlisting>
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@ -599,8 +597,7 @@ all all REJECT info
<programlisting>#ZONE INTERFACE OPTIONS
world br0 bridge
net br0:eth0
loc br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
loc br0:eth1</programlisting>
<para>The <emphasis>world</emphasis> zone is associated with the bridge
itself which is defined with the <emphasis role="bold">bridge</emphasis>
@ -616,8 +613,7 @@ loc br0:eth1
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
<programlisting>#INTERFACE HOST(S) OPTIONS
br0 192.168.1.0/24 routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
br0 192.168.1.0/24 routeback</programlisting>
<para>The <filename>/etc/shorewall/rules</filename> file from the
two-interface sample is a good place to start for defining a set of
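Review bot: The context line `<filename><filename>/etc/shorewall/routestopped</filename></filename>` has the same doubled `<filename>` nesting seen in the IPsec document; since the routestopped listing right below it is being rewritten, collapsing it to one `<filename>` here keeps the markup clean.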

View File

@ -1130,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE params.mgmt   
 
   # params unique to this host here
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
  
   ----- end params -----
   shorewall/rules.mgmt:
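Review bot: After the marker is dropped, the block still ends with `INCLUDE params.mgmt` carrying trailing spaces and a whitespace-only line before `----- end params -----`; since this hunk is already reshaping the tail of the block, trimming that trailing whitespace (here and in the matching rules block that follows) would leave a cleaner listing.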
@ -1151,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE rules.mgmt    
 
   # rules unique to this host here
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  
   ----- end rules -----</programlisting>