From 665381f1943327a747f3a9d692cd8e5d91fdbe66 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Feb 2016 12:04:32 -0800
Subject: [PATCH] Remove 'LAST LINE' anachronisms
Signed-off-by: Tom Eastep
---
docs/Actions.xml | 3 +--
docs/IPSEC-2.6.xml | 43 +++++++++++------------------
docs/PacketMarking.xml | 1 -
docs/Shorewall_and_Routing.xml | 5 ++--
docs/XenMyWay-Routed.xml | 29 +++++++------------
docs/XenMyWay.xml | 4 +--
docs/bridge-Shorewall-perl.xml | 12 +++------
docs/configuration_file_basics.xml | 5 ++--
8 files changed, 34 insertions(+), 68 deletions(-)
diff --git a/docs/Actions.xml b/docs/Actions.xml
index 615dfd4ff..b6471ef63 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -105,8 +105,7 @@ ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
-ACCEPT - - tcp 135,139,445
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ACCEPT - - tcp 135,139,445
If you wish to modify one of the standard actions, do not modify the definition in
#TYPE ZONE GATEWAY GATEWAY_ZONE
-ipsec net 134.28.54.2
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ipsec net 134.28.54.2
/etc/shorewall/tunnels — System B:
#TYPE ZONE GATEWAY GATEWAY_ZONE
-ipsec net 206.162.148.9
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ipsec net 206.162.148.9
@@ -297,8 +295,7 @@ ipsec net 206.162.148.9
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
net ipv4
-vpn ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+vpn ipv4
Remember the assumption that both systems A and B have eth0 as their
@@ -314,14 +311,12 @@ net ipv4
/etc/shorewall/hosts — System A
#ZONE HOSTS OPTIONS
-vpn eth0:10.0.0.0/8,134.28.54.2 ipsec
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+vpn eth0:10.0.0.0/8,134.28.54.2 ipsec
/etc/shorewall/hosts — System B
#ZONE HOSTS OPTIONS
-vpn eth0:192.168.1.0/24,206.162.148.9 ipsec
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+vpn eth0:192.168.1.0/24,206.162.148.9 ipsec
Assuming that you want to give each local network free access to the
@@ -495,7 +490,7 @@ sec ipsec mode=tunnel mss=1400vpn ipsec
loc ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
In this instance, the mobile system (B) has IP address 134.28.54.2
@@ -504,7 +499,7 @@ loc ipv4
following entry should be made:
#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
@@ -521,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
/etc/shorewall/hosts — System A:
#ZONE HOSTS OPTIONS
-vpn eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+vpn eth0:0.0.0.0/0
You will need to configure your through the tunnel
@@ -536,20 +530,17 @@ vpn eth0:0.0.0.0/0
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec
net ipv4
-loc ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+loc ipv4
/etc/shorewall/tunnels - System B:
#TYPE ZONE GATEWAY GATEWAY_ZONE
-ipsec net 206.162.148.9 vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ipsec net 206.162.148.9 vpn
/etc/shorewall/hosts - System B:
#ZONE HOSTS OPTIONS
-vpn eth0:0.0.0.0/0
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+vpn eth0:0.0.0.0/0
On system A, here are the IPsec files:
@@ -716,8 +707,7 @@ RACOON=/usr/sbin/racoon
et ipv4
vpn ipsec
l2tp ipv4
-loc ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+loc ipv4
Since the L2TP will require the use of pppd, you will end up with
@@ -732,8 +722,7 @@ loc ipv4
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 192.168.1.255
-l2tp ppp+ -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+l2tp ppp+ -
The next thing that must be done is to adjust the policy so that the
@@ -779,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info # The FOLLOWING POLICY MUST BE LAST
-all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+all all REJECT info
The final step is to modify your rules file. There are three
@@ -809,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
-HTTPS(ACCEPT) l2tp $FW
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+HTTPS(ACCEPT) l2tp $FW
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 96d86e75c..ead31475b 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -566,7 +566,6 @@ CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay
diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml
index d42da77e8..ee8de8021 100644
--- a/docs/Shorewall_and_Routing.xml
+++ b/docs/Shorewall_and_Routing.xml
@@ -68,7 +68,7 @@
The following diagram shows the relationship between routing decisions and Netfilter.
-
+
The light blue boxes indicate where routing decisions are made. Upon exit from one of these boxes, if the packet is being sent to another
@@ -208,8 +208,7 @@
/etc/shorewall/proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
-206.124.146.177 eth1 eth0 No
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+206.124.146.177 eth1 eth0 No
The above entry will cause Shorewall to execute the following command:
diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml
index 3a21ba8f9..9dd672580 100644
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -526,9 +526,7 @@ net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
-wifi ipv4 #Local Wireless Zone
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
+wifi ipv4 #Local Wireless Zone
/etc/shorewall/policy:
@@ -547,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
-all all REJECT $LOG
-#LAST LINE -- DO NOT REMOVE
+all all REJECT $LOG
Note that the firewall<->local network interface is wide open so from a security point of view, the firewall system is
@@ -570,9 +567,7 @@ EXT_IF=eth0
WIFI_IF=eth2
TEST_IF=eth4
-OMAK=<IP address at our second home>
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+OMAK=<IP address at our second home>
/etc/shorewall/init:
@@ -596,8 +591,7 @@ vpn tun+ -
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
-206.124.146.180 $EXT_IF:2 192.168.1.6 No No
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+206.124.146.180 $EXT_IF:2 192.168.1.6 No No
/etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to
@@ -621,36 +615,31 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network
-$EXT_IF 192.168.1.0/24 206.124.146.179
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+$EXT_IF 192.168.1.0/24 206.124.146.179
/etc/shorewall/proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
-192.168.1.7 $TEST_IF $INT_IF yes
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+192.168.1.7 $TEST_IF $INT_IF yes
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
-openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
/etc/shorewall/actions:
#ACTION
-Mirrors # Accept traffic from Shorewall Mirrors
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+Mirrors # Accept traffic from Shorewall Mirrors
/etc/shorewall/action.Mirrors:
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
-ACCEPT $MIRRORS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ACCEPT $MIRRORS
/etc/shorewall/rules:
diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml
index 5a8017d6e..f704f00dd 100644
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -571,9 +571,7 @@ DMZ_IF=eth1
EXT_IF=eth3
WIFI_IF=eth4
-OMAK=<IP address at our second home>
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+OMAK=<IP address at our second home>
/etc/shorewall/init:
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml
index 6be9ea228..fc2440045 100644
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -571,8 +571,7 @@ rc-update add bridge boot
fw firewall
world ipv4
net:world bport
-loc:world bport
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+loc:world bport
The world zone can be used when defining rules whose source zone is the firewall itself (remember that fw-><BP
@@ -584,8 +583,7 @@ loc:world bport
#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
-all all REJECT info
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+all all REJECT info
In /etc/shorewall/shorewall.conf:
@@ -599,8 +597,7 @@ all all REJECT info
#ZONE INTERFACE OPTIONS
world br0 bridge
net br0:eth0
-loc br0:eth1
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+loc br0:eth1
The world zone is associated with the bridge itself which is defined with the bridge
@@ -616,8 +613,7 @@ loc br0:eth1
/etc/shorewall/routestopped:
#INTERFACE HOST(S) OPTIONS
-br0 192.168.1.0/24 routeback
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+br0 192.168.1.0/24 routeback
The /etc/shorewall/rules file from the two-interface sample is a good place to start for defining a set of
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 9fda6a8cc..d58f93895 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1130,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123