Remove 'LAST LINE' anachronisms
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
b6af7a0ebb
commit
665381f194
@ -105,8 +105,7 @@
|
|||||||
ACCEPT - - udp 135,445
|
ACCEPT - - udp 135,445
|
||||||
ACCEPT - - udp 137:139
|
ACCEPT - - udp 137:139
|
||||||
ACCEPT - - udp 1024: 137
|
ACCEPT - - udp 1024: 137
|
||||||
ACCEPT - - tcp 135,139,445
|
ACCEPT - - tcp 135,139,445</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>If you wish to modify one of the standard actions, do not modify
|
<para>If you wish to modify one of the standard actions, do not modify
|
||||||
the definition in <filename
|
the definition in <filename
|
||||||
|
@ -268,15 +268,13 @@
|
|||||||
System A:</para>
|
System A:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
ipsec net 134.28.54.2
|
ipsec net 134.28.54.2</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
|
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
|
||||||
System B:</para>
|
System B:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
ipsec net 206.162.148.9
|
ipsec net 206.162.148.9</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
@ -297,8 +295,7 @@ ipsec net 206.162.148.9
|
|||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
net ipv4
|
net ipv4
|
||||||
<emphasis role="bold">vpn ipv4</emphasis>
|
<emphasis role="bold">vpn ipv4</emphasis></programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>Remember the assumption that both systems A and B have eth0 as their
|
<para>Remember the assumption that both systems A and B have eth0 as their
|
||||||
@ -314,14 +311,12 @@ net ipv4
|
|||||||
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
|
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS OPTIONS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis>
|
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
|
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS OPTIONS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis>
|
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>Assuming that you want to give each local network free access to the
|
<para>Assuming that you want to give each local network free access to the
|
||||||
@ -495,7 +490,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
|||||||
net ipv4
|
net ipv4
|
||||||
<emphasis role="bold">vpn ipsec</emphasis>
|
<emphasis role="bold">vpn ipsec</emphasis>
|
||||||
loc ipv4
|
loc ipv4
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||||
@ -504,7 +499,7 @@ loc ipv4
|
|||||||
following entry should be made:<blockquote>
|
following entry should be made:<blockquote>
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
ipsec net 0.0.0.0/0 vpn
|
ipsec net 0.0.0.0/0 vpn
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
</blockquote></para>
|
</blockquote></para>
|
||||||
|
|
||||||
<para><note>
|
<para><note>
|
||||||
@ -521,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
|
|||||||
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
|
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS OPTIONS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
vpn eth0:0.0.0.0/0
|
vpn eth0:0.0.0.0/0</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>You will need to configure your <quote>through the tunnel</quote>
|
<para>You will need to configure your <quote>through the tunnel</quote>
|
||||||
@ -536,20 +530,17 @@ vpn eth0:0.0.0.0/0
|
|||||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
vpn ipsec
|
vpn ipsec
|
||||||
net ipv4
|
net ipv4
|
||||||
loc ipv4
|
loc ipv4</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
|
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
ipsec net 206.162.148.9 vpn
|
ipsec net 206.162.148.9 vpn</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
|
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS OPTIONS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
vpn eth0:0.0.0.0/0
|
vpn eth0:0.0.0.0/0</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>On system A, here are the IPsec files:</para>
|
<para>On system A, here are the IPsec files:</para>
|
||||||
@ -716,8 +707,7 @@ RACOON=/usr/sbin/racoon</programlisting>
|
|||||||
et ipv4
|
et ipv4
|
||||||
vpn ipsec
|
vpn ipsec
|
||||||
<emphasis role="bold">l2tp ipv4</emphasis>
|
<emphasis role="bold">l2tp ipv4</emphasis>
|
||||||
loc ipv4
|
loc ipv4</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>Since the L2TP will require the use of pppd, you will end up with
|
<para>Since the L2TP will require the use of pppd, you will end up with
|
||||||
@ -732,8 +722,7 @@ loc ipv4
|
|||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net eth0 detect routefilter
|
net eth0 detect routefilter
|
||||||
loc eth1 192.168.1.255
|
loc eth1 192.168.1.255
|
||||||
l2tp ppp+ -
|
l2tp ppp+ -</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>The next thing that must be done is to adjust the policy so that the
|
<para>The next thing that must be done is to adjust the policy so that the
|
||||||
@ -779,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
|
|||||||
l2tp net ACCEPT # Allows road warriors to connect to the Internet
|
l2tp net ACCEPT # Allows road warriors to connect to the Internet
|
||||||
net all DROP info
|
net all DROP info
|
||||||
# The FOLLOWING POLICY MUST BE LAST
|
# The FOLLOWING POLICY MUST BE LAST
|
||||||
all all REJECT info
|
all all REJECT info</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>The final step is to modify your rules file. There are three
|
<para>The final step is to modify your rules file. There are three
|
||||||
@ -809,8 +797,7 @@ ACCEPT vpn $FW udp 1701
|
|||||||
HTTP(ACCEPT) loc $FW
|
HTTP(ACCEPT) loc $FW
|
||||||
HTTP(ACCEPT) l2tp $FW
|
HTTP(ACCEPT) l2tp $FW
|
||||||
HTTPS(ACCEPT) loc $FW
|
HTTPS(ACCEPT) loc $FW
|
||||||
HTTPS(ACCEPT) l2tp $FW
|
HTTPS(ACCEPT) l2tp $FW</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -566,7 +566,6 @@ CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</pro
|
|||||||
|
|
||||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||||
eth3 1.3mbit 384kbit
|
eth3 1.3mbit 384kbit
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
|
|
||||||
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||||
eth3 10 full full 1 tcp-ack,tos-minimize-delay
|
eth3 10 full full 1 tcp-ack,tos-minimize-delay
|
||||||
|
@ -68,7 +68,7 @@
|
|||||||
<para>The following diagram shows the relationship between routing
|
<para>The following diagram shows the relationship between routing
|
||||||
decisions and Netfilter.</para>
|
decisions and Netfilter.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Netfilter.png" />
|
<graphic align="center" fileref="images/Netfilter.png"/>
|
||||||
|
|
||||||
<para>The light blue boxes indicate where routing decisions are made. Upon
|
<para>The light blue boxes indicate where routing decisions are made. Upon
|
||||||
exit from one of these boxes, if the packet is being sent to another
|
exit from one of these boxes, if the packet is being sent to another
|
||||||
@ -208,8 +208,7 @@
|
|||||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
206.124.146.177 eth1 eth0 No
|
206.124.146.177 eth1 eth0 No</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>The above entry will cause Shorewall to execute the following
|
<para>The above entry will cause Shorewall to execute the following
|
||||||
command:</para>
|
command:</para>
|
||||||
|
@ -526,9 +526,7 @@ net ipv4 #Internet
|
|||||||
loc ipv4 #Local wired Zone
|
loc ipv4 #Local wired Zone
|
||||||
dmz ipv4 #DMZ
|
dmz ipv4 #DMZ
|
||||||
vpn ipv4 #Open VPN clients
|
vpn ipv4 #Open VPN clients
|
||||||
wifi ipv4 #Local Wireless Zone
|
wifi ipv4 #Local Wireless Zone</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
||||||
</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||||
|
|
||||||
@ -547,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
|
|||||||
net loc DROP $LOG 2/sec:4
|
net loc DROP $LOG 2/sec:4
|
||||||
net dmz DROP $LOG 8/sec:30
|
net dmz DROP $LOG 8/sec:30
|
||||||
net vpn DROP $LOG
|
net vpn DROP $LOG
|
||||||
all all REJECT $LOG
|
all all REJECT $LOG</programlisting>
|
||||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>Note that the firewall<->local network interface
|
<para><filename>Note that the firewall<->local network interface
|
||||||
is wide open so from a security point of view, the firewall system is
|
is wide open so from a security point of view, the firewall system is
|
||||||
@ -570,9 +567,7 @@ EXT_IF=eth0
|
|||||||
WIFI_IF=eth2
|
WIFI_IF=eth2
|
||||||
TEST_IF=eth4
|
TEST_IF=eth4
|
||||||
|
|
||||||
OMAK=<IP address at our second home>
|
OMAK=<IP address at our second home></programlisting>
|
||||||
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/init</filename>:</para>
|
<para><filename>/etc/shorewall/init</filename>:</para>
|
||||||
|
|
||||||
@ -596,8 +591,7 @@ vpn tun+ -
|
|||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||||
COMMENT One-to-one NAT
|
COMMENT One-to-one NAT
|
||||||
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
|
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
|
||||||
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
|
206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||||
the <filename>following proxyarp</filename> file that allows me to
|
the <filename>following proxyarp</filename> file that allows me to
|
||||||
@ -621,36 +615,31 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
|
|||||||
|
|
||||||
COMMENT Masquerade Local Network
|
COMMENT Masquerade Local Network
|
||||||
|
|
||||||
$EXT_IF 192.168.1.0/24 206.124.146.179
|
$EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
192.168.1.1 $EXT_IF $INT_IF yes
|
192.168.1.1 $EXT_IF $INT_IF yes
|
||||||
206.124.146.177 $DMZ_IF $EXT_IF yes
|
206.124.146.177 $DMZ_IF $EXT_IF yes
|
||||||
192.168.1.7 $TEST_IF $INT_IF yes
|
192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION
|
<programlisting>#ACTION
|
||||||
Mirrors # Accept traffic from Shorewall Mirrors
|
Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
# PORT PORT(S) DEST LIMIT
|
||||||
ACCEPT $MIRRORS
|
ACCEPT $MIRRORS</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
|
@ -571,9 +571,7 @@ DMZ_IF=eth1
|
|||||||
EXT_IF=eth3
|
EXT_IF=eth3
|
||||||
WIFI_IF=eth4
|
WIFI_IF=eth4
|
||||||
|
|
||||||
OMAK=<IP address at our second home>
|
OMAK=<IP address at our second home></programlisting>
|
||||||
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/init</filename>:</para>
|
<para><filename>/etc/shorewall/init</filename>:</para>
|
||||||
|
|
||||||
|
@ -571,8 +571,7 @@ rc-update add bridge boot
|
|||||||
fw firewall
|
fw firewall
|
||||||
world ipv4
|
world ipv4
|
||||||
net:world bport
|
net:world bport
|
||||||
loc:world bport
|
loc:world bport</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>The <emphasis>world</emphasis> zone can be used when defining rules
|
<para>The <emphasis>world</emphasis> zone can be used when defining rules
|
||||||
whose source zone is the firewall itself (remember that fw-><BP
|
whose source zone is the firewall itself (remember that fw-><BP
|
||||||
@ -584,8 +583,7 @@ loc:world bport
|
|||||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info
|
all all REJECT info</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
|
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
|
||||||
|
|
||||||
@ -599,8 +597,7 @@ all all REJECT info
|
|||||||
<programlisting>#ZONE INTERFACE OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
world br0 bridge
|
world br0 bridge
|
||||||
net br0:eth0
|
net br0:eth0
|
||||||
loc br0:eth1
|
loc br0:eth1</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>The <emphasis>world</emphasis> zone is associated with the bridge
|
<para>The <emphasis>world</emphasis> zone is associated with the bridge
|
||||||
itself which is defined with the <emphasis role="bold">bridge</emphasis>
|
itself which is defined with the <emphasis role="bold">bridge</emphasis>
|
||||||
@ -616,8 +613,7 @@ loc br0:eth1
|
|||||||
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
|
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||||
br0 192.168.1.0/24 routeback
|
br0 192.168.1.0/24 routeback</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>The <filename>/etc/shorewall/rules</filename> file from the
|
<para>The <filename>/etc/shorewall/rules</filename> file from the
|
||||||
two-interface sample is a good place to start for defining a set of
|
two-interface sample is a good place to start for defining a set of
|
||||||
|
@ -1130,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
|||||||
INCLUDE params.mgmt
|
INCLUDE params.mgmt
|
||||||
|
|
||||||
# params unique to this host here
|
# params unique to this host here
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
||||||
|
|
||||||
----- end params -----
|
----- end params -----
|
||||||
|
|
||||||
shorewall/rules.mgmt:
|
shorewall/rules.mgmt:
|
||||||
@ -1151,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
|||||||
INCLUDE rules.mgmt
|
INCLUDE rules.mgmt
|
||||||
|
|
||||||
# rules unique to this host here
|
# rules unique to this host here
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
|
|
||||||
----- end rules -----</programlisting>
|
----- end rules -----</programlisting>
|
||||||
|
|
||||||
|