Remove 'LAST LINE' anachronisms

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-19 12:04:32 -08:00
parent b6af7a0ebb
commit 665381f194
8 changed files with 34 additions and 68 deletions

View File

@ -105,8 +105,7 @@
ACCEPT - - udp 135,445 ACCEPT - - udp 135,445
ACCEPT - - udp 137:139 ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137 ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445 ACCEPT - - tcp 135,139,445</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>If you wish to modify one of the standard actions, do not modify <para>If you wish to modify one of the standard actions, do not modify
the definition in <filename the definition in <filename

View File

@ -268,15 +268,13 @@
System A:</para> System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2 ipsec net 134.28.54.2</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> <para><filename><filename>/etc/shorewall/tunnels</filename></filename>
System B:</para> System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 ipsec net 206.162.148.9</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<note> <note>
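Review bot: the unchanged context line `<para><filename><filename>/etc/shorewall/tunnels</filename></filename>` in this hunk nests one `<filename>` element directly inside another; since the listing right below it is already being edited, collapse it to a single `<filename>/etc/shorewall/tunnels</filename>` in the same commit.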
@ -297,8 +295,7 @@ ipsec net 206.162.148.9
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
net ipv4 net ipv4
<emphasis role="bold">vpn ipv4</emphasis> <emphasis role="bold">vpn ipv4</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their <para>Remember the assumption that both systems A and B have eth0 as their
@ -314,14 +311,12 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para> <para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis> vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para> <para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis> vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Assuming that you want to give each local network free access to the <para>Assuming that you want to give each local network free access to the
@ -495,7 +490,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
net ipv4 net ipv4
<emphasis role="bold">vpn ipsec</emphasis> <emphasis role="bold">vpn ipsec</emphasis>
loc ipv4 loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote> </blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2 <para>In this instance, the mobile system (B) has IP address 134.28.54.2
@ -504,7 +499,7 @@ loc ipv4
following entry should be made:<blockquote> following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 0.0.0.0/0 vpn ipsec net 0.0.0.0/0 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> </programlisting>
</blockquote></para> </blockquote></para>
<para><note> <para><note>
@ -521,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para> <para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>You will need to configure your <quote>through the tunnel</quote> <para>You will need to configure your <quote>through the tunnel</quote>
@ -536,20 +530,17 @@ vpn eth0:0.0.0.0/0
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
vpn ipsec vpn ipsec
net ipv4 net ipv4
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para> <para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn ipsec net 206.162.148.9 vpn</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para> <para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0 vpn eth0:0.0.0.0/0</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>On system A, here are the IPsec files:</para> <para>On system A, here are the IPsec files:</para>
@ -716,8 +707,7 @@ RACOON=/usr/sbin/racoon</programlisting>
et ipv4 et ipv4
vpn ipsec vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis> <emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4 loc ipv4</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with <para>Since the L2TP will require the use of pppd, you will end up with
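Review bot: the first context line of this hunk reads `et ipv4`, which looks like a truncated `net ipv4` (the net zone is written `net ipv4` in every other zones listing in this patch); if the source file really contains `et`, fix it here, since the hunk already rewrites the end of this listing.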
@ -732,8 +722,7 @@ loc ipv4
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter net eth0 detect routefilter
loc eth1 192.168.1.255 loc eth1 192.168.1.255
l2tp ppp+ - l2tp ppp+ -</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The next thing that must be done is to adjust the policy so that the <para>The next thing that must be done is to adjust the policy so that the
@ -779,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info net all DROP info
# The FOLLOWING POLICY MUST BE LAST # The FOLLOWING POLICY MUST BE LAST
all all REJECT info all all REJECT info</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The final step is to modify your rules file. There are three <para>The final step is to modify your rules file. There are three
@ -809,8 +797,7 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW HTTPS(ACCEPT) l2tp $FW</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>

View File

@ -566,7 +566,6 @@ CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</pro
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay eth3 10 full full 1 tcp-ack,tos-minimize-delay
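Review bot: the column header on the first context line of this hunk is spelled `IN_BANDWITH` while the neighbouring column is `OUT_BANDWIDTH`; a reader copying this header into their tcdevices file gets an inconsistent comment line, so correct it to `IN_BANDWIDTH` while touching this listing.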

View File

@ -68,7 +68,7 @@
<para>The following diagram shows the relationship between routing <para>The following diagram shows the relationship between routing
decisions and Netfilter.</para> decisions and Netfilter.</para>
<graphic align="center" fileref="images/Netfilter.png" /> <graphic align="center" fileref="images/Netfilter.png"/>
<para>The light blue boxes indicate where routing decisions are made. Upon <para>The light blue boxes indicate where routing decisions are made. Upon
exit from one of these boxes, if the packet is being sent to another exit from one of these boxes, if the packet is being sent to another
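Review bot: the only change in this hunk is `<graphic ... />` becoming `<graphic .../>`, a whitespace-only edit unrelated to the LAST LINE cleanup named in the subject; it is harmless XML but will show up as noise in blame, so either drop it or mention it in the commit message.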
@ -208,8 +208,7 @@
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
206.124.146.177 eth1 eth0 No 206.124.146.177 eth1 eth0 No</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The above entry will cause Shorewall to execute the following <para>The above entry will cause Shorewall to execute the following
command:</para> command:</para>

View File

@ -526,9 +526,7 @@ net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
dmz ipv4 #DMZ dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone wifi ipv4 #Local Wireless Zone</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
@ -547,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4 net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30 net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG net vpn DROP $LOG
all all REJECT $LOG all all REJECT $LOG</programlisting>
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>Note that the firewall&lt;-&gt;local network interface <para><filename>Note that the firewall&lt;-&gt;local network interface
is wide open so from a security point of view, the firewall system is is wide open so from a security point of view, the firewall system is
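Review bot: the context line `<para><filename>Note that the firewall&lt;-&gt;local network interface` opens a `<filename>` element around an entire prose note rather than a path, so the whole sentence renders as a file name. Since the closing `</programlisting>` directly above is being moved anyway, replace that `<filename>` with plain `<para>` text (keeping the `&lt;-&gt;` entities) in the same change.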
@ -570,9 +567,7 @@ EXT_IF=eth0
WIFI_IF=eth2 WIFI_IF=eth2
TEST_IF=eth4 TEST_IF=eth4
OMAK=&lt;IP address at our second home&gt; OMAK=&lt;IP address at our second home&gt;</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para> <para><filename>/etc/shorewall/init</filename>:</para>
@ -596,8 +591,7 @@ vpn tun+ -
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
COMMENT One-to-one NAT COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No 206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No 206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in <para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to the <filename>following proxyarp</filename> file that allows me to
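Review bot: in the trailing context of this hunk, `<para><filename>/etc/shorewall/masq (Note the cute trick here and in the <filename>following proxyarp</filename> file` puts the path and the parenthetical note inside one `<filename>` and then nests a second `<filename>` around prose; the outer element should close right after `/etc/shorewall/masq`, and `following proxyarp` should not be marked up as a file name.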
@ -621,36 +615,31 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network COMMENT Masquerade Local Network
$EXT_IF 192.168.1.0/24 206.124.146.179 $EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para> <para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes 192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes 206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.7 $TEST_IF $INT_IF yes 192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para> <para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION <programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para> <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT # PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS ACCEPT $MIRRORS</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>

View File

@ -571,9 +571,7 @@ DMZ_IF=eth1
EXT_IF=eth3 EXT_IF=eth3
WIFI_IF=eth4 WIFI_IF=eth4
OMAK=&lt;IP address at our second home&gt; OMAK=&lt;IP address at our second home&gt;</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para> <para><filename>/etc/shorewall/init</filename>:</para>

View File

@ -571,8 +571,7 @@ rc-update add bridge boot
fw firewall fw firewall
world ipv4 world ipv4
net:world bport net:world bport
loc:world bport loc:world bport</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>The <emphasis>world</emphasis> zone can be used when defining rules <para>The <emphasis>world</emphasis> zone can be used when defining rules
whose source zone is the firewall itself (remember that fw-&gt;&lt;BP whose source zone is the firewall itself (remember that fw-&gt;&lt;BP
@ -584,8 +583,7 @@ loc:world bport
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para> <para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
@ -599,8 +597,7 @@ all all REJECT info
<programlisting>#ZONE INTERFACE OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
world br0 bridge world br0 bridge
net br0:eth0 net br0:eth0
loc br0:eth1 loc br0:eth1</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <emphasis>world</emphasis> zone is associated with the bridge <para>The <emphasis>world</emphasis> zone is associated with the bridge
itself which is defined with the <emphasis role="bold">bridge</emphasis> itself which is defined with the <emphasis role="bold">bridge</emphasis>
@ -616,8 +613,7 @@ loc br0:eth1
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para> <filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
<programlisting>#INTERFACE HOST(S) OPTIONS <programlisting>#INTERFACE HOST(S) OPTIONS
br0 192.168.1.0/24 routeback br0 192.168.1.0/24 routeback</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <filename>/etc/shorewall/rules</filename> file from the <para>The <filename>/etc/shorewall/rules</filename> file from the
two-interface sample is a good place to start for defining a set of two-interface sample is a good place to start for defining a set of
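Review bot: `<filename><filename>/etc/shorewall/routestopped</filename></filename>` in the first context line of this hunk is the same double nesting seen in the IPsec document earlier in this patch; one `<filename>` suffices, and the hunk already edits the listing immediately below it.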

View File

@ -1130,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE params.mgmt       INCLUDE params.mgmt   
   
   # params unique to this host here    # params unique to this host here
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE   
   ----- end params -----    ----- end params -----
   shorewall/rules.mgmt:    shorewall/rules.mgmt:
@ -1151,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
   INCLUDE rules.mgmt        INCLUDE rules.mgmt    
   
   # rules unique to this host here    # rules unique to this host here
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE   
   ----- end rules -----</programlisting>    ----- end rules -----</programlisting>
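Review bot: the hunk header `@ -1151,7 +1150,7` keeps the same line count on both sides, whereas the params hunk just above goes from 8 to 7 lines, so the `#LAST LINE` marker in this rules.mgmt listing appears to have been replaced by a whitespace-only line rather than deleted. Remove the line outright so both INCLUDE examples end the same way and no stray blank line precedes `----- end rules -----`.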