extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-26 17:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial revision

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1443 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-07-03 15:55:22 +00:00
parent 9fd5780f36
commit 75b911246b
68 changed files with 11517 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
LrpN/etc/init.d/shorewall Executable file
View File

@ -0,0 +1,74 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
#### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
### END INIT INFO
# chkconfig: 2345 25 90
# description: Packet filtering firewall
#
################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|restart|status"
exit 1
}
################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"
case "$command" in
stop|start|restart|status)
exec /sbin/shorewall $@
;;
*)
usage
;;
esac

73
LrpN/etc/shorewall/accounting Normal file
View File

@ -0,0 +1,73 @@
#
# Shorewall version 2.0 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number.
#
# DEST PORT Destination Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

27
LrpN/etc/shorewall/actions Normal file
View File

@ -0,0 +1,27 @@
#
# Shorewall 2.0 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in
# /etc/shorewall/action.<action-name>.
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain
# name as well as the requirements for a Bourne Shell identifier
# (must begin with a letter and be composed of letters, digits
# and underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
# ACCEPT policy respectively is enforced. If you specify ":DROP",
# ":REJECT" or ":ACCEPT" on more than one action then only the
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

43
LrpN/etc/shorewall/blacklist Normal file
View File

@ -0,0 +1,43 @@
#
# Shorewall 2.0 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

18
LrpN/etc/shorewall/ecn Normal file
View File

@ -0,0 +1,18 @@
#
# Shorewall 2.0 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

128
LrpN/etc/shorewall/hosts Normal file
View File

@ -0,0 +1,128 @@
#
# Shorewall 2.0 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
# c) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

6
LrpN/etc/shorewall/init Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#

7
LrpN/etc/shorewall/initdone Normal file
View File

@ -0,0 +1,7 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#

195
LrpN/etc/shorewall/interfaces Normal file
View File

@ -0,0 +1,195 @@
#
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

21
LrpN/etc/shorewall/maclist Normal file
View File

@ -0,0 +1,21 @@
#
# Shorewall 2.0 - MAC list file
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses.
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

134
LrpN/etc/shorewall/masq Normal file
View File

@ -0,0 +1,134 @@
#
# Shorewall 2.0 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

21
LrpN/etc/shorewall/modules Normal file
View File

@ -0,0 +1,21 @@
##############################################################################
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

37
LrpN/etc/shorewall/nat Normal file
View File

@ -0,0 +1,37 @@
##############################################################################
#
# Shorewall 2.0 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

25
LrpN/etc/shorewall/params Normal file
View File

@ -0,0 +1,25 @@
#
# Shorewall 2.0 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

89
LrpN/etc/shorewall/policy Normal file
View File

@ -0,0 +1,89 @@
#
# Shorewall 2.0 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE

44
LrpN/etc/shorewall/proxyarp Normal file
View File

@ -0,0 +1,44 @@
##############################################################################
#
# Shorewall 2.0 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

31
LrpN/etc/shorewall/routestopped Normal file
View File

@ -0,0 +1,31 @@
##############################################################################
#
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

335
LrpN/etc/shorewall/rules Executable file
View File

@ -0,0 +1,335 @@
#
# Shorewall version 2.0 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

643
LrpN/etc/shorewall/shorewall.conf Executable file
View File

@ -0,0 +1,643 @@
##############################################################################
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/shorewall.log
#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this section for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=ULOG
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=ULOG
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=ULOG
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=ULOG
#
# SMURF Log Level
#
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
SMURF_LOG_LEVEL=ULOG
#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#
BOGON_LOG_LEVEL=ULOG
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/state/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=No
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=No
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
DETECT_DNAT_IPADDRS=No
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
MUTEX_TIMEOUT=60
#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NETNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
NEWNOTSYN=Yes
#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# different naming convention then you can specify the suffix (extension) for
# module names in this variable.
#
# To see what suffix is used by your distribution:
#
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
#
MODULE_SUFFIX=
#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
# Should be set to "No" for LEAF/LRP
DISABLE_IPV6=No
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#
BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

6
LrpN/etc/shorewall/start Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#

6
LrpN/etc/shorewall/stop Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#

6
LrpN/etc/shorewall/stopped Normal file
View File

@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#

78
LrpN/etc/shorewall/tcrules Normal file
View File

@ -0,0 +1,78 @@
#
# Shorewall version 2.0 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Columns are:
#
#
# MARK The mark value which is an
# integer in the range 1-255
#
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# or "all".
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
#
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

52
LrpN/etc/shorewall/tos Normal file
View File

@ -0,0 +1,52 @@
#
# Shorewall 2.0 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

110
LrpN/etc/shorewall/tunnels Normal file
View File

@ -0,0 +1,110 @@
#
# Shorewall 2.0 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec:noah net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

19
LrpN/etc/shorewall/zones Executable file
View File

@ -0,0 +1,19 @@
#
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

1155
LrpN/sbin/shorewall Executable file
View File

File diff suppressed because it is too large Load Diff

10
LrpN/usr/share/shorewall/action.AllowAuth Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowDNS Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 53
ACCEPT - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowFTP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowIMAP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 143 #Unsecure IMAP
ACCEPT - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowNNTP Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 119
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowNTP Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowPCA Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5631
ACCEPT - - tcp 5632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowPOP3 Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - tcp 110 #Unsecure POP3
ACCEPT - - tcp 995 #Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowPing Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowRdate Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
LrpN/usr/share/shorewall/action.AllowSMB Normal file
View File

@ -0,0 +1,14 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
LrpN/usr/share/shorewall/action.AllowSMTP Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#
# Note: This action allows traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the AllowPOP3 or AllowIMAP actions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowSNMP Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 161:162
ACCEPT - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowSSH Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowTelnet Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowTrcrt Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 20 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 33434:33454 #UDP Traceroute
ACCEPT - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowVNC Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.AllowVNCL Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
LrpN/usr/share/shorewall/action.AllowWeb Normal file
View File

@ -0,0 +1,11 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - TCP 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
LrpN/usr/share/shorewall/action.Drop Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.Drop
#
# The default DROP common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
DropSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.DropDNSrep Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.DropPing Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
LrpN/usr/share/shorewall/action.DropSMB Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 135
DROP - - udp 137:139
DROP - - udp 445
DROP - - tcp 135
DROP - - tcp 139
DROP - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.DropUPnP Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
LrpN/usr/share/shorewall/action.Reject Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.Reject
#
# The default REJECT action common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

10
LrpN/usr/share/shorewall/action.RejectAuth Normal file
View File

@ -0,0 +1,10 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
LrpN/usr/share/shorewall/action.RejectSMB Normal file
View File

@ -0,0 +1,15 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - udp 135
REJECT - - udp 137:139
REJECT - - udp 445
REJECT - - tcp 135
REJECT - - tcp 139
REJECT - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

160
LrpN/usr/share/shorewall/action.template Normal file
View File

@ -0,0 +1,160 @@
#
# Shorewall 2.0 /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall/actions
# 2. Copy this file to /etc/shorewall/action.<action name>
# 3. Add the desired rules to that file.
#
# Columns are:
#
#
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# ACCEPT:debugging). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# 192.168.2.2 Host 192.168.2.2
#
# 155.186.235.0/24 Subnet 155.186.235.0/24
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

49
LrpN/usr/share/shorewall/actions.std Normal file
View File

@ -0,0 +1,49 @@
#
# Shorewall 2.0 /usr/share/shorewall/actions.std
#
#
# Builtin Actions are:
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

69
LrpN/usr/share/shorewall/bogons Normal file
View File

@ -0,0 +1,69 @@
#
# Shorewall 2.0-- Bogons File
#
# /etc/shorewall/bogons
#
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
#
# The default list includes those those ip ADDRESSES listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

7
LrpN/usr/share/shorewall/configpath Normal file
View File

@ -0,0 +1,7 @@
#
# Shorewall version 2.0 - Default Config Path
#
# /usr/share/shorewall/configpath
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

6400
LrpN/usr/share/shorewall/firewall Executable file
View File

File diff suppressed because it is too large Load Diff

769
LrpN/usr/share/shorewall/functions Normal file
View File

@ -0,0 +1,769 @@
#!/bin/sh
#
# Shorewall 2.0 -- /usr/share/shorewall/functions
#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1
while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done
return 1
}
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}
#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}
#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}
#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $1 = contents of variable which may be the name of another variable
{
eval echo \"$1\"
}
#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval
while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}
#
# Replace all leading "!" with "! " in the passed argument list
#
fix_bang() {
local i;
for i in $@; do
case $i in
!*)
echo "! ${i#!}"
;;
*)
echo $i
;;
esac
done
}
#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}
#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
local saveifs= directory
case $1 in
/*)
echo $1
;;
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done
IFS=$saveifs
echo /etc/shorewall/$1
fi
;;
esac
}
#
# Replace commas with spaces and echo the result
#
separate_list() {
local list
local part
local newlist
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
esac
list="$@"
part="${list%%,*}"
newlist="$part"
while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done
echo "$newlist"
}
#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe
if ! qt which modprobe; then
moduleloader=insmod
fi
if [ -z "$(lsmod | grep $modulename)" ]; then
shift
for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac
return
fi
done
fi
}
#
# Reload the Modules
#
reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do
eval $command
done
}
#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}
find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones()
{
local zonefile=$(find_file zones)
multi_display=Multi-zone
strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash
for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
eval ${zone}_display=\$dsply
done
}
#
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
#
get_statedir()
{
MUTEX_TIMEOUT=
local config=$(find_file shorewall.conf)
if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}
#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
#
mutex_on()
{
local try=0
local lockf=$STATEDIR/lock
MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
if [ $MUTEX_TIMEOUT -gt 0 ]; then
[ -d $STATEDIR ] || mkdir -p $STATEDIR
if qt which lockfile; then
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
else
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
sleep 1
try=$((${try} + 1))
done
if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
# Create the lockfile
echo $$ > ${lockf}
else
echo "Giving up on lock file ${lockf}" >&2
fi
fi
fi
}
#
# Call this function to release MUTEX
#
mutex_off()
{
rm -f $STATEDIR/lock
}
#
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp=`which mktemp 2> /dev/null`
if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}
#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {
[ -z "$MKTEMP" ] && find_mktemp
if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp /tmp/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f /tmp/shorewall-$$
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
fi
}
#
# create a temporary directory
#
mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
STD)
mktemp -td shorewall.XXXXXX
;;
None|BSD)
#
# Not all versions of the BSD mktemp support the -d option under Linux
#
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir"
;;
esac
}
#
# Read a file and handle "INCLUDE" directives
#
read_file() # $1 = file name, $2 = nest count
{
local first rest
if [ -f $1 ]; then
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file ${rest%#*}) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
else
[ -n "$terminator" ] && $terminator "No such file: $1"
echo "Warning -- No such file: $1"
fi
}
#
# Function for including one file into another
#
INCLUDE() {
. $(find_file $@)
}
#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname
[ $# = 1 ] && fname=$(find_file $1) || fname=$2
if [ -f $fname ]; then
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi
}
#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmatic and
# the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'
#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
IFS=.
for x in $1; do
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
done
echo $temp
IFS=$ifs
}
#
# convert an integer to dot quad format
#
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
y=$(($addr & 255)).$y
done
echo $y
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do
vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}
ip_range_explicit() {
local first last
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo $(encodeaddr $first)
first=$(($first + 1))
done
}
#
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
#
# Network address from CIDR
#
ip_network() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
echo $(encodeaddr $(($decodedaddr & $netmask)))
}
#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
ip_broadcast() {
local x=$(( 32 - ${1#*/} ))
[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}
#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)
echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}
#
# Test for network membership
#
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=$(ip_netmask $2)
test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}
#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
local c=${1%%+}
while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*-*)
c="${c%-*}_${c##*-}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
local pattern=${1%+}
case $1 in
*+)
#
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;;
*)
test "x$1" = "x$2"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo $(find_device $rest)
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="$(find_rt_interface $1)"
local first rest
[ -z "$dev" ] && dev=$(find_default_interface)
[ -n "$dev" ] && echo $dev
}

310
LrpN/usr/share/shorewall/help Executable file
View File

@ -0,0 +1,310 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
case $1 in
add)
echo "add: add <interface>[:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.
shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
;;
allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
check)
echo "check: check [ -c <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
;;
clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;
debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall debug start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'trace' is a synonym for 'debug'."
;;
delete)
echo "delete: delete <interface>[:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.
shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
See also \"help save\""
;;
help)
echo "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
;;
hits)
echo "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
;;
ipcalc)
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
;;
iprange)
echo "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
;;
logwatch)
echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
monitor)
echo "monitor: monitor [<refresh_interval>]
shorewall [-x] monitor [<refresh_interval>]
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
refresh)
echo "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help address\""
;;
reset)
echo "reset: reset
All the packet and byte counters in the firewall are reset."
;;
restart)
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained.
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
See also \"help save\" and \"help forget\""
;;
save)
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
show)
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)
shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)
shorewall [-x] show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)
shorewall show log - display the last 20 packet log entries.
shorewall show connections - displays the IP connections currently
being tracked by the firewall.
shorewall show tc - displays information about the traffic
control/shaping configuration.
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
start)
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
;;
stop)
echo "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
;;
status)
echo "status: status
shorewall [-x] status
Produce a verbose report about the firewall.
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
;;
trace)
echo "trace: trace
If you include the keyword trace as the first argument to any
of these commands:
start|stop|restart|reset|clear|refresh|check|add|delete
then a shell trace of the command is produced. For example:
shorewall trace start 2> /tmp/trace
The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.
The word 'debug' is a synonym for 'trace'."
;;
try)
echo "try: try <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration."
;;
version)
echo "version: version
Show the current shorewall version which is: $version"
;;
*)
echo "$1: $1 is not recognized by the help command"
;;
esac
exit 0 # always ok

26
LrpN/usr/share/shorewall/rfc1918 Normal file
View File

@ -0,0 +1,26 @@
#
# Shorewall 2.0-- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

1
LrpN/usr/share/shorewall/version Normal file
View File

@ -0,0 +1 @@
2.0.3c

24
LrpN/var/lib/lrpkg/shorwall.conf Normal file
View File

@ -0,0 +1,24 @@
/etc/shorewall/params Params Assign parameter values
/etc/shorewall/zones Zones Partition the network into Zones
/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
/etc/shorewall/hosts Hosts Define specific zones
/etc/shorewall/policy Policy Firewall high-level policy
/etc/shorewall/rules Rules Exceptions to policy
/etc/shorewall/maclist Maclist MAC Verification
/etc/shorewall/masq Masq Internal MASQ Server Configuration
/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'
/etc/shorewall/nat Nat Static NAT Configuration
/etc/shorewall/tunnels Tunnels Tunnel Definition (ipsec)
/etc/shorewall/tcrules TCRules FWMark Rules
/etc/shorewall/shorewall.conf Config Shorewall Global Parameters
/etc/shorewall/modules Modules Netfilter modules to load
/etc/shorewall/tos TOS Type of Service policy
/etc/shorewall/blacklist Blacklist Blacklisted hosts
/etc/shorewall/ecn ECN Disable ECN to hosts and networks
/etc/shorewall/init Init Commands executed before [re]start
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/actions Actions Define user actions

1
LrpN/var/lib/lrpkg/shorwall.exclude.list Normal file
View File

@ -0,0 +1 @@
var/lib/shorewall/*

3
LrpN/var/lib/lrpkg/shorwall.help Normal file
View File

@ -0,0 +1,3 @@
Shoreline Firewall (Shorewall)
Homepage: http://www.shorewall.net
Requires: iptables.lrp

6
LrpN/var/lib/lrpkg/shorwall.list Normal file
View File

@ -0,0 +1,6 @@
etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/share/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.*

1
LrpN/var/lib/lrpkg/shorwall.version Normal file
View File

@ -0,0 +1 @@
2.0.2c