mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Update one-interface sample with latest 3.0 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2717 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
193632b084
commit
76ba9e63ff
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.6 - Interfaces File
|
||||
# Shorewall version 3.0 - Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
@ -8,8 +8,9 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE Zone for this interface. Must match the short name
|
||||
# of a zone defined in /etc/shorewall/zones.
|
||||
# ZONE Zone for this interface. Must match the name of a
|
||||
# zone defined in /etc/shorewall/zones. You may not
|
||||
# list the firewall zone in this column.
|
||||
#
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you should
|
||||
@ -193,7 +194,7 @@
|
||||
#
|
||||
# upnp - Incoming requests from this interface
|
||||
# may be remapped via UPNP (upnpd).
|
||||
#
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
|
||||
#
|
||||
|
@ -1,15 +1,23 @@
|
||||
#
|
||||
# Shorewall 2.2 -- Sample Policy File For One Interface
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
# Shorewall version 3.0 - Policy File
|
||||
#
|
||||
# THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT!
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
||||
#
|
||||
# This file determines what to do with a new connection request if we
|
||||
# don't get a match from the /etc/shorewall/rules file For each
|
||||
# source/destination pair, the file is processed in order until a
|
||||
# don't get a match from the /etc/shorewall/rules file . For each
|
||||
# source/destination pair, the file is processed in order until a
|
||||
# match is found ("all" will match any client or server).
|
||||
#
|
||||
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
||||
#
|
||||
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||
# logging or TCP connection rate limiting but may be overridden by an
|
||||
# entry in this file. The overriding entry must be explicit (cannot use
|
||||
# "all" in the SOURCE or DEST).
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SOURCE Source zone. Must be the name of a zone defined
|
||||
@ -19,38 +27,39 @@
|
||||
# in /etc/shorewall/zones, $FW or "all"
|
||||
#
|
||||
# POLICY Policy if no match from the rules file is found. Must
|
||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
|
||||
#
|
||||
# ACCEPT
|
||||
# Accept the connection
|
||||
# DROP
|
||||
# Ignore the connection request.
|
||||
# REJECT
|
||||
# For TCP, send RST. For all other, send
|
||||
# "port unreachable" ICMP.
|
||||
# CONTINUE
|
||||
# Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or destination
|
||||
# zone in those rules is a superset of
|
||||
# the SOURCE or DEST in this policy)
|
||||
# NONE
|
||||
# Assume that there will never be any
|
||||
# packets from this SOURCE to this
|
||||
# DEST. Shorewall will not set up any
|
||||
# infrastructure to handle such packets
|
||||
# and you may not have any rules with
|
||||
# this SOURCE and DEST in the /etc/shorewall/rules
|
||||
# file. If such a packet is received the result
|
||||
# is undefined. NONE may not be used if the
|
||||
# SOURCE or DEST columns contain the firewall
|
||||
# zone ($FW) or "all".
|
||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||
#
|
||||
# ACCEPT - Accept the connection
|
||||
# DROP - Ignore the connection request
|
||||
# REJECT - For TCP, send RST. For all other,
|
||||
# send "port unreachable" ICMP.
|
||||
# QUEUE - Send the request to a user-space
|
||||
# application using the QUEUE target.
|
||||
# CONTINUE - Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or
|
||||
# destination zone in those rules is
|
||||
# a superset of the SOURCE or DEST
|
||||
# in this policy).
|
||||
# NONE - Assume that there will never be any
|
||||
# packets from this SOURCE
|
||||
# to this DEST. Shorewall will not set
|
||||
# up any infrastructure to handle such
|
||||
# packets and you may not have any
|
||||
# rules with this SOURCE and DEST in
|
||||
# the /etc/shorewall/rules file. If
|
||||
# such a packet _is_ received, the
|
||||
# result is undefined. NONE may not be
|
||||
# used if the SOURCE or DEST columns
|
||||
# contain the firewall zone ($FW) or
|
||||
# "all".
|
||||
#
|
||||
# If this column contains ACCEPT, DROP or REJECT and a
|
||||
# corresonding common action is defined in
|
||||
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
|
||||
# then that action will be invoked before the policy named in
|
||||
# this column is inforced.
|
||||
# corresponding common action is defined in
|
||||
# /etc/shorewall/actions (or
|
||||
# /usr/share/shorewall/actions.std) then that action
|
||||
# will be invoked before the policy named in this column
|
||||
# is enforced.
|
||||
#
|
||||
# LOG LEVEL If supplied, each connection handled under the default
|
||||
# POLICY is logged at that level. If not supplied, no
|
||||
@ -60,22 +69,18 @@
|
||||
# Beginning with Shorewall version 1.3.12, you may
|
||||
# also specify ULOG (must be in upper case). This will
|
||||
# log to the ULOG target and sent to a separate log
|
||||
# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
|
||||
# through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# If you don't want to log but need to specify the
|
||||
# following column, place "_" here.
|
||||
# following column, place "-" here.
|
||||
#
|
||||
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||
# and the size of an acceptable burst. If not specified,
|
||||
# TCP connections are not limited.
|
||||
#
|
||||
# As shipped, the default policies are:
|
||||
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||
#
|
||||
# a) All connections from the Firewall to the Internet are allowed
|
||||
# b) All connections from the Internet are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.6 - Rules File
|
||||
# Shorewall version 3.0 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
@ -19,6 +19,45 @@
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You *must* use a DNAT rule instead.
|
||||
#------------------------------------------------------------------------------
|
||||
#
|
||||
# The rules file is divided into sections. Each section is introduced by
|
||||
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||
# section name.
|
||||
#
|
||||
# Sections are as follows and must appear in the order listed:
|
||||
#
|
||||
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||
# by rules in this section.
|
||||
#
|
||||
# The only ACTIONs allowed in this section are
|
||||
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||
#
|
||||
# There is an implicit ACCEPT rule inserted
|
||||
# at the end of this section.
|
||||
#
|
||||
# RELATED Packets in the RELATED state are processed by
|
||||
# rules in this section.
|
||||
#
|
||||
# The only ACTIONs allowed in this section are
|
||||
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||
#
|
||||
# There is an implicit ACCEPT rule inserted
|
||||
# at the end of this section.
|
||||
#
|
||||
# NEW Packets in the NEW and INVALID states are
|
||||
# processed by rules in this section.
|
||||
#
|
||||
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||
# ESTABLISHED and RELATED sections must be empty.
|
||||
#
|
||||
# Note: If you are not familiar with Netfilter to the point where you are
|
||||
# comfortable with the differences between the various connection
|
||||
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||
# RELATED sections and place all of your rules in the NEW section.
|
||||
#
|
||||
# You may omit any section that you don't need. If no Section Headers appear
|
||||
# in the file then all rules are assumed to be in the NEW section.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
@ -77,6 +116,9 @@
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std.
|
||||
#
|
||||
# <macro> -- The name of a macro defined in a
|
||||
# file named macro.<macro-name>.
|
||||
#
|
||||
# The ACTION may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT:debug). This causes the packet to be
|
||||
@ -219,14 +261,20 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example
|
||||
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
@ -288,7 +336,7 @@
|
||||
#
|
||||
# See http://shorewall.net/PortKnocking.html for an
|
||||
# example of using an entry in this column with a
|
||||
# user-defined action rule.
|
||||
# user-defined action rule.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
@ -305,7 +353,7 @@
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
@ -368,15 +416,15 @@
|
||||
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
||||
# tcp 22
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
Ping/REJECT:none! net $FW
|
||||
Ping/REJECT net $FW
|
||||
|
||||
# Permit all ICMP traffic FROM the firewall TO the net zone
|
||||
|
||||
ACCEPT $FW net icmp
|
||||
ACCEPT $FW net icmp
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.6 - Zones File
|
||||
# Shorewall version 3.0 - Zones File
|
||||
#
|
||||
# /etc/shorewall/zones
|
||||
#
|
||||
@ -38,9 +38,9 @@
|
||||
# Your kernel and iptables must include policy
|
||||
# match support.
|
||||
# firewall
|
||||
# - Designates the firewall itself. You must have
|
||||
# - Designates the firewall itself. You must have
|
||||
# exactly one 'firewall' zone. No options are
|
||||
# permitted with a 'firewall' zone. The name that you
|
||||
# permitted with a 'firewall' zone. The name that you
|
||||
# enter in the ZONE column will be stored in the shell
|
||||
# variable $FW which you may use in other configuration
|
||||
# files to designate the firewall zone.
|
||||
|
Loading…
Reference in New Issue
Block a user