Update one-interface sample with latest 3.0 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2717 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-21 16:19:38 +00:00
parent 193632b084
commit 76ba9e63ff
4 changed files with 114 additions and 60 deletions


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Interfaces File # Shorewall version 3.0 - Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -8,8 +8,9 @@
# #
# Columns are: # Columns are:
# #
# ZONE Zone for this interface. Must match the short name # ZONE Zone for this interface. Must match the name of a
# of a zone defined in /etc/shorewall/zones. # zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
# #
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should


@ -1,15 +1,23 @@
# #
# Shorewall 2.2 -- Sample Policy File For One Interface # Shorewall version 3.0 - Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT! # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file For each # don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a # source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server). # match is found ("all" will match any client or server).
# #
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are: # Columns are:
# #
# SOURCE Source zone. Must be the name of a zone defined # SOURCE Source zone. Must be the name of a zone defined
@ -19,38 +27,39 @@
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE" # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
# #
# ACCEPT # ACCEPT - Accept the connection
# Accept the connection # DROP - Ignore the connection request
# DROP # REJECT - For TCP, send RST. For all other,
# Ignore the connection request. # send "port unreachable" ICMP.
# REJECT # QUEUE - Send the request to a user-space
# For TCP, send RST. For all other, send # application using the QUEUE target.
# "port unreachable" ICMP. # CONTINUE - Pass the connection request past
# CONTINUE # any other rules that it might also
# Pass the connection request past # match (where the source or
# any other rules that it might also # destination zone in those rules is
# match (where the source or destination # a superset of the SOURCE or DEST
# zone in those rules is a superset of # in this policy).
# the SOURCE or DEST in this policy) # NONE - Assume that there will never be any
# NONE # packets from this SOURCE
# Assume that there will never be any # to this DEST. Shorewall will not set
# packets from this SOURCE to this # up any infrastructure to handle such
# DEST. Shorewall will not set up any # packets and you may not have any
# infrastructure to handle such packets # rules with this SOURCE and DEST in
# and you may not have any rules with # the /etc/shorewall/rules file. If
# this SOURCE and DEST in the /etc/shorewall/rules # such a packet _is_ received, the
# file. If such a packet is received the result # result is undefined. NONE may not be
# is undefined. NONE may not be used if the # used if the SOURCE or DEST columns
# SOURCE or DEST columns contain the firewall # contain the firewall zone ($FW) or
# zone ($FW) or "all". # "all".
# #
# If this column contains ACCEPT, DROP or REJECT and a # If this column contains ACCEPT, DROP or REJECT and a
# corresonding common action is defined in # corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std) # /etc/shorewall/actions (or
# then that action will be invoked before the policy named in # /usr/share/shorewall/actions.std) then that action
# this column is inforced. # will be invoked before the policy named in this column
# is enforced.
# #
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
@ -60,22 +69,18 @@
# Beginning with Shorewall version 1.3.12, you may # Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will # also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log # log to the ULOG target and sent to a separate log
# through use of ulogd (http://www.gnumonks.org/projects/ulogd). # through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
# #
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "-" here.
# #
# LIMIT:BURST If passed, specifies the maximum TCP connection rate # LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified, # and the size of an acceptable burst. If not specified,
# TCP connections are not limited. # TCP connections are not limited.
# #
# As shipped, the default policies are: # See http://shorewall.net/Documentation.htm#Policy for additional information.
# #
# a) All connections from the Firewall to the Internet are allowed
# b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT $FW net ACCEPT
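Review bot: The new INTRA-ZONE paragraph in the first hunk of this file has a typo and an unbalanced parenthesis, and since it documents that the implicit zone-to-itself policy is ACCEPT it should read cleanly: `# For $FW and for all of the zones defined in /etc/shorewall/zones,` and `# logging or TCP connection rate limiting) but may be overridden by an`. The last hunk also drops the "As shipped, the default policies are" summary without replacing it; the sample's remaining policy entries follow `$FW net ACCEPT` outside the hunk, so a reader now has to reconstruct the shipped behaviour from the table alone. Consider keeping a short comment above the table that summarises what the entries below do, updated to match the 3.0 sample rather than copied from the 2.6 text.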


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Rules File # Shorewall version 3.0 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -19,6 +19,45 @@
# you cannot use an ACCEPT rule to allow traffic from the internet to # you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead. # that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are: # Columns are:
# #
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@ -77,6 +116,9 @@
# /etc/shorewall/actions or in # /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std. # /usr/share/shorewall/actions.std.
# #
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>.
#
# The ACTION may optionally be followed # The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or # by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be # DNAT:debug). This causes the packet to be
@ -219,14 +261,20 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "all". # a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
@ -368,15 +416,15 @@
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \ # ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22 # tcp 22
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded.. # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/REJECT:none! net $FW Ping/REJECT net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone # Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
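Review bot: The example rule `Ping/REJECT net $FW` in the last hunk drops the `:none!` suffix the 2.6 sample carried, but the comment above it still promises to "prevent your log from being flooded"; with no explicit log level the logging behaviour now depends on what the Ping macro does by itself, which the hunk does not show. Either confirm the macro does not log and reword the comment to say so, or keep the level explicit, e.g. `Ping/REJECT:none net $FW` if `none` remains an accepted level in 3.0 — please verify against the 3.0 macro syntax. The second hunk's SECTION description is otherwise clear; one wording nit there is `# NEW Packets in the NEW and INVALID states are`, which would benefit from a note that INVALID packets reach these rules too so operators do not assume they are dropped earlier.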


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Zones File # Shorewall version 3.0 - Zones File
# #
# /etc/shorewall/zones # /etc/shorewall/zones
# #