Changes for 1.3.14

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@432 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-17 02:00:57 +01:00 · 2003-02-05 21:31:54 +00:00 · 2003-02-05 21:31:54 +00:00 · 79d00bdf9a
commit 79d00bdf9a
parent 50b692b6be
10 changed files with 105 additions and 85 deletions
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@ -46,18 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
-#			noping	     - icmp echo-request (ping) packets
-#				       addressed to the firewall should
-#				       be ignored on this interface
-#			filterping   - icmp echo-request (ping) packets 
-#				       addressed to the firewall should
-#				       be controlled by the rules file and
-#				       applicable policy. If neither 'noping'
-#				       nor 'filterping' are specified then
-#				       the firewall will respond to 'ping'
-#				       requests. 'filterping' takes 
-#				       precedence over 'noping' if both are
-#				       given.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
@ -117,29 +105,28 @@
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27 and you want pings from the internet
-#			to be ignored. You interface a DMZ with subnet
+#			206.191.149.192/27. You have a DMZ with subnet
 #			192.168.2.0/24 using eth2. You want to be able to
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
-#			net	eth0	206.191.149.223	noping,dhcp
+#			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
-#			net	eth0	detect		noping,dhcp
+#			net	eth0	detect		dhcp
 #			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
-#			connections and you want to ignore ping requests.
+#			connections.
 #
-#			net	ppp0	-		noping
+#			net	ppp0	-
 ##############################################################################
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
 net	eth0		detect		norfc1918,routefilter,dhcp
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@ -33,7 +33,7 @@
 #			also specify ULOG (must be in upper case). This will
 #			log to the ULOG target and sent to a separate log
 #			through use of ulogd
-#			q(http://www.gnumonks.org/projects/ulogd).
+#			(http://www.gnumonks.org/projects/ulogd).
 #
 #			If you don't want to log but need to specify the
 #			following column, place "_" here.
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -6,7 +6,14 @@
 #
 #  This file should be placed in /etc/shorewall
 #
-#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#
+# You should not have to change the variables in this section -- they are set
+# by the packager of your Shorewall distribution
+#
+SHARED_DIR=/usr/lib/shorewall
+#
 ##############################################################################
 #
 # General note about log levels. Log levels are a method of describing 
@ -394,12 +401,17 @@ MUTEX_TIMEOUT=60
 LOGNEWNOTSYN=

 #
-# Forward "Ping"
+# Old Ping Handling
 #
-# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
-# forwarded by the firewall.
-
-FORWARDPING=Yes
+# If this option is set to "Yes" then Shorewall will use its old ping handling
+# facility including the FORWARDPING option in this file and the 'noping' and
+# 'filterping' interface options. If this option is set to 'No' then ping
+# is handled via policy and rules just like any other connection request.
+#
+# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
+# DON'T DELETE IT!!!!!!
+#
+OLD_PING_HANDLING=No

 #
 # NEWNOTSYN
@ -495,4 +507,20 @@ RFC1918_LOG_LEVEL=info

 MARK_IN_FORWARD_CHAIN=No

+#
+# Clear Traffic Shapping/Control
+#
+# If this option is set to 'No' then Shorewall won't clear the current
+# traffic control rules during [re]start. This setting is intended
+# for use by people that prefer to configure traffic shaping when
+# the network interfaces come up rather than when the firewall
+# is started. If that is what you want to do, set TC_ENABLED=Yes and
+# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
+# way, your traffic shaping rules can still use the 'fwmark'
+# classifier based on packet marking defined in /etc/shorewall/tcrules.
+#
+# If omitted, CLEAR_TC=Yes is assumed.
+
+CLEAR_TC=Yes
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@ -46,18 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
-#			noping	     - icmp echo-request (ping) packets
-#				       addressed to the firewall should
-#				       be ignored on this interface
-#			filterping   - icmp echo-request (ping) packets 
-#				       addressed to the firewall should
-#				       be controlled by the rules file and
-#				       applicable policy. If neither 'noping'
-#				       nor 'filterping' are specified then
-#				       the firewall will respond to 'ping'
-#				       requests. 'filterping' takes 
-#				       precedence over 'noping' if both are
-#				       given.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
@ -117,32 +105,31 @@
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27 and you want pings from the internet
-#			to be ignored. You interface a DMZ with subnet
+#			206.191.149.192/27. You have a DMZ with subnet
 #			192.168.2.0/24 using eth2. You want to be able to
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
-#			net	eth0	206.191.149.223	noping,dhcp
+#			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
-#			net	eth0	detect		noping,dhcp
+#			net	eth0	detect		dhcp
 #			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
-#			connections and you want to ignore ping requests.
+#			connections.
 #
-#			net	ppp0	-		noping
+#			net	ppp0	-
 ##############################################################################
-#ZONE	 INTERFACE	BROADCAST	OPTIONS
-net     eth0		detect		dhcp,norfc1918
-loc	eth1		detect		routestopped
-dmz	eth2		detect		routestopped
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net	eth0		detect          dhcp,norfc1918
+loc	eth1            detect          routestopped
+dmz	eth2            detect          routestopped
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@ -9,7 +9,15 @@
 # Columns are:
 #
 #	INTERFACE -- Outgoing interface. This is usually your internet
-#		     interface. This may be qualified by adding the character
+#		     interface. If ADD_SNAT_ALIASES=Yes in
+#		     /etc/shorewall/shorewall.conf, you may add ":" and
+#		     a digit to indicate that you want the alias added with
+#                    that name (e.g., eth0:0). This will allow the alias to
+#		     be displayed with ifconfig. THAT IS THE ONLY USE FOR 
+#		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER 
+#		     PLACE IN YOUR SHOREWALL CONFIGURATION.
+#
+#		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
 #
@ -17,7 +25,7 @@
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface
 #		  must be up before you start the firewall.
-#
+#		  
 #		  In order to exclude a subset of the specified SUBNET, you
 #		  may append "!" and a comma-separated list of IP addresses
 #		  and/or subnets that you wish to exclude.
@ -74,13 +82,12 @@
 #	Example 4:
 #
 #		  You want all outgoing traffic from 192.168.1.0/24 through
-#		  eth0 to use source address 206.124.146.176.
+#		  eth0 to use source address 206.124.146.176 which is NOT the
+#		  primary address of eth0. You want 206.124.146.176 added to 
+#		  be added to eth0 with name eth0:0.
 #
-#			eth0	192.168.1.0/24	206.124.146.176
+#			eth0:0	192.168.1.0/24	206.124.146.176
 #
-#		  This would normally be done when you have a static external
-#		  IP address since it makes the processing of outgoing 
-#		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@ -24,6 +24,10 @@
 #				DNAT     -- Forward the request to another
 #					    system (and optionally another
 #					    port).
+#				DNAT-    -- Advanced users only. 
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #
@ -208,10 +212,12 @@ ACCEPT	dmz	  net			udp	53
 # Make ping work between the DMZ, net and local zone (assumes that the loc->
 # net policy is ACCEPT).
 #
+ACCEPT		net	  fw		icmp	8
+ACCEPT		loc	  fw		icmp	8
+ACCEPT		dmz	  fw		icmp	8
 ACCEPT		loc	  dmz           icmp    8
 ACCEPT		dmz	  loc		icmp	8
 ACCEPT		dmz	  net		icmp	8
 ACCEPT		net	  dmz		icmp	8 # Only with Proxy ARP and
 ACCEPT		net	  loc		icmp	8 # static NAT
-
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@ -46,18 +46,6 @@
 #                                      a DHCP server running on the firewall or
 #				       you have a static IP but are on a LAN
 #				       segment with lots of Laptop DHCP clients.
-#			noping	     - icmp echo-request (ping) packets
-#				       addressed to the firewall should
-#				       be ignored on this interface
-#			filterping   - icmp echo-request (ping) packets 
-#				       addressed to the firewall should
-#				       be controlled by the rules file and
-#				       applicable policy. If neither 'noping'
-#				       nor 'filterping' are specified then
-#				       the firewall will respond to 'ping'
-#				       requests. 'filterping' takes 
-#				       precedence over 'noping' if both are
-#				       given.
 #			routestopped - (Deprecated -- use 
 #				       /etc/shorewall/routestopped)
 #				       When the firewall is stopped, allow
@ -117,31 +105,30 @@
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27 and you want pings from the internet
-#			to be ignored. You interface a DMZ with subnet
+#			206.191.149.192/27. You have a DMZ with subnet
 #			192.168.2.0/24 using eth2. You want to be able to
 #			access the firewall from the local network when the
 #			firewall is stopped.
 #
 #			Your entries for this setup would look like:
 #
-#			net	eth0	206.191.149.223	noping,dhcp
+#			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255	routestopped
 #			dmz	eth2	192.168.2.255
 #
 #	Example 2:	The same configuration without specifying broadcast
 #			addresses is:
 #
-#			net	eth0	detect		noping,dhcp
+#			net	eth0	detect		dhcp
 #			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet
-#			connections and you want to ignore ping requests.
+#			connections.
 #
-#			net	ppp0	-		noping
+#			net	ppp0	-
 ##############################################################################
-#ZONE	 INTERFACE	BROADCAST	OPTIONS
-net	eth0		detect		dhcp,routefilter,norfc1918
-loc	eth1		detect		routestopped
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net	eth0            detect          dhcp,routefilter,norfc1918
+loc	eth1            detect
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@ -9,7 +9,15 @@
 # Columns are:
 #
 #	INTERFACE -- Outgoing interface. This is usually your internet
-#		     interface. This may be qualified by adding the character
+#		     interface. If ADD_SNAT_ALIASES=Yes in
+#		     /etc/shorewall/shorewall.conf, you may add ":" and
+#		     a digit to indicate that you want the alias added with
+#                    that name (e.g., eth0:0). This will allow the alias to
+#		     be displayed with ifconfig. THAT IS THE ONLY USE FOR 
+#		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER 
+#		     PLACE IN YOUR SHOREWALL CONFIGURATION.
+#
+#		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
 #
@ -17,7 +25,7 @@
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface
 #		  must be up before you start the firewall.
-#
+#		  
 #		  In order to exclude a subset of the specified SUBNET, you
 #		  may append "!" and a comma-separated list of IP addresses
 #		  and/or subnets that you wish to exclude.
@ -74,13 +82,12 @@
 #	Example 4:
 #
 #		  You want all outgoing traffic from 192.168.1.0/24 through
-#		  eth0 to use source address 206.124.146.176.
+#		  eth0 to use source address 206.124.146.176 which is NOT the
+#		  primary address of eth0. You want 206.124.146.176 added to 
+#		  be added to eth0 with name eth0:0.
 #
-#			eth0	192.168.1.0/24	206.124.146.176
+#			eth0:0	192.168.1.0/24	206.124.146.176
 #
-#		  This would normally be done when you have a static external
-#		  IP address since it makes the processing of outgoing 
-#		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@ -33,7 +33,7 @@
 #			also specify ULOG (must be in upper case). This will
 #			log to the ULOG target and sent to a separate log
 #			through use of ulogd
-#			q(http://www.gnumonks.org/projects/ulogd).
+#			(http://www.gnumonks.org/projects/ulogd).
 #
 #			If you don't want to log but need to specify the
 #			following column, place "_" here.
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@ -24,6 +24,10 @@
 #				DNAT     -- Forward the request to another
 #					    system (and optionally another
 #					    port).
+#				DNAT-    -- Advanced users only.
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #
@ -198,5 +202,12 @@ ACCEPT		fw	  net		udp	53
 # Accept SSH connections from the local network for administration
 #
 ACCEPT		loc	  fw		tcp	22
-
+#
+# Accept Ping Ubiquitously
+#
+ACCEPT		loc	fw		icmp	8
+ACCEPT		net	fw		icmp	8
+#
+# All ICMP are accepted fw->all
+#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE