extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 22:30:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove Samples from Shorewall project

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2910 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-10-20 22:47:10 +00:00
parent 2e17cc8a0e
commit 7aa7de5bfa
18 changed files with 7 additions and 3186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Shorewall/Samples/README.txt
View File

@ -1,3 +0,0 @@
For instructions on using these sample configurations, please see
http://www.shorewall.net/shorewall_quickstart_guide.htm

236
Shorewall/Samples/one-interface/interfaces
View File

@ -1,236 +0,0 @@
#
# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the name of a
# zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

90
Shorewall/Samples/one-interface/policy
View File

@ -1,90 +0,0 @@
#
# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is enforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

430
Shorewall/Samples/one-interface/rules
View File

@ -1,430 +0,0 @@
#
# Shorewall version 3.0 - Sample Rules File for one-interface configuration.
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+" or "none" If the ACTION
# is DNAT or REDIRECT, sub-zones of the specified zone
# may be excluded from the rule by following the zone
# name with "!' and a comma-separated list of sub-zone
# names.
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all". "all+" or "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/REJECT net $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

94
Shorewall/Samples/one-interface/zones
View File

@ -1,94 +0,0 @@
#
# Shorewall version 3.0 - Sample Zones File for one-interface configuration.
#
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# Where a zone is nested in one or more other zones,
# you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent
# zones must have been defined in earlier records in this
# file.
#
# Example:
#
# #ZONE TYPE OPTIONS
# a ipv4
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information only to reorder the
# zone list so that parent zones appear after their subzones in
# the list. In the future, Shorewall may make more extensive use
# of that information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
# "-" in the column. Communication with some zone hosts
# may be encrypted. Encrypted hosts are designated using
# the 'ipsec'option in /etc/shorewall/hosts.
# ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that you
# enter in the ZONE column will be stored in the shell
# variable $FW which you may use in other configuration
# files to designate the firewall zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS\
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

238
Shorewall/Samples/three-interfaces/interfaces
View File

@ -1,238 +0,0 @@
#
# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration.
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the name of a
# zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

222
Shorewall/Samples/three-interfaces/masq
View File

@ -1,222 +0,0 @@
#
# Shorewall version 3.0 - Sample Masq file for three-interface configuration.
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
##############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1
eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

96
Shorewall/Samples/three-interfaces/policy
View File

@ -1,96 +0,0 @@
#
# Shorewall version 3.0 - Sample Policy File for three-interface configuration.
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is enforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#$FW net ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
#dmz net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

66
Shorewall/Samples/three-interfaces/routestopped
View File

@ -1,66 +0,0 @@
#
# Shorewall version 3.0 - Sample Routestopped File for three-interface configuration.
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
# 'clear'. Specifying 'critical' on one or more
# entries will cause your firewall to be "totally
# open" for a brief window during each of those
# operations.
#
# NOTE: The 'source' and 'dest' options work best when used
# in conjunction with ADMINISABSENTMINDED=Yes in
# /etc/shorewall/shorewall.conf.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
##############################################################################
#INTERFACE HOST(S)
eth1 -
eth2 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

462
Shorewall/Samples/three-interfaces/rules
View File

@ -1,462 +0,0 @@
#
# Shorewall version 3.0 - Sample Rules File for three-interface configuration.
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+" or "none" If the ACTION
# is DNAT or REDIRECT, sub-zones of the specified zone
# may be excluded from the rule by following the zone
# name with "!' and a comma-separated list of sub-zone
# names.
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all". "all+" or "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
# Reject Ping from the "bad" net zone.
Ping/REJECT net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

94
Shorewall/Samples/three-interfaces/zones
View File

@ -1,94 +0,0 @@
#
# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
#
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# Where a zone is nested in one or more other zones,
# you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent
# zones must have been defined in earlier records in this
# file.
#
# Example:
#
# #ZONE TYPE OPTIONS
# a ipv4
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information only to reorder the
# zone list so that parent zones appear after their subzones in
# the list. In the future, Shorewall may make more extensive use
# of that information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
# "-" in the column. Communication with some zone hosts
# may be encrypted. Encrypted hosts are designated using
# the 'ipsec'option in /etc/shorewall/hosts.
# ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that you
# enter in the ZONE column will be stored in the shell
# variable $FW which you may use in other configuration
# files to designate the firewall zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

237
Shorewall/Samples/two-interfaces/interfaces
View File

@ -1,237 +0,0 @@
#
# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the name of a
# zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

221
Shorewall/Samples/two-interfaces/masq
View File

@ -1,221 +0,0 @@
#
# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

93
Shorewall/Samples/two-interfaces/policy
View File

@ -1,93 +0,0 @@
#
# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is enforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#$FW net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

65
Shorewall/Samples/two-interfaces/routestopped
View File

@ -1,65 +0,0 @@
#
# Shorewall version 3.0 - Sample Routestopped File for two-interface configuration.
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
# 'clear'. Specifying 'critical' on one or more
# entries will cause your firewall to be "totally
# open" for a brief window during each of those
# operations.
#
# NOTE: The 'source' and 'dest' options work best when used
# in conjunction with ADMINISABSENTMINDED=Yes in
# /etc/shorewall/shorewall.conf.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
##############################################################################
#INTERFACE HOST(S) OPTIONS
eth1 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

445
Shorewall/Samples/two-interfaces/rules
View File

@ -1,445 +0,0 @@
#
# Shorewall version 3.0 - Sample Rules File for two-interface configuration.
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+" or "none" If the ACTION
# is DNAT or REDIRECT, sub-zones of the specified zone
# may be excluded from the rule by following the zone
# name with "!' and a comma-separated list of sub-zone
# names.
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all". "all+" or "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

94
Shorewall/Samples/two-interfaces/zones
View File

@ -1,94 +0,0 @@
#
# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
#
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# Where a zone is nested in one or more other zones,
# you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent
# zones must have been defined in earlier records in this
# file.
#
# Example:
#
# #ZONE TYPE OPTIONS
# a ipv4
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information only to reorder the
# zone list so that parent zones appear after their subzones in
# the list. In the future, Shorewall may make more extensive use
# of that information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
# "-" in the column. Communication with some zone hosts
# may be encrypted. Encrypted hosts are designated using
# the 'ipsec'option in /etc/shorewall/hosts.
# ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that you
# enter in the ZONE column will be stored in the shell
# variable $FW which you may use in other configuration
# files to designate the firewall zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

7
Shorewall/releasenotes.txt
View File

@ -12,6 +12,13 @@ Problems Corrected in 3.0.0 RC 2:
/usr/share/shorewall/firewall: line 1: \
/proc/sys/net/ipv4/conf/all/arp_ignore: No such file or directory
New Features in Shorewall 3.0.0 RC 2:
1) The sample configurations are now packaged with the product. They are
in the Samples directory on the tarball and are in the RPM they are
in the Samples sub-directory of the Shorewall documentation
directory.
Migration Considerations:
1) The "monitor" command has been eliminated.