From 7aa7de5bfa2c575a00cd284cb30d31e2f91ecc43 Mon Sep 17 00:00:00 2001 
From: teastep Date: Thu, 20 Oct 2005 22:47:10 +0000 Subject: [PATCH] Remove Samples from Shorewall project git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2910 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/Samples/README.txt | 3 - Shorewall/Samples/one-interface/interfaces | 236 --------- Shorewall/Samples/one-interface/policy | 90 ---- Shorewall/Samples/one-interface/rules | 430 ---------------- Shorewall/Samples/one-interface/zones | 94 ---- Shorewall/Samples/three-interfaces/interfaces | 238 --------- Shorewall/Samples/three-interfaces/masq | 222 --------- Shorewall/Samples/three-interfaces/policy | 96 ---- .../Samples/three-interfaces/routestopped | 66 --- Shorewall/Samples/three-interfaces/rules | 462 ------------------ Shorewall/Samples/three-interfaces/zones | 94 ---- Shorewall/Samples/two-interfaces/interfaces | 237 --------- Shorewall/Samples/two-interfaces/masq | 221 --------- Shorewall/Samples/two-interfaces/policy | 93 ---- Shorewall/Samples/two-interfaces/routestopped | 65 --- Shorewall/Samples/two-interfaces/rules | 445 ----------------- Shorewall/Samples/two-interfaces/zones | 94 ---- Shorewall/releasenotes.txt | 7 + 18 files changed, 7 insertions(+), 3186 deletions(-) delete mode 100644 Shorewall/Samples/README.txt delete mode 100755 Shorewall/Samples/one-interface/interfaces delete mode 100644 Shorewall/Samples/one-interface/policy delete mode 100755 Shorewall/Samples/one-interface/rules delete mode 100644 Shorewall/Samples/one-interface/zones delete mode 100755 Shorewall/Samples/three-interfaces/interfaces delete mode 100755 Shorewall/Samples/three-interfaces/masq delete mode 100644 Shorewall/Samples/three-interfaces/policy delete mode 100644 Shorewall/Samples/three-interfaces/routestopped delete mode 100755 Shorewall/Samples/three-interfaces/rules delete mode 100644 Shorewall/Samples/three-interfaces/zones delete mode 100755 Shorewall/Samples/two-interfaces/interfaces delete mode 100755 
Shorewall/Samples/two-interfaces/masq delete mode 100644 Shorewall/Samples/two-interfaces/policy delete mode 100644 Shorewall/Samples/two-interfaces/routestopped delete mode 100755 Shorewall/Samples/two-interfaces/rules delete mode 100644 Shorewall/Samples/two-interfaces/zones
diff --git a/Shorewall/Samples/README.txt b/Shorewall/Samples/README.txt
deleted file mode 100644
index f92bed235..000000000
--- a/Shorewall/Samples/README.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-For instructions on using these sample configurations, please see
-
-http://www.shorewall.net/shorewall_quickstart_guide.htm
\ No newline at end of file
diff --git a/Shorewall/Samples/one-interface/interfaces b/Shorewall/Samples/one-interface/interfaces
deleted file mode 100755
index fe0bb3929..000000000
--- a/Shorewall/Samples/one-interface/interfaces
+++ /dev/null
@@ -1,236 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Interfaces File for one-interface configuration.
-#
-# /etc/shorewall/interfaces
-#
-# You must add an entry in this file for each network interface on your
-# firewall system.
-#
-# Columns are:
-#
-# ZONE Zone for this interface. Must match the name of a
-# zone defined in /etc/shorewall/zones. You may not
-# list the firewall zone in this column.
-#
-# If the interface serves multiple zones that will be
-# defined in the /etc/shorewall/hosts file, you should
-# place "-" in this column.
-#
-# INTERFACE Name of interface. Each interface may be listed only
-# once in this file. You may NOT specify the name of
-# an alias (e.g., eth0:0) here; see
-# http://www.shorewall.net/FAQ.htm#faq18
-#
-# You may specify wildcards here. For example, if you
-# want to make an entry that applies to all PPP
-# interfaces, use 'ppp+'.
-#
-# There is no need to define the loopback interface (lo)
-# in this file.
-#
-# BROADCAST The broadcast address for the subnetwork to which the
-# interface belongs. For P-T-P interfaces, this
-# column is left blank.If the interface has multiple
-# addresses on multiple subnets then list the broadcast
-# addresses as a comma-separated list.
-#
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
-# select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
-#
-# If you don't want to give a value for this column but
-# you want to enter a value in the OPTIONS column, enter
-# "-" in this column.
-#
-# OPTIONS A comma-separated list of options including the
-# following:
-#
-# dhcp - Specify this option when any of
-# the following are true:
-# 1. the interface gets its IP address
-# via DHCP
-# 2. the interface is used by
-# a DHCP server running on the firewall
-# 3. you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP
-# clients.
-# 4.
the interface is a bridge with
-# a DHCP server on one port and DHCP
-# clients on another port.
-#
-# norfc1918 - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# routefilter - turn on kernel route filtering for this
-# interface (anti-spoofing measure). This
-# option can also be enabled globally in
-# the /etc/shorewall/shorewall.conf file.
-#
-# logmartians - turn on kernel martian logging (logging
-# of packets with impossible source
-# addresses. It is suggested that if you
-# set routefilter on an interface that
-# you also set logmartians. This option
-# may also be enabled globally in the
-# /etc/shorewall/shorewall.conf file.
-#
-# blacklist - Check packets arriving on this interface
-# against the /etc/shorewall/blacklist
-# file.
-#
-# maclist - Connection requests from this interface
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# tcpflags - Packets arriving on this interface are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# proxyarp -
-# Sets
-# /proc/sys/net/ipv4/conf//proxy_arp.
-# Do NOT use this option if you are
-# employing Proxy ARP through entries in
-# /etc/shorewall/proxyarp.
This option is
-# intended soley for use with Proxy ARP
-# sub-networking as described at:
-# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this
-# interface are processed as if
-# NEWNOTSYN=Yes had been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
-# should include rules that allow
-# filtering traffic arriving on this
-# interface back out that same interface.
-#
-# arp_filter - If specified, this interface will only
-# respond to ARP who-has requests for IP
-# addresses configured on the interface.
-# If not specified, the interface can
-# respond to ARP who-has requests for
-# IP addresses on any of the firewall's
-# interface. The interface must be up
-# when Shorewall is started.
-#
-# arp_ignore[=]
-# - If specified, this interface will
-# respond to arp requests based on the
-# value of .
-#
-# 1 - reply only if the target IP address
-# is local address configured on the
-# incoming interface
-#
-# 2 - reply only if the target IP address
-# is local address configured on the
-# incoming interface and both with the
-# sender's IP address are part from same
-# subnet on this interface
-#
-# 3 - do not reply for local addresses
-# configured with scope host, only
-# resolutions for global and link
-# addresses are replied
-#
-# 4-7 - reserved
-#
-# 8 - do not reply for all local
-# addresses
-#
-# If no is given then the value
-# 1 is assumed
-#
-# WARNING -- DO NOT SPECIFY arp_ignore
-# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
-#
-# nosmurfs - Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# detectnets - Automatically taylors the zone named
-# in the ZONE column to include only those
-# hosts routed through the interface.
-#
-# upnp - Incoming requests from this interface
-# may be remapped via UPNP (upnpd).
-#
-# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE.
-#
-# The order in which you list the options is not
-# significant but the list should have no embedded white
-# space.
-#
-# Example 1: Suppose you have eth0 connected to a DSL modem and
-# eth1 connected to your local network and that your
-# local subnet is 192.168.1.0/24. The interface gets
-# it's IP address via DHCP from subnet
-# 206.191.149.192/27. You have a DMZ with subnet
-# 192.168.2.0/24 using eth2.
-#
-# Your entries for this setup would look like:
-#
-# net eth0 206.191.149.223 dhcp
-# local eth1 192.168.1.255
-# dmz eth2 192.168.2.255
-#
-# Example 2: The same configuration without specifying broadcast
-# addresses is:
-#
-# net eth0 detect dhcp
-# loc eth1 detect
-# dmz eth2 detect
-#
-# Example 3: You have a simple dial-in system with no ethernet
-# connections.
-#
-# net ppp0 -
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
-###############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/policy b/Shorewall/Samples/one-interface/policy
deleted file mode 100644
index 865f3de87..000000000
--- a/Shorewall/Samples/one-interface/policy
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Policy File for one-interface configuration.
-#
-# /etc/shorewall/policy
-#
-# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
-#
-# This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file . For each
-# source/destination pair, the file is processed in order until a
-# match is found ("all" will match any client or server).
-#
-# INTRA-ZONE POLICIES ARE PRE-DEFINED
-#
-# For $FW and for all of the zoned defined in /etc/shorewall/zones,
-# the POLICY for connections from the zone to itself is ACCEPT (with no
-# logging or TCP connection rate limiting but may be overridden by an
-# entry in this file. The overriding entry must be explicit (cannot use
-# "all" in the SOURCE or DEST).
-#
-# Columns are:
-#
-# SOURCE Source zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all".
-#
-# DEST Destination zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all"
-#
-# POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
-#
-# ACCEPT - Accept the connection
-# DROP - Ignore the connection request
-# REJECT - For TCP, send RST. For all other,
-# send "port unreachable" ICMP.
-# QUEUE - Send the request to a user-space
-# application using the QUEUE target.
-# CONTINUE - Pass the connection request past
-# any other rules that it might also
-# match (where the source or
-# destination zone in those rules is
-# a superset of the SOURCE or DEST
-# in this policy).
-# NONE - Assume that there will never be any
-# packets from this SOURCE
-# to this DEST. Shorewall will not set
-# up any infrastructure to handle such
-# packets and you may not have any
-# rules with this SOURCE and DEST in
-# the /etc/shorewall/rules file. If
-# such a packet _is_ received, the
-# result is undefined.
NONE may not be
-# used if the SOURCE or DEST columns
-# contain the firewall zone ($FW) or
-# "all".
-#
-# If this column contains ACCEPT, DROP or REJECT and a
-# corresponding common action is defined in
-# /etc/shorewall/actions (or
-# /usr/share/shorewall/actions.std) then that action
-# will be invoked before the policy named in this column
-# is enforced.
-#
-# LOG LEVEL If supplied, each connection handled under the default
-# POLICY is logged at that level. If not supplied, no
-# log message is generated. See syslog.conf(5) for a
-# description of log levels.
-#
-# Beginning with Shorewall version 1.3.12, you may
-# also specify ULOG (must be in upper case). This will
-# log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# If you don't want to log but need to specify the
-# following column, place "-" here.
-#
-# LIMIT:BURST If passed, specifies the maximum TCP connection rate
-# and the size of an acceptable burst. If not specified,
-# TCP connections are not limited.
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
-###############################################################################
-#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-$FW net ACCEPT
-net all DROP info
-# The FOLLOWING POLICY MUST BE LAST
-all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules
deleted file mode 100755
index 3ecb2084a..000000000
--- a/Shorewall/Samples/one-interface/rules
+++ /dev/null
@@ -1,430 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Rules File for one-interface configuration.
-#
-# /etc/shorewall/rules
-#
-# Rules in this file govern connection establishment. Requests and
-# responses are automatically allowed using connection tracking. For any
-# particular (source,dest) pair of zones, the rules are evaluated in the
-# order in which they appear in this file and the first match is the one
-# that determines the disposition of the request.
-#
-# In most places where an IP address or subnet is allowed, you
-# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
-# indicate that the rule matches all addresses except the address/subnet
-# given. Notice that no white space is permitted between "!" and the
-# address/subnet.
-#------------------------------------------------------------------------------
-# WARNING: If you masquerade or use SNAT from a local system to the internet,
-# you cannot use an ACCEPT rule to allow traffic from the internet to
-# that system. You *must* use a DNAT rule instead.
-#------------------------------------------------------------------------------
-#
-# The rules file is divided into sections. Each section is introduced by
-# a "Section Header" which is a line beginning with SECTION followed by the
-# section name.
-#
-# Sections are as follows and must appear in the order listed:
-#
-# ESTABLISHED Packets in the ESTABLISHED state are processed
-# by rules in this section.
-#
-# The only ACTIONs allowed in this section are
-# ACCEPT, DROP, REJECT, LOG and QUEUE
-#
-# There is an implicit ACCEPT rule inserted
-# at the end of this section.
-#
-# RELATED Packets in the RELATED state are processed by
-# rules in this section.
-#
-# The only ACTIONs allowed in this section are
-# ACCEPT, DROP, REJECT, LOG and QUEUE
-#
-# There is an implicit ACCEPT rule inserted
-# at the end of this section.
-#
-# NEW Packets in the NEW and INVALID states are
-# processed by rules in this section.
-#
-# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
-# ESTABLISHED and RELATED sections must be empty.
-#
-# Note: If you are not familiar with Netfilter to the point where you are
-# comfortable with the differences between the various connection
-# tracking states, then I suggest that you omit the ESTABLISHED and
-# RELATED sections and place all of your rules in the NEW section.
-#
-# You may omit any section that you don't need. If no Section Headers appear
-# in the file then all rules are assumed to be in the NEW section.
-#
-# Columns are:
-#
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-# LOG, QUEUE or an .
-#
-# ACCEPT -- allow the connection request
-# ACCEPT+ -- like ACCEPT but also excludes the
-# connection from any subsequent
-# DNAT[-] or REDIRECT[-] rules
-# NONAT -- Excludes the connection from any
-# subsequent DNAT[-] or REDIRECT[-]
-# rules but doesn't generate a rule
-# to accept the traffic.
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# DNAT -- Forward the request to another
-# system (and optionally another
-# port).
-# DNAT- -- Advanced users only.
-# Like DNAT but only generates the
-# DNAT iptables rule and not
-# the companion ACCEPT rule.
-# SAME -- Similar to DNAT except that the
-# port may not be remapped and when
-# multiple server addresses are
-# listed, all requests from a given
-# remote system go to the same
-# server.
-# SAME- -- Advanced users only.
-# Like SAME but only generates the
-# NAT iptables rule and not
-# the companion ACCEPT rule.
-# REDIRECT -- Redirect the request to a local
-# port on the firewall.
-# REDIRECT-
-# -- Advanced users only.
-# Like REDIRET but only generates the
-# REDIRECT iptables rule and not
-# the companion ACCEPT rule.
-#
-# CONTINUE -- (For experts only). Do not process
-# any of the following rules for this
-# (source zone,destination zone).
If
-# The source and/or destination IP
-# address falls into a zone defined
-# later in /etc/shorewall/zones, this
-# connection request will be passed
-# to the rules defined for that
-# (those) zone(s).
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as ftwall
-# (http://p2pwall.sf.net).
-# -- The name of an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std.
-#
-# -- The name of a macro defined in a
-# file named macro..
-#
-# The ACTION may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT:debug). This causes the packet to be
-# logged at the specified level.
-#
-# If the ACTION names an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std then:
-#
-# - If the log level is followed by "!' then all rules
-# in the action are logged at the log level.
-#
-# - If the log level is not followed by "!" then only
-# those rules in the action that do not specify
-# logging are logged at the specified level.
-#
-# - The special log level 'none!' suppresses logging
-# by the action.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all", "all+" or "none" If the ACTION
-# is DNAT or REDIRECT, sub-zones of the specified zone
-# may be excluded from the rule by following the zone
-# name with "!'
and a comma-separated list of sub-zone
-# names.
-#
-# When "none" is used either in the SOURCE or DEST
-# column, the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. When "all+" is
-# used, intra-zone traffic is affected.
-#
-# Except when "all[+]" is specified, clients may be
-# further restricted to a list of subnets and/or hosts by
-# appending ":" and a comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# Hosts may be specified as an IP address range using the
-# syntax -. This requires that
-# your kernel and iptables contain iprange match support.
-# If you kernel and iptables have ipset match support
-# then you may give the name of an ipset prefaced by "+".
-# The ipset name may be optionally followed by a number
-# from 1 to 6 enclosed in square brackets ([]) to
-# indicate the number of levels of source bindings to be
-# matched.
-#
-# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
-#
-# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
-# Internet
-#
-# loc:192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2 in the local zone.
-# loc:~00-A0-C9-15-39-78 Host in the local zone with
-# MAC address 00:A0:C9:15:39:78.
-#
-# net:192.0.2.11-192.0.2.17
-# Hosts 192.0.2.11-192.0.2.17 in
-# the net zone.
-#
-# Alternatively, clients may be specified by interface
-# by appending ":" to the zone name followed by the
-# interface name. For example, loc:eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., loc:eth1:192.168.1.5).
-#
-# DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones, $FW to indicate the firewall
-# itself, "all". "all+" or "none".
-#
-# When "none" is used either in the SOURCE or DEST
-# column, the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. When "all+" is
-# used, intra-zone traffic is affected.
-#
-# Except when "all[+]" is specified, the server may be
-# further restricted to a particular subnet, host or
-# interface by appending ":" and the subnet, host or
-# interface. See above.
-#
-# Restrictions:
-#
-# 1. MAC addresses are not allowed.
-# 2. In DNAT rules, only IP addresses are
-# allowed; no FQDNs or subnet addresses
-# are permitted.
-# 3. You may not specify both an interface and
-# an address.
-#
-# Like in the SOURCE column, you may specify a range of
-# up to 256 IP addresses using the syntax
-# -. When the ACTION is DNAT or DNAT-,
-# the connections will be assigned to addresses in the
-# range in a round-robin fashion.
-#
-# If you kernel and iptables have ipset match support
-# then you may give the name of an ipset prefaced by "+".
-# The ipset name may be optionally followed by a number
-# from 1 to 6 enclosed in square brackets ([]) to
-# indicate the number of levels of destination bindings
-# to be matched. Only one of the SOURCE and DEST columns
-# may specify an ipset name.
-#
-# The port that the server is listening on may be
-# included and separated from the server's IP address by
-# ":". If omitted, the firewall will not modifiy the
-# destination port. A destination port may only be
-# included if the ACTION is DNAT or REDIRECT.
-#
-# Example: loc:192.168.1.3:3128 specifies a local
-# server at IP address 192.168.1.3 and listening on port
-# 3128. The port number MUST be specified as an integer
-# and not as a name from /etc/services.
-#
-# if the ACTION is REDIRECT, this column needs only to
-# contain the port number on the firewall that the
-# request should be redirected to.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all".
"ipp2p" requires ipp2p match
-# support in your kernel and iptables.
-#
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
-# names (from /etc/services), port numbers or port
-# ranges; if the protocol is "icmp", this column is
-# interpreted as the destination icmp-type(s).
-#
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example
-# "bit" for bit-torrent). If no port is given, "ipp2p" is
-# assumed.
-#
-# A port range is expressed as :.
-#
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following ields are supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the CLIENT PORT(S) list below:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
-# any source port is acceptable. Specified as a comma-
-# separated list of port names, port numbers or port
-# ranges.
-#
-# If you don't want to restrict client ports but need to
-# specify an ORIGINAL DEST in the next column, then
-# place "-" in this column.
-#
-# If your kernel contains multi-port match support, then
-# only a single Netfilter rule will be generated if in
-# this list and the DEST PORT(S) list above:
-# 1. There are 15 or less ports listed.
-# 2. No port ranges are included.
-# Otherwise, a separate rule will be generated for each
-# port.
-#
-# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-# then if included and different from the IP
-# address given in the SERVER column, this is an address
-# on some interface on the firewall and connections to
-# that address will be forwarded to the IP and port
-# specified in the DEST column.
-#
-# A comma-separated list of addresses may also be used.
-# This is usually most useful with the REDIRECT target
-# where you want to redirect traffic destined for
-# particular set of hosts.
-#
-# Finally, if the list of addresses begins with "!" then
-# the rule will be followed only if the original
-# destination address in the connection request does not
-# match any of the addresses listed.
-#
-# For other actions, this column may be included and may
-# contain one or more addresses (host or network)
-# separated by commas. Address ranges are not allowed.
-# When this column is supplied, rules are generated
-# that require that the original destination address
-# matches one of the listed addresses. This feature is
-# most useful when you want to generate a filter rule
-# that corresponds to a DNAT- or REDIRECT- rule. In this
-# usage, the list of addresses should not begin with "!".
-#
-# See http://shorewall.net/PortKnocking.html for an
-# example of using an entry in this column with a
-# user-defined action rule.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this colume:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:][+]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-# +upnpd #program named 'upnpd'
-#
-# Example: Accept SMTP requests from the DMZ to the internet
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
-#
-# Example: Forward all ssh and http connection requests from the
-# internet to local system 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
-#
-# Example: Forward all http connection requests from the internet
-# to local system 192.168.1.3 with a limit of 3 per second and
-# a maximum burst of 10
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# # PORT PORT(S) DEST LIMIT
-# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
-#
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
-#
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
-#
-# Example: You want to accept SSH connections to your firewall only
-# from internet IP addresses 130.252.100.69 and 130.252.100.70
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
-# tcp 22
-#############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
-
-# Reject Ping from the "bad" net zone..
and prevent your log from being flooded..
-
-Ping/REJECT net $FW
-
-# Permit all ICMP traffic FROM the firewall TO the net zone
-
-ACCEPT $FW net icmp
-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/one-interface/zones b/Shorewall/Samples/one-interface/zones
deleted file mode 100644
index 5f23e5155..000000000
--- a/Shorewall/Samples/one-interface/zones
+++ /dev/null
@@ -1,94 +0,0 @@ -# -# Shorewall version 3.0 - Sample Zones File for one-interface configuration. -# -# /etc/shorewall/zones -# -# This file determines your network zones. -# -# Columns are: -# -# ZONE Short name of the zone (5 Characters or less in length). -# The names "all" and "none" are reserved and may not be -# used as zone names. -# -# Where a zone is nested in one or more other zones, -# you may follow the (sub)zone name by ":" and a -# comma-separated list of the parent zones. The parent -# zones must have been defined in earlier records in this -# file. -# -# Example: -# -# #ZONE TYPE OPTIONS -# a ipv4 -# b ipv4 -# c:a,b ipv4 -# -# Currently, Shorewall uses this information only to reorder the -# zone list so that parent zones appear after their subzones in -# the list. In the future, Shorewall may make more extensive use -# of that information. -# -# TYPE ipv4 - This is the standard Shorewall zone type and is the -# default if you leave this column empty or if you enter -# "-" in the column. Communication with some zone hosts -# may be encrypted. Encrypted hosts are designated using -# the 'ipsec'option in /etc/shorewall/hosts. -# ipsec - Communication with all zone hosts is encrypted -# Your kernel and iptables must include policy -# match support. -# firewall -# - Designates the firewall itself. You must have -# exactly one 'firewall' zone. No options are -# permitted with a 'firewall' zone. The name that you -# enter in the ZONE column will be stored in the shell -# variable $FW which you may use in other configuration -# files to designate the firewall zone. -# -# OPTIONS, A comma-separated list of options as follows: -# IN OPTIONS, -# OUT OPTIONS reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. -# -# spi= where is the SPI of -# the SA used to encrypt/decrypt packets. -# -# proto=ah|esp|ipcomp -# -# mss= (sets the MSS field in TCP packets) -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match all rules. -# -# next Separates rules; can only be used with -# strict.. -# -# Example: -# mode=transport,reqid=44 -# -# The options in the OPTIONS column are applied to both incoming -# and outgoing traffic. The IN OPTIONS are applied to incoming -# traffic (in addition to OPTIONS) and the OUT OPTIONS are -# applied to outgoing traffic. -# -# If you wish to leave a column empty but need to make an entry -# in a following column, use "-". -# -# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR -# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. -# -# See http://www.shorewall.net/Documentation.htm#Nested -############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS\ -fw firewall -net ipv4 -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/interfaces b/Shorewall/Samples/three-interfaces/interfaces deleted file mode 100755 index ac57d11c9..000000000 --- a/Shorewall/Samples/three-interfaces/interfaces +++ /dev/null 
@@ -1,238 +0,0 @@ -# -# Shorewall version 3.0 - Sample Interfaces File for three-interface configuration. -# -# /etc/shorewall/interfaces -# -# You must add an entry in this file for each network interface on your -# firewall system. -# -# Columns are: -# -# ZONE Zone for this interface. Must match the name of a -# zone defined in /etc/shorewall/zones. You may not -# list the firewall zone in this column. -# -# If the interface serves multiple zones that will be -# defined in the /etc/shorewall/hosts file, you should -# place "-" in this column. -# -# INTERFACE Name of interface. Each interface may be listed only -# once in this file. You may NOT specify the name of -# an alias (e.g., eth0:0) here; see -# http://www.shorewall.net/FAQ.htm#faq18 -# -# You may specify wildcards here. For example, if you -# want to make an entry that applies to all PPP -# interfaces, use 'ppp+'. -# -# There is no need to define the loopback interface (lo) -# in this file. -# -# BROADCAST The broadcast address for the subnetwork to which the -# interface belongs. For P-T-P interfaces, this -# column is left blank.If the interface has multiple -# addresses on multiple subnets then list the broadcast -# addresses as a comma-separated list. -# -# If you use the special value "detect", the firewall -# will detect the broadcast address for you. If you -# select this option, the interface must be up before -# the firewall is started, you must have iproute -# installed. -# -# If you don't want to give a value for this column but -# you want to enter a value in the OPTIONS column, enter -# "-" in this column. -# -# OPTIONS A comma-separated list of options including the -# following: -# -# dhcp - Specify this option when any of -# the following are true: -# 1. the interface gets its IP address -# via DHCP -# 2. the interface is used by -# a DHCP server running on the firewall -# 3. you have a static IP but are on a LAN -# segment with lots of Laptop DHCP -# clients. -# 4. 
the interface is a bridge with -# a DHCP server on one port and DHCP -# clients on another port. -# -# norfc1918 - This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling or -# connection-tracking match is enabled in -# your kernel, packets whose destination -# addresses are reserved by RFC 1918 are -# also rejected. -# -# routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# -# logmartians - turn on kernel martian logging (logging -# of packets with impossible source -# addresses. It is suggested that if you -# set routefilter on an interface that -# you also set logmartians. This option -# may also be enabled globally in the -# /etc/shorewall/shorewall.conf file. -# -# blacklist - Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. -# -# maclist - Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# -# tcpflags - Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# -# proxyarp - -# Sets -# /proc/sys/net/ipv4/conf//proxy_arp. -# Do NOT use this option if you are -# employing Proxy ARP through entries in -# /etc/shorewall/proxyarp. 
This option is -# intended soley for use with Proxy ARP -# sub-networking as described at: -# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# -# newnotsyn - TCP packets that don't have the SYN -# flag set and which are not part of an -# established connection will be accepted -# from this interface, even if -# NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. In other -# words, packets coming in on this -# interface are processed as if -# NEWNOTSYN=Yes had been specified in -# /etc/shorewall/shorewall.conf. -# -# This option has no effect if -# NEWNOTSYN=Yes. -# -# It is the opinion of the author that -# NEWNOTSYN=No creates more problems than -# it solves and I recommend against using -# that setting in shorewall.conf (hence -# making the use of the 'newnotsyn' -# interface option unnecessary). -# -# routeback - If specified, indicates that Shorewall -# should include rules that allow -# filtering traffic arriving on this -# interface back out that same interface. -# -# arp_filter - If specified, this interface will only -# respond to ARP who-has requests for IP -# addresses configured on the interface. -# If not specified, the interface can -# respond to ARP who-has requests for -# IP addresses on any of the firewall's -# interface. The interface must be up -# when Shorewall is started. -# -# arp_ignore[=] -# - If specified, this interface will -# respond to arp requests based on the -# value of . 
-# -# 1 - reply only if the target IP address -# is local address configured on the -# incoming interface -# -# 2 - reply only if the target IP address -# is local address configured on the -# incoming interface and both with the -# sender's IP address are part from same -# subnet on this interface -# -# 3 - do not reply for local addresses -# configured with scope host, only -# resolutions for global and link -# addresses are replied -# -# 4-7 - reserved -# -# 8 - do not reply for all local -# addresses -# -# If no is given then the value -# 1 is assumed -# -# WARNING -- DO NOT SPECIFY arp_ignore -# FOR ANY INTERFACE INVOLVED IN PROXY ARP. -# -# nosmurfs - Filter packets for smurfs -# (packets with a broadcast -# address as the source). -# -# Smurfs will be optionally logged based -# on the setting of SMURF_LOG_LEVEL in -# shorewall.conf. After logging, the -# packets are dropped. -# -# detectnets - Automatically taylors the zone named -# in the ZONE column to include only those -# hosts routed through the interface. -# -# upnp - Incoming requests from this interface -# may be remapped via UPNP (upnpd). -# -# WARNING: DO NOT SET THE detectnets OPTION ON YOUR -# INTERNET INTERFACE. -# -# The order in which you list the options is not -# significant but the list should have no embedded white -# space. -# -# Example 1: Suppose you have eth0 connected to a DSL modem and -# eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The interface gets -# it's IP address via DHCP from subnet -# 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. -# -# Your entries for this setup would look like: -# -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 -# dmz eth2 192.168.2.255 -# -# Example 2: The same configuration without specifying broadcast -# addresses is: -# -# net eth0 detect dhcp -# loc eth1 detect -# dmz eth2 detect -# -# Example 3: You have a simple dial-in system with no ethernet -# connections. 
-# -# net ppp0 - -# -# For additional information, see -# http://shorewall.net/Documentation.htm#Interfaces -# -############################################################################### -#ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians -loc eth1 detect tcpflags,detectnets,nosmurfs -dmz eth2 detect -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/masq b/Shorewall/Samples/three-interfaces/masq deleted file mode 100755 index b9f6e3a8e..000000000 --- a/Shorewall/Samples/three-interfaces/masq +++ /dev/null 
@@ -1,222 +0,0 @@ -# -# Shorewall version 3.0 - Sample Masq file for three-interface configuration. -# -# /etc/shorewall/masq -# -# Use this file to define dynamic NAT (Masquerading) and to define -# Source NAT (SNAT). -# -# Columns are: -# -# INTERFACE -- Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. -# -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. -# -# If you wish to inhibit the action of ADD_SNAT_ALIASES -# for this entry then include the ":" but omit the digit: -# -# eth0: -# eth2::192.0.2.32/27 -# -# Normally Masq/SNAT rules are evaluated after those for -# one-to-one NAT (/etc/shorewall/nat file). If you want -# the rule to be applied before one-to-one NAT rules, -# prefix the interface name with "+": -# -# +eth0 -# +eth0:192.0.2.32/27 -# +eth0:2 -# -# This feature should only be required if you need to -# insert rules in this file that preempt entries in -# /etc/shorewall/nat. -# -# SUBNET -- Subnet that you wish to masquerade. You can specify this as -# a subnet or as an interface. If you give the name of an -# interface, you must have iproute installed and the interface -# must be up before you start the firewall. -# -# In order to exclude a subset of the specified SUBNET, you -# may append "!" and a comma-separated list of IP addresses -# and/or subnets that you wish to exclude. -# -# Example: eth1!192.168.1.4,192.168.32.0/27 -# -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 -# -# ADDRESS -- (Optional). 
If you specify an address here, SNAT will be -# used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. -# -# You may also specify a range of up to 256 -# IP addresses if you want the SNAT address to -# be assigned from that range in a round-robin -# range by connection. The range is specified by -# -. -# -# Example: 206.124.146.177-206.124.146.180 -# -# Finally, you may also specify a comma-separated -# list of ranges and/or addresses in this column. -# -# This column may not contain DNS Names. -# -# Normally, Netfilter will attempt to retain -# the source port number. You may cause -# netfilter to remap the source port by following -# an address or range (if any) by ":" and -# a port range with the format - -# . If this is done, you must -# specify "tcp" or "udp" in the PROTO column. -# -# Examples: -# -# 192.0.2.4:5000-6000 -# :4000-5000 -# -# You can invoke the SAME target using the -# following in this column: -# -# SAME:[nodst:][,...] -# -# The may be single addresses. -# -# SAME works like SNAT with the exception that -# the same local IP address is assigned to each -# connection from a local address to a given -# remote address. -# -# If the 'nodst:' option is included, then the -# same source address is used for a given -# internal system regardless of which remote -# system is involved. -# -# If you want to leave this column empty -# but you need to specify the next column then -# place a hyphen ("-") here. -# -# PROTO -- (Optional) If you wish to restrict this entry to a -# particular protocol then enter the protocol -# name (from /etc/protocols) or number here. 
-# -# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) -# or UDP (protocol 17) then you may list one -# or more port numbers (or names from -# /etc/services) separated by commas or you -# may list a single port range -# (:). -# -# Where a comma-separated list is given, your -# kernel and iptables must have multiport match -# support and a maximum of 15 ports may be -# listed. -# -# IPSEC -- (Optional) If you specify a value other than "-" in this -# column, you must be running kernel 2.6 and -# your kernel and iptables must include policy -# match support. -# -# Comma-separated list of options from the -# following. Only packets that will be encrypted -# via an SA that matches these options will have -# their source address changed. -# -# Yes or yes -- must be the only option -# listed and matches all outbound -# traffic that will be encrypted. -# -# reqid= where is -# specified using setkey(8) using the -# 'unique: option for the SPD -# level. -# -# spi= where is the -# SPI of the SA. -# -# proto=ah|esp|ipcomp -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match -# all rules. -# -# next Separates rules; can only be -# used with strict.. -# -# Example 1: -# -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. -# -# Your entry in the file can be either: -# -# eth0 eth1 -# -# or -# -# eth0 192.168.0.0/24 -# -# Example 2: -# -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: -# -# eth0 192.168.1.0/24 -# -# Example 3: -# -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: -# -# ipsec0:10.1.1.0/24 196.168.1.0/24 -# -# Example 4: -# -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. -# -# eth0:0 192.168.1.0/24 206.124.146.176 -# -# Example 5: -# -# You want all outgoing SMTP traffic entering the firewall -# on eth1 to be sent from eth0 with source IP address -# 206.124.146.177. You want all other outgoing traffic -# from eth1 to be sent from eth0 with source IP address -# 206.124.146.176. -# -# eth0 eth1 206.124.146.177 tcp smtp -# eth0 eth1 206.124.146.176 -# -# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! -# -# For additional information, see http://shorewall.net/Documentation.htm#Masq -# -############################################################################## -#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC -eth0 eth1 -eth0 eth2 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE 
diff --git a/Shorewall/Samples/three-interfaces/policy b/Shorewall/Samples/three-interfaces/policy deleted file mode 100644 index 4d9c2f529..000000000 --- a/Shorewall/Samples/three-interfaces/policy +++ /dev/null 
@@ -1,96 +0,0 @@ -# -# Shorewall version 3.0 - Sample Policy File for three-interface configuration. -# -# /etc/shorewall/policy -# -# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT -# -# This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file . For each -# source/destination pair, the file is processed in order until a -# match is found ("all" will match any client or server). -# -# INTRA-ZONE POLICIES ARE PRE-DEFINED -# -# For $FW and for all of the zoned defined in /etc/shorewall/zones, -# the POLICY for connections from the zone to itself is ACCEPT (with no -# logging or TCP connection rate limiting but may be overridden by an -# entry in this file. The overriding entry must be explicit (cannot use -# "all" in the SOURCE or DEST). -# -# Columns are: -# -# SOURCE Source zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all". -# -# DEST Destination zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all" -# -# POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". -# -# ACCEPT - Accept the connection -# DROP - Ignore the connection request -# REJECT - For TCP, send RST. For all other, -# send "port unreachable" ICMP. -# QUEUE - Send the request to a user-space -# application using the QUEUE target. -# CONTINUE - Pass the connection request past -# any other rules that it might also -# match (where the source or -# destination zone in those rules is -# a superset of the SOURCE or DEST -# in this policy). -# NONE - Assume that there will never be any -# packets from this SOURCE -# to this DEST. Shorewall will not set -# up any infrastructure to handle such -# packets and you may not have any -# rules with this SOURCE and DEST in -# the /etc/shorewall/rules file. If -# such a packet _is_ received, the -# result is undefined. 
NONE may not be -# used if the SOURCE or DEST columns -# contain the firewall zone ($FW) or -# "all". -# -# If this column contains ACCEPT, DROP or REJECT and a -# corresponding common action is defined in -# /etc/shorewall/actions (or -# /usr/share/shorewall/actions.std) then that action -# will be invoked before the policy named in this column -# is enforced. -# -# LOG LEVEL If supplied, each connection handled under the default -# POLICY is logged at that level. If not supplied, no -# log message is generated. See syslog.conf(5) for a -# description of log levels. -# -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case). This will -# log to the ULOG target and sent to a separate log -# through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# If you don't want to log but need to specify the -# following column, place "-" here. -# -# LIMIT:BURST If passed, specifies the maximum TCP connection rate -# and the size of an acceptable burst. If not specified, -# TCP connections are not limited. -# -# See http://shorewall.net/Documentation.htm#Policy for additional information. -# -############################################################################### -#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST -loc net ACCEPT -# If you want open access to the Internet from your Firewall -# remove the comment from the following line. -#$FW net ACCEPT -# Also If You Wish To Open Up DMZ Access To The Internet -# remove the comment from the following line. -#dmz net ACCEPT -net all DROP info -# THE FOLLOWING POLICY MUST BE LAST -all all REJECT info -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/routestopped b/Shorewall/Samples/three-interfaces/routestopped deleted file mode 100644 index 9687ecc97..000000000 --- a/Shorewall/Samples/three-interfaces/routestopped +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# Shorewall version 3.0 - Sample Routestopped File for three-interface configuration. -# -# /etc/shorewall/routestopped -# -# This file is used to define the hosts that are accessible when the -# firewall is stopped or when it is in the process of being -# [re]started. -# -# Columns are: -# -# INTERFACE - Interface through which host(s) communicate with -# the firewall -# HOST(S) - (Optional) Comma-separated list of IP/subnet -# addresses. If your kernel and iptables include -# iprange match support, IP address ranges are also -# allowed. -# -# If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. -# OPTIONS - (Optional) A comma-separated list of -# options. The currently-supported options are: -# -# routeback - Set up a rule to ACCEPT traffic from -# these hosts back to themselves. -# -# source - Allow traffic from these hosts to ANY -# destination. Without this option or the 'dest' -# option, only traffic from this host to other -# listed hosts (and the firewall) is allowed. If -# 'source' is specified then 'routeback' is redundent. -# -# dest - Allow traffic to these hosts from ANY -# source. Without this option or the 'source' -# option, only traffic from this host to other -# listed hosts (and the firewall) is allowed. If -# 'dest' is specified then 'routeback' is redundent. -# -# critical - Allow traffic between the firewall and -# these hosts throughout '[re]start', 'stop' and -# 'clear'. Specifying 'critical' on one or more -# entries will cause your firewall to be "totally -# open" for a brief window during each of those -# operations. -# -# NOTE: The 'source' and 'dest' options work best when used -# in conjunction with ADMINISABSENTMINDED=Yes in -# /etc/shorewall/shorewall.conf. 
-# -# Example: -# -# INTERFACE HOST(S) OPTIONS -# eth2 192.168.1.0/24 -# eth0 192.0.2.44 -# br0 - routeback -# eth3 - source -# -# See http://shorewall.net/Documentation.htm#Routestopped and -# http://shorewall.net/starting_and_stopping_shorewall.htm for additional -# information. -# -############################################################################## -#INTERFACE HOST(S) -eth1 - -eth2 - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules deleted file mode 100755 index bd2234aa6..000000000 --- a/Shorewall/Samples/three-interfaces/rules +++ /dev/null 
@@ -1,462 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Rules File for three-interface configuration.
-#
-# /etc/shorewall/rules
-#
-# Rules in this file govern connection establishment. Requests and
-# responses are automatically allowed using connection tracking. For any
-# particular (source,dest) pair of zones, the rules are evaluated in the
-# order in which they appear in this file and the first match is the one
-# that determines the disposition of the request.
-#
-# In most places where an IP address or subnet is allowed, you
-# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
-# indicate that the rule matches all addresses except the address/subnet
-# given. Notice that no white space is permitted between "!" and the
-# address/subnet.
-#------------------------------------------------------------------------------
-# WARNING: If you masquerade or use SNAT from a local system to the internet,
-# you cannot use an ACCEPT rule to allow traffic from the internet to
-# that system. You *must* use a DNAT rule instead.
-#------------------------------------------------------------------------------
-#
-# The rules file is divided into sections. Each section is introduced by
-# a "Section Header" which is a line beginning with SECTION followed by the
-# section name.
-#
-# Sections are as follows and must appear in the order listed:
-#
-# ESTABLISHED Packets in the ESTABLISHED state are processed
-# by rules in this section.
-#
-# The only ACTIONs allowed in this section are
-# ACCEPT, DROP, REJECT, LOG and QUEUE
-#
-# There is an implicit ACCEPT rule inserted
-# at the end of this section.
-#
-# RELATED Packets in the RELATED state are processed by
-# rules in this section.
-#
-# The only ACTIONs allowed in this section are
-# ACCEPT, DROP, REJECT, LOG and QUEUE
-#
-# There is an implicit ACCEPT rule inserted
-# at the end of this section.
-#
-# NEW Packets in the NEW and INVALID states are
-# processed by rules in this section.
-#
-# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
-# ESTABLISHED and RELATED sections must be empty.
-#
-# Note: If you are not familiar with Netfilter to the point where you are
-# comfortable with the differences between the various connection
-# tracking states, then I suggest that you omit the ESTABLISHED and
-# RELATED sections and place all of your rules in the NEW section.
-#
-# You may omit any section that you don't need. If no Section Headers appear
-# in the file then all rules are assumed to be in the NEW section.
-#
-# Columns are:
-#
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-# LOG, QUEUE or an .
-#
-# ACCEPT -- allow the connection request
-# ACCEPT+ -- like ACCEPT but also excludes the
-# connection from any subsequent
-# DNAT[-] or REDIRECT[-] rules
-# NONAT -- Excludes the connection from any
-# subsequent DNAT[-] or REDIRECT[-]
-# rules but doesn't generate a rule
-# to accept the traffic.
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# DNAT -- Forward the request to another
-# system (and optionally another
-# port).
-# DNAT- -- Advanced users only.
-# Like DNAT but only generates the
-# DNAT iptables rule and not
-# the companion ACCEPT rule.
-# SAME -- Similar to DNAT except that the
-# port may not be remapped and when
-# multiple server addresses are
-# listed, all requests from a given
-# remote system go to the same
-# server.
-# SAME- -- Advanced users only.
-# Like SAME but only generates the
-# NAT iptables rule and not
-# the companion ACCEPT rule.
-# REDIRECT -- Redirect the request to a local
-# port on the firewall.
-# REDIRECT-
-# -- Advanced users only.
-# Like REDIRET but only generates the
-# REDIRECT iptables rule and not
-# the companion ACCEPT rule.
-#
-# CONTINUE -- (For experts only). Do not process
-# any of the following rules for this
-# (source zone,destination zone).
If
-# The source and/or destination IP
-# address falls into a zone defined
-# later in /etc/shorewall/zones, this
-# connection request will be passed
-# to the rules defined for that
-# (those) zone(s).
-# LOG -- Simply log the packet and continue.
-# QUEUE -- Queue the packet to a user-space
-# application such as ftwall
-# (http://p2pwall.sf.net).
-# -- The name of an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std.
-#
-# -- The name of a macro defined in a
-# file named macro..
-#
-# The ACTION may optionally be followed
-# by ":" and a syslog log level (e.g, REJECT:info or
-# DNAT:debug). This causes the packet to be
-# logged at the specified level.
-#
-# If the ACTION names an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std then:
-#
-# - If the log level is followed by "!' then all rules
-# in the action are logged at the log level.
-#
-# - If the log level is not followed by "!" then only
-# those rules in the action that do not specify
-# logging are logged at the specified level.
-#
-# - The special log level 'none!' suppresses logging
-# by the action.
-#
-# You may also specify ULOG (must be in upper case) as a
-# log level.This will log to the ULOG target for routing
-# to a separate log through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# Actions specifying logging may be followed by a
-# log tag (a string of alphanumeric characters)
-# are appended to the string generated by the
-# LOGPREFIX (in /etc/shorewall/shorewall.conf).
-#
-# Example: ACCEPT:info:ftp would include 'ftp '
-# at the end of the log prefix generated by the
-# LOGPREFIX setting.
-#
-# SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, "all", "all+" or "none" If the ACTION
-# is DNAT or REDIRECT, sub-zones of the specified zone
-# may be excluded from the rule by following the zone
-# name with "!'
and a comma-separated list of sub-zone
-# names.
-#
-# When "none" is used either in the SOURCE or DEST
-# column, the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. When "all+" is
-# used, intra-zone traffic is affected.
-#
-# Except when "all[+]" is specified, clients may be
-# further restricted to a list of subnets and/or hosts by
-# appending ":" and a comma-separated list of subnets
-# and/or hosts. Hosts may be specified by IP or MAC
-# address; mac addresses must begin with "~" and must use
-# "-" as a separator.
-#
-# Hosts may be specified as an IP address range using the
-# syntax -. This requires that
-# your kernel and iptables contain iprange match support.
-# If you kernel and iptables have ipset match support
-# then you may give the name of an ipset prefaced by "+".
-# The ipset name may be optionally followed by a number
-# from 1 to 6 enclosed in square brackets ([]) to
-# indicate the number of levels of source bindings to be
-# matched.
-#
-# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
-#
-# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
-# Internet
-#
-# loc:192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2 in the local zone.
-# loc:~00-A0-C9-15-39-78 Host in the local zone with
-# MAC address 00:A0:C9:15:39:78.
-#
-# net:192.0.2.11-192.0.2.17
-# Hosts 192.0.2.11-192.0.2.17 in
-# the net zone.
-#
-# Alternatively, clients may be specified by interface
-# by appending ":" to the zone name followed by the
-# interface name. For example, loc:eth1 specifies a
-# client that communicates with the firewall system
-# through eth1. This may be optionally followed by
-# another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., loc:eth1:192.168.1.5).
-#
-# DEST Location of Server. May be a zone defined in
-# /etc/shorewall/zones, $FW to indicate the firewall
-# itself, "all". "all+" or "none".
-#
-# When "none" is used either in the SOURCE or DEST
-# column, the rule is ignored.
-#
-# When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. When "all+" is
-# used, intra-zone traffic is affected.
-#
-# Except when "all[+]" is specified, the server may be
-# further restricted to a particular subnet, host or
-# interface by appending ":" and the subnet, host or
-# interface. See above.
-#
-# Restrictions:
-#
-# 1. MAC addresses are not allowed.
-# 2. In DNAT rules, only IP addresses are
-# allowed; no FQDNs or subnet addresses
-# are permitted.
-# 3. You may not specify both an interface and
-# an address.
-#
-# Like in the SOURCE column, you may specify a range of
-# up to 256 IP addresses using the syntax
-# -. When the ACTION is DNAT or DNAT-,
-# the connections will be assigned to addresses in the
-# range in a round-robin fashion.
-#
-# If you kernel and iptables have ipset match support
-# then you may give the name of an ipset prefaced by "+".
-# The ipset name may be optionally followed by a number
-# from 1 to 6 enclosed in square brackets ([]) to
-# indicate the number of levels of destination bindings
-# to be matched. Only one of the SOURCE and DEST columns
-# may specify an ipset name.
-#
-# The port that the server is listening on may be
-# included and separated from the server's IP address by
-# ":". If omitted, the firewall will not modifiy the
-# destination port. A destination port may only be
-# included if the ACTION is DNAT or REDIRECT.
-#
-# Example: loc:192.168.1.3:3128 specifies a local
-# server at IP address 192.168.1.3 and listening on port
-# 3128. The port number MUST be specified as an integer
-# and not as a name from /etc/services.
-#
-# if the ACTION is REDIRECT, this column needs only to
-# contain the port number on the firewall that the
-# request should be redirected to.
-#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all".
"ipp2p" requires ipp2p match -# support in your kernel and iptables. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example -# "bit" for bit-torrent). If no port is given, "ipp2p" is -# assumed. -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then -# place "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] -# then if included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. 
-#
-# A comma-separated list of addresses may also be used.
-# This is usually most useful with the REDIRECT target
-# where you want to redirect traffic destined for
-# particular set of hosts.
-#
-# Finally, if the list of addresses begins with "!" then
-# the rule will be followed only if the original
-# destination address in the connection request does not
-# match any of the addresses listed.
-#
-# For other actions, this column may be included and may
-# contain one or more addresses (host or network)
-# separated by commas. Address ranges are not allowed.
-# When this column is supplied, rules are generated
-# that require that the original destination address
-# matches one of the listed addresses. This feature is
-# most useful when you want to generate a filter rule
-# that corresponds to a DNAT- or REDIRECT- rule. In this
-# usage, the list of addresses should not begin with "!".
-#
-# See http://shorewall.net/PortKnocking.html for an
-# example of using an entry in this column with a
-# user-defined action rule.
-#
-# RATE LIMIT You may rate-limit the rule by placing a value in
-# this colume:
-#
-# /[:]
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. If no is given,
-# a value of 5 is assumed. There may be no
-# no whitespace embedded in the specification.
-#
-# Example: 10/sec:20
-#
-# USER/GROUP This column may only be non-empty if the SOURCE is
-# the firewall itself.
-#
-# The column may contain:
-#
-# [!][][:][+]
-#
-# When this column is non-empty, the rule applies only
-# if the program generating the output is running under
-# the effective and/or specified (or is
-# NOT running under that id if "!" is given).
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-# +upnpd #program named 'upnpd'
-#
-# Example: Accept SMTP requests from the DMZ to the internet
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
-#
-# Example: Forward all ssh and http connection requests from the
-# internet to local system 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
-#
-# Example: Forward all http connection requests from the internet
-# to local system 192.168.1.3 with a limit of 3 per second and
-# a maximum burst of 10
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# # PORT PORT(S) DEST LIMIT
-# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
-#
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
-#
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
-#
-# Example: You want to accept SSH connections to your firewall only
-# from internet IP addresses 130.252.100.69 and 130.252.100.70
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
-# tcp 22
-#############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
-#
-# Accept DNS connections from the firewall to
the Internet
-#
-DNS/ACCEPT $FW net
-#
-#
-# Accept SSH connections from the local network to the firewall and DMZ
-#
-SSH/ACCEPT loc $FW
-SSH/ACCEPT loc dmz
-#
-# DMZ DNS access to the Internet
-#
-DNS/ACCEPT dmz net
-
-
-# Reject Ping from the "bad" net zone.
-
-Ping/REJECT net $FW
-
-#
-# Make ping work bi-directionally between the dmz, net, Firewall and local zone
-# (assumes that the loc-> net policy is ACCEPT).
-#
-
-Ping/ACCEPT loc $FW
-Ping/ACCEPT dmz $FW
-Ping/ACCEPT loc dmz
-Ping/ACCEPT dmz loc
-Ping/ACCEPT dmz net
-
-ACCEPT $FW net icmp
-ACCEPT $FW loc icmp
-ACCEPT $FW dmz icmp
-
-# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
-# the net zone to the dmz and loc
-
-#Ping/ACCEPT net dmz
-#Ping/ACCEPT net loc
-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/three-interfaces/zones b/Shorewall/Samples/three-interfaces/zones
deleted file mode 100644
index 88f916725..000000000
--- a/Shorewall/Samples/three-interfaces/zones
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Zones File for three-interface configuration.
-#
-# /etc/shorewall/zones
-#
-# This file determines your network zones.
-#
-# Columns are:
-#
-# ZONE Short name of the zone (5 Characters or less in length).
-# The names "all" and "none" are reserved and may not be
-# used as zone names.
-#
-# Where a zone is nested in one or more other zones,
-# you may follow the (sub)zone name by ":" and a
-# comma-separated list of the parent zones. The parent
-# zones must have been defined in earlier records in this
-# file.
-#
-# Example:
-#
-# #ZONE TYPE OPTIONS
-# a ipv4
-# b ipv4
-# c:a,b ipv4
-#
-# Currently, Shorewall uses this information only to reorder the
-# zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
-#
-# TYPE ipv4 - This is the standard Shorewall zone type and is the
-# default if you leave this column empty or if you enter
-# "-" in the column. Communication with some zone hosts
-# may be encrypted. Encrypted hosts are designated using
-# the 'ipsec'option in /etc/shorewall/hosts.
-# ipsec - Communication with all zone hosts is encrypted
-# Your kernel and iptables must include policy
-# match support.
-# firewall
-# - Designates the firewall itself. You must have
-# exactly one 'firewall' zone. No options are
-# permitted with a 'firewall' zone. The name that you
-# enter in the ZONE column will be stored in the shell
-# variable $FW which you may use in other configuration
-# files to designate the firewall zone.
-#
-# OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS,
-# OUT OPTIONS reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA used to encrypt/decrypt packets.
-#
-# proto=ah|esp|ipcomp
-#
-# mss= (sets the MSS field in TCP packets)
-#
-# mode=transport|tunnel
-#
-# tunnel-src=
[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=
[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all rules.
-#
-# next Separates rules; can only be used with
-# strict..
-#
-# Example:
-# mode=transport,reqid=44
-#
-# The options in the OPTIONS column are applied to both incoming
-# and outgoing traffic. The IN OPTIONS are applied to incoming
-# traffic (in addition to OPTIONS) and the OUT OPTIONS are
-# applied to outgoing traffic.
-#
-# If you wish to leave a column empty but need to make an entry
-# in a following column, use "-".
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
-###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
-net ipv4
-loc ipv4
-dmz ipv4
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/interfaces b/Shorewall/Samples/two-interfaces/interfaces
deleted file mode 100755
index 9204a3170..000000000
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ /dev/null
@@ -1,237 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Interfaces File for two-interface configuration.
-#
-# /etc/shorewall/interfaces
-#
-# You must add an entry in this file for each network interface on your
-# firewall system.
-#
-# Columns are:
-#
-# ZONE Zone for this interface. Must match the name of a
-# zone defined in /etc/shorewall/zones. You may not
-# list the firewall zone in this column.
-#
-# If the interface serves multiple zones that will be
-# defined in the /etc/shorewall/hosts file, you should
-# place "-" in this column.
-#
-# INTERFACE Name of interface. Each interface may be listed only
-# once in this file. You may NOT specify the name of
-# an alias (e.g., eth0:0) here; see
-# http://www.shorewall.net/FAQ.htm#faq18
-#
-# You may specify wildcards here. For example, if you
-# want to make an entry that applies to all PPP
-# interfaces, use 'ppp+'.
-#
-# There is no need to define the loopback interface (lo)
-# in this file.
-#
-# BROADCAST The broadcast address for the subnetwork to which the
-# interface belongs. For P-T-P interfaces, this
-# column is left blank.If the interface has multiple
-# addresses on multiple subnets then list the broadcast
-# addresses as a comma-separated list.
-#
-# If you use the special value "detect", the firewall
-# will detect the broadcast address for you. If you
-# select this option, the interface must be up before
-# the firewall is started, you must have iproute
-# installed.
-#
-# If you don't want to give a value for this column but
-# you want to enter a value in the OPTIONS column, enter
-# "-" in this column.
-#
-# OPTIONS A comma-separated list of options including the
-# following:
-#
-# dhcp - Specify this option when any of
-# the following are true:
-# 1. the interface gets its IP address
-# via DHCP
-# 2. the interface is used by
-# a DHCP server running on the firewall
-# 3. you have a static IP but are on a LAN
-# segment with lots of Laptop DHCP
-# clients.
-# 4.
the interface is a bridge with
-# a DHCP server on one port and DHCP
-# clients on another port.
-#
-# norfc1918 - This interface should not receive
-# any packets whose source is in one
-# of the ranges reserved by RFC 1918
-# (i.e., private or "non-routable"
-# addresses. If packet mangling or
-# connection-tracking match is enabled in
-# your kernel, packets whose destination
-# addresses are reserved by RFC 1918 are
-# also rejected.
-#
-# routefilter - turn on kernel route filtering for this
-# interface (anti-spoofing measure). This
-# option can also be enabled globally in
-# the /etc/shorewall/shorewall.conf file.
-#
-# logmartians - turn on kernel martian logging (logging
-# of packets with impossible source
-# addresses. It is suggested that if you
-# set routefilter on an interface that
-# you also set logmartians. This option
-# may also be enabled globally in the
-# /etc/shorewall/shorewall.conf file.
-#
-# blacklist - Check packets arriving on this interface
-# against the /etc/shorewall/blacklist
-# file.
-#
-# maclist - Connection requests from this interface
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-# tcpflags - Packets arriving on this interface are
-# checked for certain illegal combinations
-# of TCP flags. Packets found to have
-# such a combination of flags are handled
-# according to the setting of
-# TCP_FLAGS_DISPOSITION after having been
-# logged according to the setting of
-# TCP_FLAGS_LOG_LEVEL.
-#
-# proxyarp -
-# Sets
-# /proc/sys/net/ipv4/conf//proxy_arp.
-# Do NOT use this option if you are
-# employing Proxy ARP through entries in
-# /etc/shorewall/proxyarp.
This option is
-# intended soley for use with Proxy ARP
-# sub-networking as described at:
-# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#
-# newnotsyn - TCP packets that don't have the SYN
-# flag set and which are not part of an
-# established connection will be accepted
-# from this interface, even if
-# NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf. In other
-# words, packets coming in on this
-# interface are processed as if
-# NEWNOTSYN=Yes had been specified in
-# /etc/shorewall/shorewall.conf.
-#
-# This option has no effect if
-# NEWNOTSYN=Yes.
-#
-# It is the opinion of the author that
-# NEWNOTSYN=No creates more problems than
-# it solves and I recommend against using
-# that setting in shorewall.conf (hence
-# making the use of the 'newnotsyn'
-# interface option unnecessary).
-#
-# routeback - If specified, indicates that Shorewall
-# should include rules that allow
-# filtering traffic arriving on this
-# interface back out that same interface.
-#
-# arp_filter - If specified, this interface will only
-# respond to ARP who-has requests for IP
-# addresses configured on the interface.
-# If not specified, the interface can
-# respond to ARP who-has requests for
-# IP addresses on any of the firewall's
-# interface. The interface must be up
-# when Shorewall is started.
-#
-# arp_ignore[=]
-# - If specified, this interface will
-# respond to arp requests based on the
-# value of .
-#
-# 1 - reply only if the target IP address
-# is local address configured on the
-# incoming interface
-#
-# 2 - reply only if the target IP address
-# is local address configured on the
-# incoming interface and both with the
-# sender's IP address are part from same
-# subnet on this interface
-#
-# 3 - do not reply for local addresses
-# configured with scope host, only
-# resolutions for global and link
-# addresses are replied
-#
-# 4-7 - reserved
-#
-# 8 - do not reply for all local
-# addresses
-#
-# If no is given then the value
-# 1 is assumed
-#
-# WARNING -- DO NOT SPECIFY arp_ignore
-# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
-#
-# nosmurfs - Filter packets for smurfs
-# (packets with a broadcast
-# address as the source).
-#
-# Smurfs will be optionally logged based
-# on the setting of SMURF_LOG_LEVEL in
-# shorewall.conf. After logging, the
-# packets are dropped.
-#
-# detectnets - Automatically taylors the zone named
-# in the ZONE column to include only those
-# hosts routed through the interface.
-#
-# upnp - Incoming requests from this interface
-# may be remapped via UPNP (upnpd).
-#
-# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-# INTERNET INTERFACE.
-#
-# The order in which you list the options is not
-# significant but the list should have no embedded white
-# space.
-#
-# Example 1: Suppose you have eth0 connected to a DSL modem and
-# eth1 connected to your local network and that your
-# local subnet is 192.168.1.0/24. The interface gets
-# it's IP address via DHCP from subnet
-# 206.191.149.192/27. You have a DMZ with subnet
-# 192.168.2.0/24 using eth2.
-#
-# Your entries for this setup would look like:
-#
-# net eth0 206.191.149.223 dhcp
-# local eth1 192.168.1.255
-# dmz eth2 192.168.2.255
-#
-# Example 2: The same configuration without specifying broadcast
-# addresses is:
-#
-# net eth0 detect dhcp
-# loc eth1 detect
-# dmz eth2 detect
-#
-# Example 3: You have a simple dial-in system with no ethernet
-# connections.
-#
-# net ppp0 -
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
-###############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
-loc eth1 detect tcpflags,detectnets,nosmurfs
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/masq b/Shorewall/Samples/two-interfaces/masq
deleted file mode 100755
index f9adf3f73..000000000
--- a/Shorewall/Samples/two-interfaces/masq
+++ /dev/null
@@ -1,221 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Masq file for two-interface configuration.
-#
-# /etc/shorewall/masq
-#
-# Use this file to define dynamic NAT (Masquerading) and to define
-# Source NAT (SNAT).
-#
-# Columns are:
-#
-# INTERFACE -- Outgoing interface. This is usually your internet
-# interface. If ADD_SNAT_ALIASES=Yes in
-# /etc/shorewall/shorewall.conf, you may add ":" and
-# a digit to indicate that you want the alias added with
-# that name (e.g., eth0:0). This will allow the alias to
-# be displayed with ifconfig. THAT IS THE ONLY USE FOR
-# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
-# PLACE IN YOUR SHOREWALL CONFIGURATION.
-#
-# This may be qualified by adding the character
-# ":" followed by a destination host or subnet.
-#
-# If you wish to inhibit the action of ADD_SNAT_ALIASES
-# for this entry then include the ":" but omit the digit:
-#
-# eth0:
-# eth2::192.0.2.32/27
-#
-# Normally Masq/SNAT rules are evaluated after those for
-# one-to-one NAT (/etc/shorewall/nat file). If you want
-# the rule to be applied before one-to-one NAT rules,
-# prefix the interface name with "+":
-#
-# +eth0
-# +eth0:192.0.2.32/27
-# +eth0:2
-#
-# This feature should only be required if you need to
-# insert rules in this file that preempt entries in
-# /etc/shorewall/nat.
-#
-# SUBNET -- Subnet that you wish to masquerade. You can specify this as
-# a subnet or as an interface. If you give the name of an
-# interface, you must have iproute installed and the interface
-# must be up before you start the firewall.
-#
-# In order to exclude a subset of the specified SUBNET, you
-# may append "!" and a comma-separated list of IP addresses
-# and/or subnets that you wish to exclude.
-#
-# Example: eth1!192.168.1.4,192.168.32.0/27
-#
-# In that example traffic from eth1 would be masqueraded unless
-# it came from 192.168.1.4 or 196.168.32.0/27
-#
-# ADDRESS -- (Optional). If you specify an address here, SNAT will be
-# used and this will be the source address. If
-# ADD_SNAT_ALIASES is set to Yes or yes in
-# /etc/shorewall/shorewall.conf then Shorewall
-# will automatically add this address to the
-# INTERFACE named in the first column.
-#
-# You may also specify a range of up to 256
-# IP addresses if you want the SNAT address to
-# be assigned from that range in a round-robin
-# range by connection. The range is specified by
-# -.
-#
-# Example: 206.124.146.177-206.124.146.180
-#
-# Finally, you may also specify a comma-separated
-# list of ranges and/or addresses in this column.
-#
-# This column may not contain DNS Names.
-#
-# Normally, Netfilter will attempt to retain
-# the source port number. You may cause
-# netfilter to remap the source port by following
-# an address or range (if any) by ":" and
-# a port range with the format -
-# . If this is done, you must
-# specify "tcp" or "udp" in the PROTO column.
-#
-# Examples:
-#
-# 192.0.2.4:5000-6000
-# :4000-5000
-#
-# You can invoke the SAME target using the
-# following in this column:
-#
-# SAME:[nodst:][,...]
-#
-# The may be single addresses.
-#
-# SAME works like SNAT with the exception that
-# the same local IP address is assigned to each
-# connection from a local address to a given
-# remote address.
-#
-# If the 'nodst:' option is included, then the
-# same source address is used for a given
-# internal system regardless of which remote
-# system is involved.
-#
-# If you want to leave this column empty
-# but you need to specify the next column then
-# place a hyphen ("-") here.
-#
-# PROTO -- (Optional) If you wish to restrict this entry to a
-# particular protocol then enter the protocol
-# name (from /etc/protocols) or number here.
-#
-# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
-# or UDP (protocol 17) then you may list one
-# or more port numbers (or names from
-# /etc/services) separated by commas or you
-# may list a single port range
-# (:).
-#
-# Where a comma-separated list is given, your
-# kernel and iptables must have multiport match
-# support and a maximum of 15 ports may be
-# listed.
-#
-# IPSEC -- (Optional) If you specify a value other than "-" in this
-# column, you must be running kernel 2.6 and
-# your kernel and iptables must include policy
-# match support.
-#
-# Comma-separated list of options from the
-# following. Only packets that will be encrypted
-# via an SA that matches these options will have
-# their source address changed.
-#
-# Yes or yes -- must be the only option
-# listed and matches all outbound
-# traffic that will be encrypted.
-#
-# reqid= where is
-# specified using setkey(8) using the
-# 'unique: option for the SPD
-# level.
-#
-# spi= where is the
-# SPI of the SA.
-#
-# proto=ah|esp|ipcomp
-#
-# mode=transport|tunnel
-#
-# tunnel-src=[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match
-# all rules.
-#
-# next Separates rules; can only be
-# used with strict..
-#
-# Example 1:
-#
-# You have a simple masquerading setup where eth0 connects to
-# a DSL or cable modem and eth1 connects to your local network
-# with subnet 192.168.0.0/24.
-#
-# Your entry in the file can be either:
-#
-# eth0 eth1
-#
-# or
-#
-# eth0 192.168.0.0/24
-#
-# Example 2:
-#
-# You add a router to your local network to connect subnet
-# 192.168.1.0/24 which you also want to masquerade. You then
-# add a second entry for eth0 to this file:
-#
-# eth0 192.168.1.0/24
-#
-# Example 3:
-#
-# You have an IPSEC tunnel through ipsec0 and you want to
-# masquerade packets coming from 192.168.1.0/24 but only if
-# these packets are destined for hosts in 10.1.1.0/24:
-#
-# ipsec0:10.1.1.0/24 196.168.1.0/24
-#
-# Example 4:
-#
-# You want all outgoing traffic from 192.168.1.0/24 through
-# eth0 to use source address 206.124.146.176 which is NOT the
-# primary address of eth0. You want 206.124.146.176 added to
-# be added to eth0 with name eth0:0.
-#
-# eth0:0 192.168.1.0/24 206.124.146.176
-#
-# Example 5:
-#
-# You want all outgoing SMTP traffic entering the firewall
-# on eth1 to be sent from eth0 with source IP address
-# 206.124.146.177. You want all other outgoing traffic
-# from eth1 to be sent from eth0 with source IP address
-# 206.124.146.176.
-#
-# eth0 eth1 206.124.146.177 tcp smtp
-# eth0 eth1 206.124.146.176
-#
-# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
-###############################################################################
-#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
-eth0 eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/policy b/Shorewall/Samples/two-interfaces/policy
deleted file mode 100644
index 320a0ddb7..000000000
--- a/Shorewall/Samples/two-interfaces/policy
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Policy File for two-interface configuration.
-#
-# /etc/shorewall/policy
-#
-# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
-#
-# This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file . For each
-# source/destination pair, the file is processed in order until a
-# match is found ("all" will match any client or server).
-#
-# INTRA-ZONE POLICIES ARE PRE-DEFINED
-#
-# For $FW and for all of the zoned defined in /etc/shorewall/zones,
-# the POLICY for connections from the zone to itself is ACCEPT (with no
-# logging or TCP connection rate limiting but may be overridden by an
-# entry in this file. The overriding entry must be explicit (cannot use
-# "all" in the SOURCE or DEST).
-#
-# Columns are:
-#
-# SOURCE Source zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all".
-#
-# DEST Destination zone. Must be the name of a zone defined
-# in /etc/shorewall/zones, $FW or "all"
-#
-# POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
-#
-# ACCEPT - Accept the connection
-# DROP - Ignore the connection request
-# REJECT - For TCP, send RST. For all other,
-# send "port unreachable" ICMP.
-# QUEUE - Send the request to a user-space
-# application using the QUEUE target.
-# CONTINUE - Pass the connection request past
-# any other rules that it might also
-# match (where the source or
-# destination zone in those rules is
-# a superset of the SOURCE or DEST
-# in this policy).
-# NONE - Assume that there will never be any
-# packets from this SOURCE
-# to this DEST. Shorewall will not set
-# up any infrastructure to handle such
-# packets and you may not have any
-# rules with this SOURCE and DEST in
-# the /etc/shorewall/rules file. If
-# such a packet _is_ received, the
-# result is undefined. NONE may not be
-# used if the SOURCE or DEST columns
-# contain the firewall zone ($FW) or
-# "all".
-#
-# If this column contains ACCEPT, DROP or REJECT and a
-# corresponding common action is defined in
-# /etc/shorewall/actions (or
-# /usr/share/shorewall/actions.std) then that action
-# will be invoked before the policy named in this column
-# is enforced.
-#
-# LOG LEVEL If supplied, each connection handled under the default
-# POLICY is logged at that level. If not supplied, no
-# log message is generated. See syslog.conf(5) for a
-# description of log levels.
-#
-# Beginning with Shorewall version 1.3.12, you may
-# also specify ULOG (must be in upper case). This will
-# log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
-#
-# If you don't want to log but need to specify the
-# following column, place "-" here.
-#
-# LIMIT:BURST If passed, specifies the maximum TCP connection rate
-# and the size of an acceptable burst. If not specified,
-# TCP connections are not limited.
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
-###############################################################################
-#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-loc net ACCEPT
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-#$FW net ACCEPT
-net all DROP info
-# THE FOLLOWING POLICY MUST BE LAST
-all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/routestopped b/Shorewall/Samples/two-interfaces/routestopped
deleted file mode 100644
index 2a7da6daf..000000000
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Routestopped File for two-interface configuration.
-#
-# /etc/shorewall/routestopped
-#
-# This file is used to define the hosts that are accessible when the
-# firewall is stopped or when it is in the process of being
-# [re]started.
-#
-# Columns are:
-#
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# addresses. If your kernel and iptables include
-# iprange match support, IP address ranges are also
-# allowed.
-#
-# If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
-# OPTIONS - (Optional) A comma-separated list of
-# options. The currently-supported options are:
-#
-# routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
-#
-# source - Allow traffic from these hosts to ANY
-# destination. Without this option or the 'dest'
-# option, only traffic from this host to other
-# listed hosts (and the firewall) is allowed. If
-# 'source' is specified then 'routeback' is redundent.
-#
-# dest - Allow traffic to these hosts from ANY
-# source. Without this option or the 'source'
-# option, only traffic from this host to other
-# listed hosts (and the firewall) is allowed. If
-# 'dest' is specified then 'routeback' is redundent.
-#
-# critical - Allow traffic between the firewall and
-# these hosts throughout '[re]start', 'stop' and
-# 'clear'. Specifying 'critical' on one or more
-# entries will cause your firewall to be "totally
-# open" for a brief window during each of those
-# operations.
-#
-# NOTE: The 'source' and 'dest' options work best when used
-# in conjunction with ADMINISABSENTMINDED=Yes in
-# /etc/shorewall/shorewall.conf.
-#
-# Example:
-#
-# INTERFACE HOST(S) OPTIONS
-# eth2 192.168.1.0/24
-# eth0 192.0.2.44
-# br0 - routeback
-# eth3 - source
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE HOST(S) OPTIONS
-eth1 -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules
deleted file mode 100755
index 84a499a21..000000000
--- a/Shorewall/Samples/two-interfaces/rules
+++ /dev/null
@@ -1,445 +0,0 @@ -# -# Shorewall version 3.0 - Sample Rules File for two-interface configuration. -# -# /etc/shorewall/rules -# -# Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. For any -# particular (source,dest) pair of zones, the rules are evaluated in the -# order in which they appear in this file and the first match is the one -# that determines the disposition of the request. -# -# In most places where an IP address or subnet is allowed, you -# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to -# indicate that the rule matches all addresses except the address/subnet -# given. Notice that no white space is permitted between "!" and the -# address/subnet. -#------------------------------------------------------------------------------ -# WARNING: If you masquerade or use SNAT from a local system to the internet, -# you cannot use an ACCEPT rule to allow traffic from the internet to -# that system. You *must* use a DNAT rule instead. -#------------------------------------------------------------------------------ -# -# The rules file is divided into sections. Each section is introduced by -# a "Section Header" which is a line beginning with SECTION followed by the -# section name. -# -# Sections are as follows and must appear in the order listed: -# -# ESTABLISHED Packets in the ESTABLISHED state are processed -# by rules in this section. -# -# The only ACTIONs allowed in this section are -# ACCEPT, DROP, REJECT, LOG and QUEUE -# -# There is an implicit ACCEPT rule inserted -# at the end of this section. -# -# RELATED Packets in the RELATED state are processed by -# rules in this section. -# -# The only ACTIONs allowed in this section are -# ACCEPT, DROP, REJECT, LOG and QUEUE -# -# There is an implicit ACCEPT rule inserted -# at the end of this section. -# -# NEW Packets in the NEW and INVALID states are -# processed by rules in this section. 
-# -# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the -# ESTABLISHED and RELATED sections must be empty. -# -# Note: If you are not familiar with Netfilter to the point where you are -# comfortable with the differences between the various connection -# tracking states, then I suggest that you omit the ESTABLISHED and -# RELATED sections and place all of your rules in the NEW section. -# -# You may omit any section that you don't need. If no Section Headers appear -# in the file then all rules are assumed to be in the NEW section. -# -# Columns are: -# -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, -# LOG, QUEUE or an . -# -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the -# connection from any subsequent -# DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any -# subsequent DNAT[-] or REDIRECT[-] -# rules but doesn't generate a rule -# to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# SAME -- Similar to DNAT except that the -# port may not be remapped and when -# multiple server addresses are -# listed, all requests from a given -# remote system go to the same -# server. -# SAME- -- Advanced users only. -# Like SAME but only generates the -# NAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# REDIRECT- -# -- Advanced users only. -# Like REDIRET but only generates the -# REDIRECT iptables rule and not -# the companion ACCEPT rule. -# -# CONTINUE -- (For experts only). Do not process -# any of the following rules for this -# (source zone,destination zone). 
If -# The source and/or destination IP -# address falls into a zone defined -# later in /etc/shorewall/zones, this -# connection request will be passed -# to the rules defined for that -# (those) zone(s). -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as ftwall -# (http://p2pwall.sf.net). -# -- The name of an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std. -# -# -- The name of a macro defined in a -# file named macro.. -# -# The ACTION may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# DNAT:debug). This causes the packet to be -# logged at the specified level. -# -# If the ACTION names an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std then: -# -# - If the log level is followed by "!' then all rules -# in the action are logged at the log level. -# -# - If the log level is not followed by "!" then only -# those rules in the action that do not specify -# logging are logged at the specified level. -# -# - The special log level 'none!' suppresses logging -# by the action. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, "all", "all+" or "none" If the ACTION -# is DNAT or REDIRECT, sub-zones of the specified zone -# may be excluded from the rule by following the zone -# name with "!' 
and a comma-separated list of sub-zone -# names. -# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+" is -# used, intra-zone traffic is affected. -# -# Except when "all[+]" is specified, clients may be -# further restricted to a list of subnets and/or hosts by -# appending ":" and a comma-separated list of subnets -# and/or hosts. Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# Hosts may be specified as an IP address range using the -# syntax -. This requires that -# your kernel and iptables contain iprange match support. -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of source bindings to be -# matched. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. -# -# net:192.0.2.11-192.0.2.17 -# Hosts 192.0.2.11-192.0.2.17 in -# the net zone. -# -# Alternatively, clients may be specified by interface -# by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a -# client that communicates with the firewall system -# through eth1. This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones, $FW to indicate the firewall -# itself, "all". "all+" or "none". 
-# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+" is -# used, intra-zone traffic is affected. -# -# Except when "all[+]" is specified, the server may be -# further restricted to a particular subnet, host or -# interface by appending ":" and the subnet, host or -# interface. See above. -# -# Restrictions: -# -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3. You may not specify both an interface and -# an address. -# -# Like in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. When the ACTION is DNAT or DNAT-, -# the connections will be assigned to addresses in the -# range in a round-robin fashion. -# -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of destination bindings -# to be matched. Only one of the SOURCE and DEST columns -# may specify an ipset name. -# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. A destination port may only be -# included if the ACTION is DNAT or REDIRECT. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the ACTION is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". 
"ipp2p" requires ipp2p match -# support in your kernel and iptables. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example -# "bit" for bit-torrent). If no port is given, "ipp2p" is -# assumed. -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then -# place "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] -# then if included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. 
-# -# A comma-separated list of addresses may also be used. -# This is usually most useful with the REDIRECT target -# where you want to redirect traffic destined for -# particular set of hosts. -# -# Finally, if the list of addresses begins with "!" then -# the rule will be followed only if the original -# destination address in the connection request does not -# match any of the addresses listed. -# -# For other actions, this column may be included and may -# contain one or more addresses (host or network) -# separated by commas. Address ranges are not allowed. -# When this column is supplied, rules are generated -# that require that the original destination address -# matches one of the listed addresses. This feature is -# most useful when you want to generate a filter rule -# that corresponds to a DNAT- or REDIRECT- rule. In this -# usage, the list of addresses should not begin with "!". -# -# See http://shorewall.net/PortKnocking.html for an -# example of using an entry in this column with a -# user-defined action rule. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:][+] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). 
-#
-# Examples:
-#
-# joe #program must be run by joe
-# :kids #program must be run by a member of
-# #the 'kids' group
-# !:kids #program must not be run by a member
-# #of the 'kids' group
-# +upnpd #program named 'upnpd'
-#
-# Example: Accept SMTP requests from the DMZ to the internet
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
-#
-# Example: Forward all ssh and http connection requests from the
-# internet to local system 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
-#
-# Example: Forward all http connection requests from the internet
-# to local system 192.168.1.3 with a limit of 3 per second and
-# a maximum burst of 10
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
-# # PORT PORT(S) DEST LIMIT
-# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
-#
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
-#
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
-#
-# Example: You want to accept SSH connections to your firewall only
-# from internet IP addresses 130.252.100.69 and 130.252.100.70
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
-# tcp 22
-#############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
-# PORT PORT(S) DEST LIMIT GROUP
-#
-# Accept DNS connections from the firewall to the network
-#
-DNS/ACCEPT $FW net
-#
-# Accept SSH connections from the local network for administration
-#
-SSH/ACCEPT loc $FW
-#
-# Allow Ping from the local network
-#
-Ping/ACCEPT loc $FW
-
-#
-# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
-#
-
-Ping/REJECT net $FW
-
-ACCEPT $FW loc icmp
-ACCEPT $FW net icmp
-#
-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/Samples/two-interfaces/zones b/Shorewall/Samples/two-interfaces/zones
deleted file mode 100644
index 7e3e8a14e..000000000
--- a/Shorewall/Samples/two-interfaces/zones
+++ /dev/null
@@ -1,94 +0,0 @@
-#
-# Shorewall version 3.0 - Sample Zones File for two-interface configuration.
-#
-# /etc/shorewall/zones
-#
-# This file determines your network zones.
-#
-# Columns are:
-#
-# ZONE Short name of the zone (5 Characters or less in length).
-# The names "all" and "none" are reserved and may not be
-# used as zone names.
-#
-# Where a zone is nested in one or more other zones,
-# you may follow the (sub)zone name by ":" and a
-# comma-separated list of the parent zones. The parent
-# zones must have been defined in earlier records in this
-# file.
-#
-# Example:
-#
-# #ZONE TYPE OPTIONS
-# a ipv4
-# b ipv4
-# c:a,b ipv4
-#
-# Currently, Shorewall uses this information only to reorder the
-# zone list so that parent zones appear after their subzones in
-# the list. In the future, Shorewall may make more extensive use
-# of that information.
-#
-# TYPE ipv4 - This is the standard Shorewall zone type and is the
-# default if you leave this column empty or if you enter
-# "-" in the column. Communication with some zone hosts
-# may be encrypted. Encrypted hosts are designated using
-# the 'ipsec'option in /etc/shorewall/hosts.
-# ipsec - Communication with all zone hosts is encrypted
-# Your kernel and iptables must include policy
-# match support.
-# firewall
-# - Designates the firewall itself. You must have
-# exactly one 'firewall' zone. No options are
-# permitted with a 'firewall' zone. The name that you
-# enter in the ZONE column will be stored in the shell
-# variable $FW which you may use in other configuration
-# files to designate the firewall zone.
-#
-# OPTIONS, A comma-separated list of options as follows:
-# IN OPTIONS,
-# OUT OPTIONS reqid= where is specified
-# using setkey(8) using the 'unique:
-# option for the SPD level.
-#
-# spi= where is the SPI of
-# the SA used to encrypt/decrypt packets.
-#
-# proto=ah|esp|ipcomp
-#
-# mss= (sets the MSS field in TCP packets)
-#
-# mode=transport|tunnel
-#
-# tunnel-src=[/] (only
-# available with mode=tunnel)
-#
-# tunnel-dst=[/] (only
-# available with mode=tunnel)
-#
-# strict Means that packets must match all rules.
-#
-# next Separates rules; can only be used with
-# strict..
-#
-# Example:
-# mode=transport,reqid=44
-#
-# The options in the OPTIONS column are applied to both incoming
-# and outgoing traffic. The IN OPTIONS are applied to incoming
-# traffic (in addition to OPTIONS) and the OUT OPTIONS are
-# applied to outgoing traffic.
-#
-# If you wish to leave a column empty but need to make an entry
-# in a following column, use "-".
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
-###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
-net ipv4
-loc ipv4
-
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 16ad401c0..8ede8211a 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -12,6 +12,13 @@ Problems Corrected in 3.0.0 RC 2:
 /usr/share/shorewall/firewall: line 1: \
 /proc/sys/net/ipv4/conf/all/arp_ignore: No such file or directory
 
+New Features in Shorewall 3.0.0 RC 2:
+
+1) The sample configurations are now packaged with the product. They are
+ in the Samples directory on the tarball and are in the RPM they are
+ in the Samples sub-directory of the Shorewall documentation
+ directory.
+
 Migration Considerations:
 
 1) The "monitor" command has been eliminated.