diff --git a/Shorewall/install.sh b/Shorewall/install.sh index c9ac3a9cf..1b1121eba 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -274,7 +274,7 @@ if [ -f ${PREFIX}/etc/shorewall/zones ]; then backup_file /etc/shorewall/zones else run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones - echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy" + echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones" fi # diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 6c535bd42..556455ead 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -65,7 +65,9 @@ # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does diff --git a/Shorewall/masq b/Shorewall/masq index b6cb59c64..69894ddbb 100755 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -57,7 +57,7 @@ # # You add a router to your local network to connect subnet # 192.168.1.0/24 which you also want to masquerade. You then -# add the following entry to this file: +# add a second entry for eth0 to this file: # # eth0 192.168.1.0/24 # @@ -76,6 +76,9 @@ # # eth0 192.168.1.0/24 206.124.146.176 # +# This would normally be done when you have a static external +# IP address since it makes the processing of outgoing +# packets somewhat faster. ############################################################################## #INTERFACE SUBNET ADDRESS #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall/policy b/Shorewall/policy index 8545ec919..abee2aa0c 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -35,7 +35,7 @@ # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed -# b) All connections from the network are ignored but logged at syslog +# b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 8d68535ec..9e1aacc17 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -9,12 +9,16 @@ # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # +# NAME OF THE FIREWALL ZONE +# # Name of the firewall zone -- if not set or if set to an empty string, "fw" # is assumed. # FW=fw - +# +# SUBSYSTEM LOCK FILE +# # Set this to the name of the lock file expected by your init scripts. For # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # should be /var/state/shorewall. If your init scripts don't use lock files, @@ -23,12 +27,17 @@ FW=fw SUBSYSLOCK=/var/lock/subsys/shorewall +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# # This is the directory where the firewall maintains state information while # it is running # STATEDIR=/var/lib/shorewall +# +# ALLOW RELATED CONNECTIONS # # Set this to "yes" or "Yes" if you want to accept all connection requests # that are related to already established connections. For example, you want @@ -39,6 +48,8 @@ STATEDIR=/var/lib/shorewall ALLOWRELATED=yes +# +# KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that @@ -46,6 +57,8 @@ ALLOWRELATED=yes MODULESDIR= +# +# LOG RATE LIMITING # # The next two variables can be used to control the amount of log output # generated. LOGRATE is expressed as a number followed by an optional @@ -54,22 +67,35 @@ MODULESDIR= # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# # If BOTH variables are set empty then logging will not be rate-limited. # LOGRATE= LOGBURST= - +# +# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS # # This variable determines the level at which Mangled/Invalid packets are logged # under the 'dropunclean' interface option. If you set this variable to an # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped # silently. # +# The value of this variable also determines the level at which Mangled/Invalid +# packets are logged under the 'logunclean' interface option. If the variable +# is empty, these packets will still be logged at the 'info' level. +# LOGUNCLEAN=info +# +# LOG FILE LOCATION +# # This variable tells the /sbin/shorewall program where to look for Shorewall # log messages. If not set or set to an empty string (e.g., LOGFILE="") then # /var/log/messages is assumed. @@ -83,7 +109,7 @@ LOGUNCLEAN=info LOGFILE=/var/log/messages # -# Enable nat support. +# ENABLE NAT SUPPORT # # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. @@ -91,7 +117,7 @@ LOGFILE=/var/log/messages NAT_ENABLED=Yes # -# Enable mangle support. +# ENABLE MANGLE SUPPORT # # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # and will not initialize the mangle table when starting or stopping @@ -101,7 +127,7 @@ NAT_ENABLED=Yes MANGLE_ENABLED=Yes # -# Enable IP Forwarding +# ENABLE IP FORWARDING # # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you # say "Off" or "off", packet forwarding will be disabled. You would only want @@ -113,26 +139,27 @@ MANGLE_ENABLED=Yes # enable nor disable packet forwarding. # IP_FORWARDING=On + # -# Automatically add IP Aliases +# AUTOMATICALLY ADD NAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # ADD_IP_ALIASES=Yes # -# Automatically add SNAT Aliases +# AUTOMATICALLY ADD SNAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say # "No" or "no", you must add these aliases youself. # ADD_SNAT_ALIASES=No # -# Enable Traffic Shaping +# ENABLE TRAFFIC SHAPING # # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic @@ -142,7 +169,7 @@ ADD_SNAT_ALIASES=No TC_ENABLED=No # -# Blacklisting +# BLACKLIST DISPOSITION # # Set this variable to the action that you want to perform on packets from # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, @@ -151,7 +178,7 @@ TC_ENABLED=No BLACKLIST_DISPOSITION=DROP # -# Blacklist Logging +# BLACKLIST LOG LEVEL # # Set this variable to the syslogd level that you want blacklist packets logged # (beward of DOS attacks resulting from such logging). If not set, no logging @@ -160,7 +187,7 @@ BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= # -# MSS Clamping +# MSS CLAMPING # # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # option. This option is most commonly required when your internet @@ -189,17 +216,19 @@ BLACKLIST_LOGLEVEL= CLAMPMSS=No # -# Route Filtering +# ROUTE FILTERING # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all # interfaces (anti-spoofing measure). # # If this variable is not set or is set to the empty value, "No" is assumed. +# In that case, you can still enable route filtering on individual interfaces +# in the /etc/shorewall/interfaces file. ROUTE_FILTER=No # -# NAT before RULES +# NAT BEFORE RULES # # Shorewall has traditionally processed static NAT rules before port forwarding # rules. If you would like to reverse the order, set this variable to "No". @@ -208,7 +237,7 @@ ROUTE_FILTER=No NAT_BEFORE_RULES=Yes -# MULTIPORT +# MULTIPORT support # # If your kernel includes the multiport match option # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this @@ -228,7 +257,7 @@ NAT_BEFORE_RULES=Yes MULTIPORT=No -# DNAT IP Address Detection +# DNAT IP ADDRESS DETECTION # # Normally when Shorewall encounters the following rule: # @@ -259,7 +288,8 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No -# Merge Hosts File +# +# MERGE HOSTS FILE # # The traditional behavior of the /etc/shorewall/hosts file has been that # if that file has ANY entry for a zone then the zone must be defined @@ -292,7 +322,7 @@ DETECT_DNAT_IPADDRS=No MERGE_HOSTS=Yes # -# Mutex Timeout +# MUTEX TIMEOUT # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall lock file. After the number