extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 08:07:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Clean up config files based on input from the Documentation Group

Browse Source 
Correct zone file installation message


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@169 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-07-31 13:58:53 +00:00
parent ad46d94bbb
commit 824e684ce6
5 changed files with 58 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/install.sh
View File

@ -274,7 +274,7 @@ if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones backup_file /etc/shorewall/zones
else else
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy" echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones"
fi fi
# #

4
Shorewall/interfaces
View File

@ -65,7 +65,9 @@
# addresses and you want to be able to # addresses and you want to be able to
# route between them. # route between them.
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). # interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets # dropunclean - Logs and drops mangled/invalid packets
# #
# logunclean - Logs mangled/invalid packets but does # logunclean - Logs mangled/invalid packets but does

5
Shorewall/masq
View File

@ -57,7 +57,7 @@
# #
# You add a router to your local network to connect subnet # You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then # 192.168.1.0/24 which you also want to masquerade. You then
# add the following entry to this file: # add a second entry for eth0 to this file:
# #
# eth0 192.168.1.0/24 # eth0 192.168.1.0/24
# #
@ -76,6 +76,9 @@
# #
# eth0 192.168.1.0/24 206.124.146.176 # eth0 192.168.1.0/24 206.124.146.176
# #
# This would normally be done when you have a static external
# IP address since it makes the processing of outgoing
# packets somewhat faster.
############################################################################## ##############################################################################
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

2
Shorewall/policy
View File

@ -35,7 +35,7 @@
# As shipped, the default policies are: # As shipped, the default policies are:
# #
# a) All connections from the local network to the internet are allowed # a) All connections from the local network to the internet are allowed
# b) All connections from the network are ignored but logged at syslog # b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO. # level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.

68
Shorewall/shorewall.conf
View File

@ -9,12 +9,16 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw" # Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed. # is assumed.
# #
FW=fw FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For # Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files, # should be /var/state/shorewall. If your init scripts don't use lock files,
@ -23,12 +27,17 @@ FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while # This is the directory where the firewall maintains state information while
# it is running # it is running
# #
STATEDIR=/var/lib/shorewall STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
# #
# Set this to "yes" or "Yes" if you want to accept all connection requests # Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want # that are related to already established connections. For example, you want
@ -39,6 +48,8 @@ STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
# #
# If your netfilter kernel modules are in a directory other than # If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
@ -46,6 +57,8 @@ ALLOWRELATED=yes
MODULESDIR= MODULESDIR=
#
# LOG RATE LIMITING
# #
# The next two variables can be used to control the amount of log output # The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional # generated. LOGRATE is expressed as a number followed by an optional
@ -54,22 +67,35 @@ MODULESDIR=
# maximum initial burst size that will be logged. If set empty, the default # maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used. # value of 5 will be used.
# #
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited. # If BOTH variables are set empty then logging will not be rate-limited.
# #
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
# #
# This variable determines the level at which Mangled/Invalid packets are logged # This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an # under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently. # silently.
# #
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
LOGUNCLEAN=info LOGUNCLEAN=info
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall # This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed. # /var/log/messages is assumed.
@ -83,7 +109,7 @@ LOGUNCLEAN=info
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
# #
# Enable nat support. # ENABLE NAT SUPPORT
# #
# You probally want yes here. Only gateways not doing NAT in any form, like # You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here. # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
@ -91,7 +117,7 @@ LOGFILE=/var/log/messages
NAT_ENABLED=Yes NAT_ENABLED=Yes
# #
# Enable mangle support. # ENABLE MANGLE SUPPORT
# #
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping # and will not initialize the mangle table when starting or stopping
@ -101,7 +127,7 @@ NAT_ENABLED=Yes
MANGLE_ENABLED=Yes MANGLE_ENABLED=Yes
# #
# Enable IP Forwarding # ENABLE IP FORWARDING
# #
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want # say "Off" or "off", packet forwarding will be disabled. You would only want
@ -113,26 +139,27 @@ MANGLE_ENABLED=Yes
# enable nor disable packet forwarding. # enable nor disable packet forwarding.
# #
IP_FORWARDING=On IP_FORWARDING=On
# #
# Automatically add IP Aliases # AUTOMATICALLY ADD NAT IP ADDRESSES
# #
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say # for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself.
# #
ADD_IP_ALIASES=Yes ADD_IP_ALIASES=Yes
# #
# Automatically add SNAT Aliases # AUTOMATICALLY ADD SNAT IP ADDRESSES
# #
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say # for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself.
# #
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
# #
# Enable Traffic Shaping # ENABLE TRAFFIC SHAPING
# #
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
@ -142,7 +169,7 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No TC_ENABLED=No
# #
# Blacklisting # BLACKLIST DISPOSITION
# #
# Set this variable to the action that you want to perform on packets from # Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
@ -151,7 +178,7 @@ TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
# #
# Blacklist Logging # BLACKLIST LOG LEVEL
# #
# Set this variable to the syslogd level that you want blacklist packets logged # Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging # (beward of DOS attacks resulting from such logging). If not set, no logging
@ -160,7 +187,7 @@ BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL= BLACKLIST_LOGLEVEL=
# #
# MSS Clamping # MSS CLAMPING
# #
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet # option. This option is most commonly required when your internet
@ -189,17 +216,19 @@ BLACKLIST_LOGLEVEL=
CLAMPMSS=No CLAMPMSS=No
# #
# Route Filtering # ROUTE FILTERING
# #
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure). # interfaces (anti-spoofing measure).
# #
# If this variable is not set or is set to the empty value, "No" is assumed. # If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
ROUTE_FILTER=No ROUTE_FILTER=No
# #
# NAT before RULES # NAT BEFORE RULES
# #
# Shorewall has traditionally processed static NAT rules before port forwarding # Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No". # rules. If you would like to reverse the order, set this variable to "No".
@ -208,7 +237,7 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes NAT_BEFORE_RULES=Yes
# MULTIPORT # MULTIPORT support
# #
# If your kernel includes the multiport match option # If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
@ -228,7 +257,7 @@ NAT_BEFORE_RULES=Yes
MULTIPORT=No MULTIPORT=No
# DNAT IP Address Detection # DNAT IP ADDRESS DETECTION
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule:
# #
@ -259,7 +288,8 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
# Merge Hosts File #
# MERGE HOSTS FILE
# #
# The traditional behavior of the /etc/shorewall/hosts file has been that # The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined # if that file has ANY entry for a zone then the zone must be defined
@ -292,7 +322,7 @@ DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes MERGE_HOSTS=Yes
# #
# Mutex Timeout # MUTEX TIMEOUT
# #
# The value of this variable determines the number of seconds that programs # The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number # will wait for exclusive access to the Shorewall lock file. After the number