mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-09 01:04:06 +01:00
Clean up config files based on input from the Documentation Group
Correct zone file installation message git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@169 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ad46d94bbb
commit
824e684ce6
@ -274,7 +274,7 @@ if [ -f ${PREFIX}/etc/shorewall/zones ]; then
|
||||
backup_file /etc/shorewall/zones
|
||||
else
|
||||
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
|
||||
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/policy"
|
||||
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones"
|
||||
fi
|
||||
|
||||
#
|
||||
|
@ -65,7 +65,9 @@
|
||||
# addresses and you want to be able to
|
||||
# route between them.
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure).
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
# dropunclean - Logs and drops mangled/invalid packets
|
||||
#
|
||||
# logunclean - Logs mangled/invalid packets but does
|
||||
|
@ -57,7 +57,7 @@
|
||||
#
|
||||
# You add a router to your local network to connect subnet
|
||||
# 192.168.1.0/24 which you also want to masquerade. You then
|
||||
# add the following entry to this file:
|
||||
# add a second entry for eth0 to this file:
|
||||
#
|
||||
# eth0 192.168.1.0/24
|
||||
#
|
||||
@ -76,6 +76,9 @@
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
# This would normally be done when you have a static external
|
||||
# IP address since it makes the processing of outgoing
|
||||
# packets somewhat faster.
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -35,7 +35,7 @@
|
||||
# As shipped, the default policies are:
|
||||
#
|
||||
# a) All connections from the local network to the internet are allowed
|
||||
# b) All connections from the network are ignored but logged at syslog
|
||||
# b) All connections from the internet are ignored but logged at syslog
|
||||
# level KERNEL.INFO.
|
||||
# d) All other connection requests are rejected and logged at level
|
||||
# KERNEL.INFO.
|
||||
|
@ -9,12 +9,16 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# NAME OF THE FIREWALL ZONE
|
||||
#
|
||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||
# is assumed.
|
||||
#
|
||||
FW=fw
|
||||
|
||||
|
||||
#
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
||||
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
||||
@ -23,12 +27,17 @@ FW=fw
|
||||
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
#
|
||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
||||
#
|
||||
# This is the directory where the firewall maintains state information while
|
||||
# it is running
|
||||
#
|
||||
|
||||
STATEDIR=/var/lib/shorewall
|
||||
|
||||
#
|
||||
# ALLOW RELATED CONNECTIONS
|
||||
#
|
||||
# Set this to "yes" or "Yes" if you want to accept all connection requests
|
||||
# that are related to already established connections. For example, you want
|
||||
@ -39,6 +48,8 @@ STATEDIR=/var/lib/shorewall
|
||||
|
||||
ALLOWRELATED=yes
|
||||
|
||||
#
|
||||
# KERNEL MODULE DIRECTORY
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
||||
@ -46,6 +57,8 @@ ALLOWRELATED=yes
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
# The next two variables can be used to control the amount of log output
|
||||
# generated. LOGRATE is expressed as a number followed by an optional
|
||||
@ -54,22 +67,35 @@ MODULESDIR=
|
||||
# maximum initial burst size that will be logged. If set empty, the default
|
||||
# value of 5 will be used.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# LOGRATE=10/minute
|
||||
# LOGBURST=5
|
||||
#
|
||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
||||
#
|
||||
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
|
||||
#
|
||||
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
|
||||
#
|
||||
# This variable determines the level at which Mangled/Invalid packets are logged
|
||||
# under the 'dropunclean' interface option. If you set this variable to an
|
||||
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
|
||||
# silently.
|
||||
#
|
||||
# The value of this variable also determines the level at which Mangled/Invalid
|
||||
# packets are logged under the 'logunclean' interface option. If the variable
|
||||
# is empty, these packets will still be logged at the 'info' level.
|
||||
#
|
||||
|
||||
LOGUNCLEAN=info
|
||||
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
#
|
||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||
# /var/log/messages is assumed.
|
||||
@ -83,7 +109,7 @@ LOGUNCLEAN=info
|
||||
LOGFILE=/var/log/messages
|
||||
|
||||
#
|
||||
# Enable nat support.
|
||||
# ENABLE NAT SUPPORT
|
||||
#
|
||||
# You probally want yes here. Only gateways not doing NAT in any form, like
|
||||
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
|
||||
@ -91,7 +117,7 @@ LOGFILE=/var/log/messages
|
||||
NAT_ENABLED=Yes
|
||||
|
||||
#
|
||||
# Enable mangle support.
|
||||
# ENABLE MANGLE SUPPORT
|
||||
#
|
||||
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
|
||||
# and will not initialize the mangle table when starting or stopping
|
||||
@ -101,7 +127,7 @@ NAT_ENABLED=Yes
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
#
|
||||
# Enable IP Forwarding
|
||||
# ENABLE IP FORWARDING
|
||||
#
|
||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
||||
@ -113,26 +139,27 @@ MANGLE_ENABLED=Yes
|
||||
# enable nor disable packet forwarding.
|
||||
#
|
||||
IP_FORWARDING=On
|
||||
|
||||
#
|
||||
# Automatically add IP Aliases
|
||||
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
#
|
||||
# Automatically add SNAT Aliases
|
||||
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
|
||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
||||
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
||||
# "No" or "no", you must add these aliases youself.
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# Enable Traffic Shaping
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
@ -142,7 +169,7 @@ ADD_SNAT_ALIASES=No
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
# Blacklisting
|
||||
# BLACKLIST DISPOSITION
|
||||
#
|
||||
# Set this variable to the action that you want to perform on packets from
|
||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||
@ -151,7 +178,7 @@ TC_ENABLED=No
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
#
|
||||
# Blacklist Logging
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
||||
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
||||
@ -160,7 +187,7 @@ BLACKLIST_DISPOSITION=DROP
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
#
|
||||
# MSS Clamping
|
||||
# MSS CLAMPING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
||||
# option. This option is most commonly required when your internet
|
||||
@ -189,17 +216,19 @@ BLACKLIST_LOGLEVEL=
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
# Route Filtering
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# In that case, you can still enable route filtering on individual interfaces
|
||||
# in the /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=No
|
||||
|
||||
#
|
||||
# NAT before RULES
|
||||
# NAT BEFORE RULES
|
||||
#
|
||||
# Shorewall has traditionally processed static NAT rules before port forwarding
|
||||
# rules. If you would like to reverse the order, set this variable to "No".
|
||||
@ -208,7 +237,7 @@ ROUTE_FILTER=No
|
||||
|
||||
NAT_BEFORE_RULES=Yes
|
||||
|
||||
# MULTIPORT
|
||||
# MULTIPORT support
|
||||
#
|
||||
# If your kernel includes the multiport match option
|
||||
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
|
||||
@ -228,7 +257,7 @@ NAT_BEFORE_RULES=Yes
|
||||
|
||||
MULTIPORT=No
|
||||
|
||||
# DNAT IP Address Detection
|
||||
# DNAT IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
#
|
||||
@ -259,7 +288,8 @@ MULTIPORT=No
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
||||
# Merge Hosts File
|
||||
#
|
||||
# MERGE HOSTS FILE
|
||||
#
|
||||
# The traditional behavior of the /etc/shorewall/hosts file has been that
|
||||
# if that file has ANY entry for a zone then the zone must be defined
|
||||
@ -292,7 +322,7 @@ DETECT_DNAT_IPADDRS=No
|
||||
MERGE_HOSTS=Yes
|
||||
|
||||
#
|
||||
# Mutex Timeout
|
||||
# MUTEX TIMEOUT
|
||||
#
|
||||
# The value of this variable determines the number of seconds that programs
|
||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
||||
|
Loading…
Reference in New Issue
Block a user