Large cleanup patch from Tuomo Soini

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-02 16:46:30 +00:00
parent 21a7315717
commit ac1983a5da
85 changed files with 1382 additions and 1138 deletions


@ -7,7 +7,7 @@
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
@ -21,7 +21,7 @@
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
@ -29,18 +29,18 @@
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
# and a host or net address.
#
# DESTINATION - Packet Destination
#
@ -49,14 +49,15 @@
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p"
# is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
# or 17).
#
# SOURCE PORT Source Port number
#
@ -69,7 +70,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -81,17 +82,17 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
# +upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,21 +1,24 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Drop
# Shorewall version 2.6 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
@ -27,10 +30,10 @@ dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
@ -41,9 +44,10 @@ DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,33 +1,37 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Reject
# Shorewall version 2.6 - Reject Action
#
# /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
#
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
@ -38,9 +42,10 @@ DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,7 +1,9 @@
#
# Shorewall 2.6 /etc/shorewall/action.template
# Shorewall version 2.6 - Template Action
#
# This file is a template for files with names of the form
# /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions.
#
@ -20,20 +22,21 @@
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
# /etc/shorewall/actions.
# The <action> must appear in that
# file BEFORE the one being defined
# in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
@ -58,7 +61,7 @@
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies.
# SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
@ -72,21 +75,21 @@
# kernel and iptables must have
# iprange match support.
#
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# iptables must have set match
# support
#
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
@ -95,14 +98,15 @@
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of destination host. Same as above with the exception that
# MAC addresses are not allowed and that you cannot specify
# an ipset name in both the SOURCE and DEST columns.
# DEST Location of destination host. Same as above with
# the exception that MAC addresses are not allowed and
# that you cannot specify an ipset name in both the
# SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
@ -139,12 +143,12 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
@ -157,7 +161,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -169,11 +173,11 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
# +upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
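Review bot: The rewritten column header on the last two lines of this hunk introduces an ORIGINAL DEST column between SOURCE PORT(S) and RATE LIMIT, but no hunk in this file section adds a description of it, and the unchanged stretch between the DEST PORT(S) paragraph and the RATE LIMIT paragraph is the same length on both sides, so the column appears to be undocumented unless it was already described there. The template documents every other column, so add a short paragraph in the same style stating what ORIGINAL DEST matches (the pre-DNAT destination, presumably, to be confirmed against the rules-file documentation) and when it may be left as "-". Because the new column sits in the middle of the row, any existing action.<name> file that placed RATE LIMIT or USER/GROUP by position would now be read differently if the parser's column order changed in the same commit; that parser change is not visible here, so a note in the header comment warning existing users would be worthwhile.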


@ -1,7 +1,9 @@
#
# Shorewall 2.6 /etc/shorewall/actions
# Shorewall version 2.6 - Actions File
#
# This file allows you to define new ACTIONS for use in rules
# /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in
# /etc/shorewall/action.<action-name>.
@ -24,9 +26,8 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
# Please see http://shorewall.net/Actions.html for additional information.
#
###############################################################################
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,27 +1,28 @@
#
# Shorewall 2.6 /usr/share/shorewall/actions.std
# Shorewall version 2.6 - Actions.std File
#
# /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# allowoutUPnP # Allow traffic from local command 'upnpd'
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
#
###############################################################################
#ACTION
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
Drop:DROP # Common Action for DROP policy
Reject:REJECT # Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,21 +1,22 @@
#
# Shorewall 2.6 -- Blacklist File
# Shorewall version 2.6 - Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# This file contains a list of IP addresses, MAC addresses and/or
# subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange
# match support) or ipset name prefaced by "+" (if
# match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match).
#
# MAC addresses must be prefixed with "~" and use "-"
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
@ -24,33 +25,32 @@
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is
# checked against this file and disposed of according to the
# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
# Example:
#
# To block DNS queries from address 192.0.2.126:
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example:
# Example:
#
# To block DNS queries from addresses in the ipset 'dnsblack':
# To block DNS queries from addresses in the ipset 'dnsblack':
#
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall version 2.6 - Default Config Path
# Shorewall version 2.6 - Default Config Path
#
# /usr/share/shorewall/configpath
#


@ -1,8 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
# Shorewall version 2.6 - Continue File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -10,7 +10,7 @@ startup=0
#
# Example:
# wait_interface="ppp0"
# or
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=


@ -1,11 +1,13 @@
#
# Shorewall 2.6 - /etc/shorewall/ecn
# Shorewall version 2.6 - Ecn File
#
# /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
@ -17,6 +19,7 @@
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#
###############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE



@ -128,7 +128,7 @@ ensure_config_path() {
. $F
fi
}
#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
@ -245,7 +245,7 @@ loadmodule() # $1 = module name, $2 - * arguments
local suffix
moduleloader=modprobe
if ! qt mywhich modprobe; then
if ! qt mywhich modprobe; then
moduleloader=insmod
fi
@ -278,7 +278,7 @@ reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do
while read command; do
eval $command
done
@ -398,8 +398,8 @@ mktempfile() {
#
mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp
[ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in
STD)
mktemp -td shorewall.XXXXXX
@ -483,7 +483,7 @@ decodeaddr() {
local x
local temp=0
local ifs=$IFS
IFS=.
for x in $1; do
@ -517,7 +517,7 @@ encodeaddr() {
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
@ -571,7 +571,7 @@ ip_range() {
ip_range_explicit() {
local first last
case $1 in
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
@ -700,7 +700,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
local pattern=${1%+}
case $1 in
*+)
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
@ -721,7 +721,7 @@ find_device() {
shift
done
}
#
# Find the value 'via' in the passed arguments then echo the next value
#
@ -732,7 +732,7 @@ find_gateway() {
shift
done
}
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
@ -744,7 +744,7 @@ find_peer() {
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
@ -768,12 +768,12 @@ find_rt_interface() {
}
#
# Try to find the gateway through an interface looking for 'nexthop'
# Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface
{
echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
}
}
#
# Find the default route's interface


@ -51,11 +51,11 @@ add)
;;
address|host)
echo "<$1>:
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address>
are also permitted. If your kernel and iptables contain ipset match support
are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by "+". The name of the
ipsec may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed"
@ -141,7 +141,7 @@ dump)
shorewall [-x] dump
Produce a verbose report about the firewall for problem analysis.
(iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
@ -215,22 +215,22 @@ restart)
safe-restart)
echo "safe-restart: safe-restart
Restart the same way as a shorewall restart except that previous firewall
Restart the same way as a shorewall restart except that previous firewall
configuration is backed up and will be restored if you notice any anomalies
or you are not able to reach the firewall any more."
;;
safe-start)
echo "safe-start: safe-start
Start the same way as a shorewall start except that in case of anomalies
Start the same way as a shorewall start except that in case of anomalies
shorewall clear is issued. "
;;
restore)
echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.
@ -239,7 +239,7 @@ restore)
save)
echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
@ -305,8 +305,8 @@ status)
Displays the Shorewall status (running/not-running).
Also displays the Shorewall state as shown in the state diagram at
http://www.shorewall.net/starting_and_stopping_shorewall. The time and
date when that state was reached is also displayed."
http://www.shorewall.net/starting_and_stopping_shorewall. The time and
date when that state was reached is also displayed."
;;
trace)


@ -1,5 +1,7 @@
#
# Shorewall 2.6 - /etc/shorewall/hosts
# Shorewall version 2.6 - Hosts file
#
# /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -17,7 +19,7 @@
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
@ -37,7 +39,8 @@
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
# See http://www.shorewall.net/Bridge.html
# for details.
# e) The name of an ipset (preceded by "+").
#
# Examples:
@ -60,19 +63,20 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# routeback - Shorewall should set up the
# infrastructure to pass packets
# from this/these address(es) back
# to themselves. This is necessary if
# hosts in this group use the services
# of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
@ -100,7 +104,7 @@
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
@ -110,24 +114,26 @@
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/zones file then you do NOT
# need to specify the 'ipsec' option here.
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
# Shorewall version 2.4 - Init File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
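Review bot: The new header line `# Shorewall version 2.4 - Init File` carries the wrong version: the header it replaces said 2.6, and the sibling extension-script templates rewritten in this same commit (continue, initdone) say "Shorewall version 2.6". It should read `# Shorewall version 2.6 - Init File` so that the installed templates agree with each other and with the release they ship in.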


@ -9,7 +9,7 @@ OPTIONS="-f"
test -x $SRWL || exit 0
test -n $INITLOG || {
echo "INITLOG cannot be empty, please configure $0" ;
echo "INITLOG cannot be empty, please configure $0" ;
exit 1;
}
@ -21,9 +21,9 @@ fi
echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then
if [ "$INITLOG" = "/dev/null" ] ; then
"not done."
else
else
"not done (check $INITLOG)."
fi
@ -62,7 +62,7 @@ else
not_configured
fi
# wait an unconfigured interface
# wait an unconfigured interface
wait_for_pppd () {
if [ "$wait_interface" != "" ]
then


@ -1,9 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
# Shorewall version 2.6 - Initdone File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall 2.6 -- Interfaces File
# Shorewall version 2.6 - Interfaces File
#
# /etc/shorewall/interfaces
#
@ -25,7 +25,7 @@
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
@ -49,14 +49,14 @@
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
@ -71,7 +71,7 @@
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
@ -112,30 +112,31 @@
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
@ -143,39 +144,39 @@
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
@ -190,18 +191,18 @@
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# GATEWAY This column is only meaningful if the 'default' OPTION
# is given -- it is ignored otherwise. You may specify
# is given -- it is ignored otherwise. You may specify
# the default gateway IP address for this interface here
# and Shorewall will use that IP address rather than any
# that it finds in the main routing table.
@ -231,9 +232,9 @@
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,7 +1,7 @@
#
# The /etc/shorewall/ipsec file is obsolete -- the information
# The /etc/shorewall/ipsec file is obsolete -- the information
# previously contained in this file is now placed in the
# /etc/shorewall/zones file.
#
# See the IPSECFILE option in shorewall.conf for further information.
#


@ -54,7 +54,7 @@ NETWORKS="192.168.1.0/24"
#
CERTS=/etc/certs
#
# Certificate to be used for this connection. The cert
# Certificate to be used for this connection. The cert
# directory must contain:
#
# ${CERT}.pem - the certificate
@ -180,14 +180,14 @@ make_racoon_conf() {
#
# Make a setkey configuration file using the variables above
#
make_setkey_conf()
make_setkey_conf()
{
echo "flush;"
echo "spdflush;"
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
for network in $NETWORKS; do
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
@ -197,7 +197,7 @@ make_setkey_conf()
#
# Start the Tunnel
#
start()
start()
{
#
# Get the first IP address configured on the device in INTERFACE
@ -242,7 +242,7 @@ start()
#
# Stop the Tunnel
#
stop()
stop()
{
#
# Kill any racoon daemons
@ -257,7 +257,7 @@ stop()
#
# Display command syntax and abend
#
usage()
usage()
{
error_message "usage: $(basename $0) [start|stop|restart]"
exit 1
@ -286,7 +286,7 @@ case $1 in
esac


@ -1,13 +1,13 @@
#
# Shorewall 2.6 - MAC list file
# Shorewall version 2.6 - Maclist file
#
# /etc/shorewall/maclist
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
@ -21,11 +21,11 @@
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
###############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
# Shorewall version 2.6 - AllowICMPs Macro
#
# /usr/share/shorewall/macro.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Amanda
# Shorewall version 2.6 - Amanda Macro
#
# /usr/share/shorewall/macro.Amanda
#
# This macro handles connections to the AMANDA backup system.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - udp 10080
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 10080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Auth
# Shorewall version 2.6 - Auth Macro
#
# /usr/share/shorewall/macro.Auth
#
# This macro handles Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 113
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.BitTorrent
# Shorewall version 2.6 - BitTorrent Macro
#
# /usr/share/shorewall/macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 6881:6889
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6881:6889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.CVS
# Shorewall version 2.6 - CVS Macro
#
# /usr/share/shorewall/macro.CVS
#
# This macro handles connections to the CVS pserver.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 2401
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DNS
# Shorewall version 2.6 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
#
# This macro handles DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.Distcc
# Shorewall version 2.6 - Distoc Macro
#
# /usr/share/shorewall/macro.Distcc
#
# This macro handles connections to the Distributed Compiler
# service.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3632
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
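Review bot: The new header line `# Shorewall version 2.6 - Distoc Macro` misspells the macro name; the file is macro.Distcc, so it should read `# Shorewall version 2.6 - Distcc Macro`. The same header line is also inconsistent in three other sections of this commit: the NNTP macro (`# Shorewall version 2.6 NNTP Macro`, missing the dash), the Trcrt macro (`# Shorewall version 2.6 -Trcrt Macro`) and the VNCL macro (`# Shorewall version 2.6 -VNCL Macro`), which drop the space after the dash that every other macro header in the commit uses. Since the point of the cleanup is a uniform first line across files, those four should match the `# Shorewall version 2.6 - <Name> Macro` form.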


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
# Shorewall version 2.6 - DropDNSrep Macro
#
# /usr/share/shorewall/macro.DropDNSrep
#
# This macro silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
# Shorewall version 2.6 - DropUPnP Macro
#
# /usr/share/shorewall/macro.DropUPnP
#
# This macro silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,31 +1,35 @@
#
# Shorewall macro.Edonkey
# Shorewall version 2.6 - Edonkey Macro
#
# /usr/share/shorewall/macro.Edonkey
#
# This macro handles Edonkey traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665.
#
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
# 4661 TCP (outgoing)
# Port, on which a server listens for connection (defined by server).
#4665 UDP (outgoing)
# used for global server searches and global source queries. This is
#always Server TCP port (in this case 4661) + 4.
#4662 TCP (outgoing and incoming)
# Client to client transfers.
#4672 UDP (outgoing and incoming)
# Extended eMule protocol, Queue Rating, File Reask Ping
#4711 TCP
# WebServer listening port.
#4712 TCP
# External Connection port. Used to communicate aMule with other
#applications such as aMule WebServer or aMuleCMD.
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
#
# 4661 TCP (outgoing) Port, on which a server listens for connection
# (defined by server).
#
# 4665 UDP (outgoing) used for global server searches and global source
# queries. This is always Server TCP port (in this case 4661) + 4.
#
# 4662 TCP (outgoing and incoming) Client to client transfers.
#
# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
# Rating, File Reask Ping
#
# 4711 TCP WebServer listening port.
#
# 4712 TCP External Connection port. Used to communicate aMule with other
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.FTP
# Shorewall version 2.6 - FTP Macro
#
# /usr/share/shorewall/macro.FTP
#
# This macro handles FTP traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 21
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.Gnutella
# Shorewall version 2.6 - Gnutella Macro
#
# /usr/share/shorewall/macro.Gnutella
#
# This macro handles gnutella traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.ICQ
# Shorewall version 2.6 - ICQ Macro
#
# /usr/share/shorewall/macro.ICQ
#
# This macro handles ICQ traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 5190
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
# Shorewall version 2.6 - IMAP Macro
#
# /usr/share/shorewall/macro.IMAP
#
# This macro handles IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 143 #Unsecure IMAP
PARAM - - tcp 993 #Secure IMAP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 143 # Unsecure IMAP
PARAM - - tcp 993 # Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.LDAP
# Shorewall version 2.6 - LDAP Macro
#
# /usr/share/shorewall/macro.LDAP
#
# This macro handles LDAP traffic (secure and insecure)
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 389
PARAM - - tcp 636
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 389
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.MySQL
# Shorewall version 2.6 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
# This action macro.handles connections to the MySQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3306
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
# Shorewall version 2.6 NNTP Macro
#
# /usr/share/shorewall/macro.NNTP
#
# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NTP
# Shorewall version 2.6 - NTP Macro
#
# /usr/share/shorewall/macro.NTP
#
# This macro handles NTP traffic (ntpd).
# For broadcast NTP traffic, use NTPbrd Macro.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
PARAM - - udp 123
PARAM - - udp 1024: 123
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
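Review bot: Removing `PARAM - - udp 1024: 123` from macro.NTP changes what every existing configuration that invokes the NTP macro accepts, but the new header only points at NTPbrd for broadcast traffic and does not say that a rule was taken out of this file. An administrator upgrading who relied on the old second rule will lose it with no hint in the file itself. I would add, after the line that mentions NTPbrd, `# The previous version of this macro also accepted udp 1024: from source port 123; that rule now lives in the NTPbrd macro.`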

18
Shorewall/macro.NTPbrd Normal file

@ -0,0 +1,18 @@
#
# Shorewall version 2.6 - NTPbrd Macro
#
# /usr/share/shorewall/macro.NTPbrd
#
# This macro handles NTP traffic (ntpd) including replies to Broadcast
# NTP traffic.
#
# It is recommended only to use this where the source host is trusted -
# otherwise it opens up a large hole in your firewall because
# Netfilter doesn't track connections for broadcast traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
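Review bot: The second rule `PARAM - - udp 1024: 123` matches on source port alone, so it admits any UDP datagram from the macro's SOURCE to every destination port from 1024 upward, not only replies to NTP broadcasts; the header's trusted-source recommendation rests on exactly this, but it does not say so. Because the sender picks its own source port, the rule amounts to a blanket high-port allow for whatever SOURCE covers, which is wider than "replies to Broadcast NTP traffic" suggests. I would state that directly above the rule, e.g. `# The second rule matches only on source port 123 and so admits any UDP from SOURCE to ports 1024 and above, not just NTP replies.`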


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.PCA
# Shorewall version 2.6 - PCA Macro
#
# /usr/share/shorewall/macro.PCA
#
# This macro handles PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.POP3
# Shorewall version 2.6 - POP3 Macro
#
# /usr/share/shorewall/macro.POP3
#
# This macro handles POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
PARAM - - tcp 110 #Unsecure POP3
PARAM - - tcp 995 #Secure POP3
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 110 # Unsecure POP3
PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Ping
# Shorewall version 2.6 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
#
# This macro handles 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - icmp 8
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.PostgreSQL
# Shorewall version 2.6 - PostgreSQL Macro
#
# /usr/share/shorewall/macro.PostgreSQL
#
# This macro handles connections to the PostgreSQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 5432
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
# Shorewall version 2.6 - Rdate Macro
#
# /usr/share/shorewall/macro.Rdate
#
# This macro handles remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 37
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Rsync
# Shorewall version 2.6 - Rsync Macro
#
# /usr/share/shorewall/macro.Rsync
#
# This macro handles connections to the rsync server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 873
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,14 +1,16 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMB
# Shorewall version 2.6 - SMB Macro
#
# /usr/share/shorewall/macro.SMB
#
# Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.SMBswat
# Shorewall version 2.6 - SMBswat Macro
#
# /usr/share/shorewall/macro.SMBswat
#
# This macro handles connections to the Samba Web Administration
# Tool (SWAT).
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 901
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
# Shorewall version 2.6 - SMTP Macro
#
# /usr/share/shorewall/macro.SMTP
#
# This macro handles SMTP (email) traffic.
#
@ -8,8 +10,8 @@
# reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 25
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
# Shorewall version 2.6 - SNMP Macro
#
# /usr/share/shorewall/macro.SNMP
#
# This macro accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.SPAMD
# Shorewall version 2.6 - SPAMD Macro
#
# /usr/share/shorewall/macro.SPAMD
#
# This macro handles Spam Assassin SPAMD traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 783
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SSH
# Shorewall version 2.6 - SSH Macro
#
# /usr/share/shorewall/macro.SSH
#
# This macro handles secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 22
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.SVN
# Shorewall version 2.6 - SVN Macro
#
# This macro handles connections to the Subversion server.
# /usr/share/shorewall/macro.SVN
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3690
# This macro handles connections to the Subversion (SVN) server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,12 @@
#
# Shorewall version 2.6 - Submission Macro
#
# /usr/share/shorewall/macro.Submission
#
# This macro handles mail message submission traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 587
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Syslog
# Shorewall version 2.6 - Syslog Macro
#
# /usr/share/shorewall/macro.Syslog
#
# This macro handles syslog UDP traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - udp 514
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
# Shorewall version 2.6 - Telnet Macro
#
# /usr/share/shorewall/macro.Telnet
#
# This macro handles Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 23
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
# Shorewall version 2.6 -Trcrt Macro
#
# /usr/share/shorewall/macro.Trcrt
#
# This macro handles Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 33434:33524 #UDP Traceroute
PARAM - - icmp 8 #ICMP Traceroute
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 33434:33524 # UDP Traceroute
PARAM - - icmp 8 # ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
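Review bot: The second rule line, `PARAM - - icmp 8`, is ICMP echo request, so invoking Trcrt/ACCEPT for a zone also admits ordinary ping from that zone, which neither the header ("handles Traceroute") nor the trailing remark says. Extending the trailing comment to `# ICMP traceroute (Windows tracert) = echo request; this also permits plain ping` would make that visible to anyone using the macro as a narrow allow. The UDP range 33434:33524 spans 91 ports, one more than 30 hops x 3 probes if that is how the "up to 30 hops" figure was derived; harmless, but worth a word if intentional.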


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNC
# Shorewall version 2.6 - VNC Macro
#
# /usr/share/shorewall/macro.VNC
#
# This macro handles VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5900:5909
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
# Shorewall version 2.6 -VNCL Macro
#
# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
# /usr/share/shorewall/macro.VNCL
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5500
# This macro handles VNC traffic from Vncservers to Vncviewers in listen
# mode.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Web
# Shorewall version 2.6 - Web Macro
#
# /usr/share/shorewall/macro.Web
#
# This macro handles WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,21 +1,24 @@
#
# Shorewall version 2.6 - Macro Template File
# Shorewall version 2.6 - Template Macro
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to template files with the following exceptions:
#
# - A macro file is not processed unless the marcro that it defines is referenced in the
# /etc/shorewall/rules file or in an action definition file.
# - A macro file is not processed unless the marcro that it defines is
# referenced in the /etc/shorewall/rules file or in an action
# definition file.
#
# - Macros are translated directly into one or more rules whereas actions become their own
# chain.
# - Macros are translated directly into one or more rules whereas
# actions become their own chain.
#
# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
# - All entries in a macro undergo substitution when the macro is
# invoked in the rules file.
#
# - Macros may not invoke other macros.
#
# The columns in a macro definition are the same as those in the action.template file.
# The columns in a macro definition are the same as those in the
# action.template file.
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
@ -26,44 +29,52 @@
#
# /etc/shorewall/rules:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# FwdFTP net loc:192.168.1.5
#
# The result is equivalent to:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.5 tcp 21
#
# The substitution rules are as follows:
#
# ACTION column If in the invocation of the macro, the macro name is followed by
# slash ("/") and a second name, the second name is substituted for
# each entry in the macro whose ACTION is PARAM
# ACTION column If in the invocation of the macro, the macro
# name is followed by slash ("/") and a second
# name, the second name is substituted for each
# entry in the macro whose ACTION is PARAM
#
# For example, if macro FOO is invoked as FOO/ACCEPT then when
# expanding macro.FOO, Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column contains PARAM. PARAM may
# be optionally followed by a colon and a log level.
#
# Any logging specified when the macro is invoked is applied to each
# entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the value in the rules
# columns file is used. If the column in the macro is non-empty then any
# value in the rules file is appended with a ":" separator.
#
# Example: Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
# For example, if macro FOO is invoked as
# FOO/ACCEPT then when expanding macro.FOO,
# Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column
# contains PARAM. PARAM may be optionally
# followed by a colon and a log level.
#
# Remaining Any value in the rules file REPLACES the value given in the macro
# columns file.
# Any logging specified when the macro is
# invoked is applied to each entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the
# columns value in the rules file is used. If the column
# in the macro is non-empty then any value in
# the rules file is appended with a ":"
# separator.
#
#
# Example: ###############################################
# #ACTION SOURCE DEST PROTO DEST
# # PORT
# Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
# Remaining Any value in the rules file REPLACES the value
# columns given in the macro file.
#
#
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
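Review bot: The rewrapped first bullet still carries the typo `marcro` (`unless the marcro that it defines is referenced`); since this commit rewrites that exact line, fix it to `macro` here. The substitution rules also leave an important asymmetry implicit: SOURCE/DEST values given in the macro are appended to with ":" and therefore cannot be overridden at invocation, whereas the remaining columns are REPLACED by the rules-file value. A sentence after the SOURCE and DEST paragraph such as `A SOURCE or DEST given in the macro is always a prefix and cannot be replaced from the rules file; only narrowed.` would stop users from expecting the REPLACE semantics when they try to widen a macro.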


@ -1,10 +1,10 @@
#
# Shorewall 2.6 - Masquerade file
# Shorewall version 2.6 - Masq file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# Columns are:
#
@ -12,13 +12,13 @@
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
@ -35,7 +35,7 @@
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
@ -53,7 +53,7 @@
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
@ -74,11 +74,11 @@
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
@ -86,29 +86,32 @@
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
@ -117,31 +120,32 @@
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the SPI of
# the SA.
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
@ -149,13 +153,13 @@
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be used
# with strict..
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
@ -179,13 +183,13 @@
#
# eth0 192.168.1.0/24
#
# Example 3:
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
@ -199,8 +203,8 @@
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
@ -212,5 +216,5 @@
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
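Review bot: Example 3 in the new text, `ipsec0:10.1.1.0/24 196.168.1.0/24`, still uses 196.168.1.0/24 although the sentence above it says the packets come from 192.168.1.0/24; 196.168.0.0/16 is not RFC 1918 space, so anyone copying the example would SNAT the wrong network and leave their real LAN unmasqueraded. The same slip appears in the context line `it came from 192.168.1.4 or 196.168.32.0/27`. As the commit rewrites these lines anyway, change both to `192.168.1.0/24` and `192.168.32.0/27`.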


@ -1,27 +1,31 @@
##############################################################################
# Shorewall 2.6 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
# Shorewall version 2.6 - Modules File
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
# /etc/shorewall/modules
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# For additional information, see
# http://shorewall.net/Documentation.htm#modules
#
###############################################################################
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
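Review bot: The reordered list still loads the ftp, tftp and irc conntrack/NAT helpers and all four ip_set modules unconditionally, and the new header explains the load order but not the cost of loading helpers that are not needed. Connection-tracking helpers parse protocol payloads and, presumably, create RELATED expectations for any traffic they recognise, so each unused helper is extra attack surface on the firewall itself. A header line such as `# The ip_conntrack_*/ip_nat_* helpers inspect payloads and open RELATED pinholes; comment out the ones you do not need` would make the trade-off explicit. If a missing module aborts startup rather than being tolerated, say that too, since it determines whether users can safely trim this list.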


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Address Translation Table
# Shorewall version 2.6 - Nat File
#
# /etc/shorewall/nat
#
@ -8,17 +7,17 @@
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
# Columns are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
@ -31,17 +30,17 @@
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
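Review bot: Two wording slips survive the rewrap in the header text: `Proxy ARP is a better solution that one-to-one NAT` should read `than`, and `Interface that you want to EXTERNAL address to appear on` should read `the EXTERNAL address`. The ALL INTERFACES description says the NAT "will be effective from all hosts" but not the consequence; if that means the INTERNAL host becomes reachable via EXTERNAL from every interface (presumably still subject to rules and policy), a short `(i.e. the mapping applies to traffic arriving on every interface, not only INTERFACE)` would make the exposure clear.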


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Mapping Table
# Shorewall version 2.6 - Netmap File
#
# /etc/shorewall/netmap
#
@ -10,9 +9,9 @@
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
# Columns are:
#
# TYPE Must be DNAT or SNAT.
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
@ -32,7 +31,6 @@
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
###############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,25 +1,27 @@
#
# Shorewall 2.6 /etc/shorewall/params
# Shorewall version 2.4 - Params File
#
# Assign any variables that you need here.
# /etc/shorewall/params
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
# Assign any variables that you need here.
#
# Example:
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
# Example:
#
# Example (/etc/shorewall/interfaces record):
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
# Example (/etc/shorewall/interfaces record):
#
# The result will be the same as if the record had been written
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# net eth0 130.252.100.255 routefilter,norfc1918
# The result will be the same as if the record had been written
#
##############################################################################
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
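Review bot: The new title line reads `Shorewall version 2.4 - Params File` while every other file in this commit was changed to `version 2.6`; this is a regression introduced by the rewrap, make it `Shorewall version 2.6 - Params File`. The header also never states how the file is consumed: the `$NET_IF` substitution and the warning about clashing with "variables used internally within the Shorewall programs" suggest it is sourced by the shell at start time, in which case any command placed here runs as root and the file's ownership and permissions matter. If that is the mechanism, add `# This file is sourced by the shell: keep it root-owned and not group/world writable, and put nothing here but variable assignments`.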


@ -1,9 +1,9 @@
#
# Shorewall 2.6 -- Policy File
# Shorewall version 2.6 - Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
@ -23,39 +23,43 @@
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is inforced.
#
# The policy determined the default treatment of new
# connection requests and may optionally be followed by ":"
# and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an established
# connection. The choices are ACCEPT (the default) and QUEUE
# (to queue the packet to a user-space filter like Snort Inline).
# The policy determined the default treatment of new
# connection requests and may optionally be followed by
# ":" and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an
# established connection. The choices are ACCEPT (the
# default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline).
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
@ -90,9 +94,10 @@
# #
# # THE FOLLOWING POLICY MUST BE LAST
# #
# all all REJECT info
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
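Review bot: The rewrapped POLICY text still spells `inforced` (`before the policy named in this column is inforced`); fix to `enforced` while the line is being touched. The NONE description ends with "the result is undefined", which is the one thing an administrator most needs to be warned about when using it; if stray packets in practice fall through to another chain or are dropped, state that, otherwise at least add `(do not rely on NONE as a filtering control; use DROP or REJECT for traffic you want blocked)`.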


@ -1,21 +1,20 @@
##############################################################################
#
# Shorewall 2.6 -- Internet Service Providers
# Shorewall version 2.6 - Providers File
#
# /etc/shorewall/providers
#
# This file is used to define additional routing tables. You will
# This file is used to define additional routing tables. You will
# want to define an additional table if:
#
# - You have connections to more than one ISP or multiple connections
# to the same ISP
#
# - You run Squid as a transparent proxy on a host other than the
# - You run Squid as a transparent proxy on a host other than the
# firewall.
#
# To omit a column, enter "-".
#
# Columns must be separated by white space and are:
# Columns are:
#
# NAME The provider name.
#
@ -47,14 +46,14 @@
# balance The providers that have 'default' specified will
# get outbound traffic load-balanced among them. By
# default, all interfaces with 'balance' specified
# will have the same weight (1). You can change the
# will have the same weight (1). You can change the
# weight of an interface by specifiying balance=<weight>
# where <weight> is the weight of the route out of
# this interface.
#
# loose Normally, Shorewall adds routing rules to prohibit
# firewall marks from working with traffic generated
# on the firewall itself. By setting the 'loose'
# on the firewall itself. By setting the 'loose'
# option, generation of these rules is avoided.
#
# COPY A comma-separated lists of other interfaces on your
@ -68,7 +67,7 @@
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
# Squid 1 1 - eth2 192.168.2.99 -
#
# Example:
# Example:
#
# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and
# the ISP's gateway router has IP address 206.124.146.254.
@ -76,11 +75,13 @@
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
# ISP's gateway router has IP address 130.252.99.254.
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
#
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
##############################################################################################
# For additional information, see
# http://shorewall.net/Shorewall_and_Routing.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
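Review bot: The separator line above `#NAME NUMBER MARK ...` was left at 92 columns while the other files in this commit were normalized to the 79-column `###...` line; trim it to match if the wide column header does not need it. The 'loose' option text says Shorewall normally adds rules "to prohibit firewall marks from working with traffic generated on the firewall itself" but not what is lost by disabling them; if `loose` lets locally generated packets be routed by mark, a clause such as `(with loose, the firewall's own traffic can also be steered by marks; check that this is what you want)` would help.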


@ -1,12 +1,11 @@
##############################################################################
#
# Shorewall 2.6 -- Proxy ARP
# Shorewall version 2.6 - Proxyarp File
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
# Columns are:
#
# ADDRESS IP Address
#
@ -41,6 +40,7 @@
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -29,7 +29,7 @@ Migration Considerations:
1) The "monitor" command has been eliminated.
2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones
file have been removed and have been replaced by the former
file have been removed and have been replaced by the former
columns of the /etc/shorewall/ipsec file. The latter file has been
removed.
@ -46,7 +46,7 @@ Migration Considerations:
The shorewall.conf file included in this release sets
IPSECFILE=zones so that new users are expected to use the new zone
file format.
file format.
As a result, the columns in the /etc/shorewall/zones file
are now as follows:
@ -80,7 +80,7 @@ Migration Considerations:
proto=ah|esp|ipcomp
mss=<number> (sets the MSS field in TCP
packets)
packets)
mode=transport|tunnel
@ -124,7 +124,7 @@ Migration Considerations:
5) Most of the standard actions have been replaced by parameterized
macros (see below). So for example, the action.AllowSMTP and
action.DropSMTP have been removed an a parameterized macro
macro.SMTP has been added to replace them.
macro.SMTP has been added to replace them.
In order that current users don't have to immediately update their
rules and user-defined actions, Shorewall can substitute an
@ -232,7 +232,7 @@ New Features in Shorewall 2.5.0
the macro. The first three columns get special treatment:
TARGET If you code PARAM as the target in a macro then
when you invoke the macro, you can include the
when you invoke the macro, you can include the
name of the macro followed by a slash ("/") and
an ACTION (either builtin or user-defined. All
instances of PARAM in the body of the macro will be
@ -241,11 +241,11 @@ New Features in Shorewall 2.5.0
Any logging applied when the action is invoked is
applied following the same rules as for actions.
SOURCE and
SOURCE and
DEST If the rule in the macro file specifies a value and
the invocation of the rule also specifies a value then
the value in the invocation is appended to the value
in the rule using ":" as a separator.
in the rule using ":" as a separator.
Example:
@ -298,5 +298,5 @@ New Features in Shorewall 2.5.0
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP.


@ -1,43 +1,45 @@
#
# Shorewall 2.6 -- RFC1918 File
# Shorewall version 2.6 - Rfc1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
# Lists the subnetworks that are blocked by the 'norfc1918' interface
# option.
#
# The default list includes those IP addresses listed in RFC 1918.
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNETS A comma-separated list of subnet addresses
# SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# have iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
# By default, the RETURN target causes 'norfc1918' processing to cease for a
# packet if the packet's source IP address matches the rule. Thus, if you have:
# By default, the RETURN target causes 'norfc1918' processing to cease
# for a packet if the packet's source IP address matches the rule. Thus,
# if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
# you also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
# logged and dropped since while the packet's source matches the RETURN rule,
# the packet's destination matches the 'logdrop' rule.
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
# to be logged and dropped since while the packet's source matches the
# RETURN rule, the packet's destination matches the 'logdrop' rule.
#
################################################################################
###############################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
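Review bot: The new path line `# /etc/shorewall/rfc1918` contradicts the warning a few lines below, `DO NOT MODIFY THIS FILE ... COPY THE FILE TO /etc/shorewall AND MODIFY THE COPY`, which only makes sense if the shipped file lives elsewhere (presumably /usr/share/shorewall/rfc1918, like the macro files in this commit); use the real shipped path or reword the warning. The RETURN paragraph is security-relevant and could be blunter: a RETURN entry is a source-only exemption that, unless RFC1918_STRICT=Yes, also lets that source reach every other listed private range, so consider adding `# Set RFC1918_STRICT=Yes in shorewall.conf unless you rely on the source-only RETURN behaviour`. The 10.0.0.0/8 entry falls outside this hunk, so its target was not checked.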


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
# Shorewall version 2.6 - Routestopped File
#
# /etc/shorewall/routestopped
#
@ -8,7 +7,7 @@
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
@ -19,7 +18,7 @@
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
@ -27,15 +26,15 @@
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
@ -53,8 +52,9 @@
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -5,9 +5,9 @@
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -15,40 +15,40 @@
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
#------------------------------------------------------------------------------
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
@ -69,12 +69,12 @@
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# The ACTION may optionally be followed
@ -90,7 +90,7 @@
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
@ -104,24 +104,24 @@
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT
# or REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
@ -134,11 +134,12 @@
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of source bindings to be matched.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
@ -148,8 +149,8 @@
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
@ -167,11 +168,11 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
@ -194,13 +195,13 @@
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an
# ipset name.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
@ -220,7 +221,7 @@
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
@ -246,8 +247,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -257,43 +258,43 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# if included and different from the IP
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
@ -306,7 +307,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -318,54 +319,54 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -101,11 +101,11 @@
# a list of network/host addresses.
#
# shorewall safe-start Starts the firewall and promtp for a c
# confirmation to accept or reject the new
# confirmation to accept or reject the new
# configuration
#
# shorewall safe-restart Restarts the firewall and prompt for a
# confirmation to accept or reject the new
# shorewall safe-restart Restarts the firewall and prompt for a
# confirmation to accept or reject the new
# configuration
#
# Fatal Error
@ -175,7 +175,7 @@ validate_restorefile() # $* = label
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2
;;
esac
esac
}
#
@ -418,12 +418,12 @@ save_config() {
echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets
@ -446,7 +446,7 @@ save_config() {
echo "ipset -R << __EOF__" >> $f
ipset -S >> $f
echo "__EOF__" >> $f
mv -f $f $RESTOREPATH
mv -f $f $RESTOREPATH
chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH"
;;
@ -472,7 +472,7 @@ save_config() {
else
echo "Shorewall isn't started"
fi
[ "$nolock" ] || mutex_off
}
#
@ -483,7 +483,7 @@ help()
[ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP"
}
#
# Give Usage Information
#
@ -518,7 +518,7 @@ usage() # $1 = exit status
echo " version"
echo " safe-start"
echo " safe-restart"
echo
echo
exit $1
}
@ -534,12 +534,12 @@ show_reset() {
#
# Display's the passed file name followed by "=" and the file's contents.
#
show_proc() # $1 = name of a file
show_proc() # $1 = name of a file
{
[ -f $1 ] && echo " $1 = $(cat $1)"
}
read_yesno_with_timeout() {
read_yesno_with_timeout() {
read -t 60 yn 2> /dev/null
if [ $? -eq 2 ]
then
@ -593,7 +593,7 @@ while [ $done -eq 0 ]; do
option=${option#-}
[ -z "$option" ] && usage 1
while [ -n "$option" ]; do
case $option in
c)
@ -755,7 +755,7 @@ case "$1" in
fi
if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then
@ -893,7 +893,7 @@ case "$1" in
;;
*)
shift
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo
show_reset
@ -931,7 +931,7 @@ case "$1" in
fi
echo "State:$state"
echo
exit $status
exit $status
;;
dump)
[ -n "$debugging" ] && set -x
@ -990,7 +990,7 @@ case "$1" in
ip rule ls
ip rule ls | while read rule; do
echo ${rule##* }
done | sort -u | while read table; do
done | sort -u | while read table; do
echo
echo "Table $table:"
echo
@ -1226,7 +1226,7 @@ case "$1" in
[ -n "$nolock" ] || mutex_on
if [ -x $RESTOREPATH ]; then
if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets...
iptables -F
@ -1243,7 +1243,7 @@ case "$1" in
exit 2
fi
;;
call)
call)
[ -n "$debugging" ] && set -x
#
# Undocumented way to call functions in /usr/share/shorewall/functions directly
@ -1257,7 +1257,7 @@ case "$1" in
help $@
;;
safe-restart|safe-start)
# test is the shell supports timed read
# test is the shell supports timed read
read -t 0 junk 2> /dev/null
if [ $? -eq 2 -a ! -x /bin/bash ]
then
@ -1314,10 +1314,10 @@ case "$1" in
then
$0 nolock $debugging restore "safe-start-restart"
rm /var/lib/shorewall/safe-start-restart
else
else
$0 nolock $debugging clear
fi
mutex_off
echo "New configuration has been rejected and the old one restored"
exit 2


@ -1,4 +1,4 @@
##############################################################################
###############################################################################
# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
# match your setup
#
@ -7,17 +7,19 @@
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
#
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
#
STARTUP_ENABLED=No
##############################################################################
# L O G G I N G
##############################################################################
###############################################################################
# L O G G I N G
###############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
@ -26,7 +28,7 @@ STARTUP_ENABLED=No
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
# and Shorewall also uses that term.
#
# Valid levels are:
#
@ -53,7 +55,7 @@ STARTUP_ENABLED=No
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
###############################################################################
#
# LOG FILE LOCATION
#
@ -62,10 +64,11 @@ STARTUP_ENABLED=No
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
# being logged. You must use the %d formatting type for the rule number; if
# your template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
@ -86,21 +89,22 @@ LOGFILE=/var/log/messages
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
@ -141,8 +145,8 @@ LOGBURST=
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
#
LOGNEWNOTSYN=info
@ -219,8 +224,7 @@ RFC1918_LOG_LEVEL=info
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
@ -231,20 +235,20 @@ SMURF_LOG_LEVEL=info
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#
LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
@ -253,7 +257,7 @@ IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh
@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
#
MODULESDIR=
@ -296,6 +302,7 @@ MODULESDIR=
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
@ -314,23 +321,26 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
#
RESTOREFILE=
#
# OLD ZONE FILE FORMAT
#
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't
# converted, we offer this variable that sets the name of the file for ipsec
# information. This option must take the value "zones" or "ipsec". If the option
# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
# information. This option must take the value "zones" or "ipsec". If the
# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
# is assumed.
#
IPSECFILE=zones
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
# NAME OF THE FIREWALL ZONE
#
@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
# for each SNAT external address that you give in /etc/shorewall/masq. If you
# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
# unless you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
@ -383,11 +393,11 @@ ADD_SNAT_ALIASES=No
# will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically
# interface because then all routes through the interface are automatically
# removed.
#
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No
@ -395,8 +405,9 @@ RETAIN_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled.
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
# If you say "No" or "no" then traffic shaping is not enabled.
#
TC_ENABLED=No
@ -413,6 +424,7 @@ TC_ENABLED=No
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
#
CLEAR_TC=Yes
@ -425,14 +437,15 @@ CLEAR_TC=Yes
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
# packets destined for Masqueraded/SNATed local hosts have had their
# destination address rewritten so they can be marked based on their
# destination. When packets are marked in the PREROUTING chain, packets
# destined for Masqueraded/SNATed local hosts still have a destination address
# corresponding to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
# setting this variable to Yes may cause startup problems.
#
MARK_IN_FORWARD_CHAIN=No
@ -456,7 +469,7 @@ MARK_IN_FORWARD_CHAIN=No
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
@ -481,12 +494,14 @@ CLAMPMSS=No
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# Regardless of the setting of ROUTE_FILTER, you can still enable route
# filtering on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
#
ROUTE_FILTER=No
#
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
@ -515,6 +530,7 @@ ROUTE_FILTER=No
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
#
DETECT_DNAT_IPADDRS=No
@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
#
MUTEX_TIMEOUT=60
@ -541,8 +558,8 @@ MUTEX_TIMEOUT=60
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
@ -552,7 +569,7 @@ MUTEX_TIMEOUT=60
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
@ -565,7 +582,7 @@ MUTEX_TIMEOUT=60
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.
#
@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
#
NEWNOTSYN=Yes
@ -584,7 +602,7 @@ NEWNOTSYN=Yes
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
@ -592,11 +610,11 @@ NEWNOTSYN=Yes
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
# setting, when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - static blacklisting through the /etc/shorewall/blacklist file
# together with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
#
DELAYBLACKLISTLOAD=No
@ -654,7 +673,7 @@ DELAYBLACKLISTLOAD=No
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
@ -668,7 +687,7 @@ MODULE_SUFFIX=
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes
@ -677,7 +696,7 @@ DISABLE_IPV6=Yes
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
@ -694,12 +713,13 @@ BRIDGING=No
DYNAMIC_ZONES=No
#
# USE PKTTYPE MATCH
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
#
PKTTYPE=Yes
@ -713,7 +733,7 @@ PKTTYPE=Yes
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
@ -727,7 +747,8 @@ PKTTYPE=Yes
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
# 'conntrack state' match.
#
RFC1918_STRICT=No
@ -747,10 +768,11 @@ RFC1918_STRICT=No
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
#
MACLIST_TTL=
@ -762,9 +784,10 @@ MACLIST_TTL=
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
#
SAVE_IPSETS=No
@ -776,12 +799,13 @@ SAVE_IPSETS=No
# compatibility, Shorewall can map the old names into invocations of the new
# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
#
MAPOLDACTIONS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
#
# BLACKLIST DISPOSITION
#
@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
#
MACLIST_DISPOSITION=REJECT
@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
#
TCP_FLAGS_DISPOSITION=DROP


@ -152,7 +152,7 @@ fi
%changelog
* Tue Jul 26 2005 Tom Eastep tom@shorewall.net
- Fix omissions/errors
- Fix omissions/errors
* Mon Jul 25 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.0-1
- Add macros and convert most actions to macros


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
# Shorewall version 2.4 - Start File
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
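Review bot: The rewritten header for this file reads `# Shorewall version 2.4 - Start File`, while the old header it replaces said 2.6 and the sibling files retitled in this same commit (started, stop, tunnels, tos, zones) all say "version 2.6", so the 2.4 looks like a stale template rather than an intended downgrade. The 2.4 line appears to be the new side, since it follows the `version N - Name File` / path-on-its-own-line layout this commit introduces elsewhere, but the rendered view does not mark sides, so confirm against the committed file. Suggested change: `# Shorewall version 2.6 - Start File`.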


@ -1,17 +1,23 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
# Shorewall version 2.6 - Started File
#
# This script should not change the firewall configuration directly but may
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
# /etc/shorewall/started
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function
# should not be used in this script because Shorewall is already running
# when this function is called.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
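Review bot: The reflowed explanation opens a parenthesis at `(thus signaling that the` and never closes it; the sentence ends `firewall is completely up.` in both the old and the new wording, so the commit carries the defect forward. Suggested line: `# firewall is completely up).`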


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
# Shorewall version 2.6 - Stop File
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
# Shorewall version 2.4 - Stopped File
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
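Review bot: The new-style header here reads `# Shorewall version 2.4 - Stopped File`, whereas the old header said 2.6 and the matching stop, started, tunnels, tos and zones headers rewritten in this commit all say "version 2.6"; the 2.4 is almost certainly a leftover. Which header line survives cannot be read off this rendered view, so verify against the committed file before changing it. Suggested line: `# Shorewall version 2.6 - Stopped File`.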


@ -1,18 +1,18 @@
#
# Shorewall version 2.6 - Traffic Control Rules File
# Shorewall version 2.6 - Tcrules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
@ -24,33 +24,35 @@
#
#
# MARK/ a) A mark value which is an integer in the range 1-255
# CLASSIFY
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# ":P" nor ":F" follow the mark value then the chain
# is determined by the setting of
# MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
# CP: Mark the connection in the PREROUTING
# chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
@ -65,19 +67,24 @@
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
# the table.
#
# SOURCE Source of the packet. A comma-separated list of
# As in a) above, may be followed by ":P" or ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
@ -93,15 +100,15 @@
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. If your kernel and
# IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed.
#
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
@ -111,8 +118,8 @@
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
@ -134,27 +141,29 @@
#
# It may contain :
#
# [<user name or number>]:[<group name or number>][+<program name>]
# [<user name or number>]:[<group name or number>][+<program name>]
#
# The colon is optionnal when specifying only a user
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin
# Examples : john: , john , :users , john:users ,
# +mozilla-bin
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
# TEST Defines a test on the existing packet or connection
# mark. The rule will match only if the test returns
# true. Tests have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If
# omitted, the packet mark's value is
# tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
###############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
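Review bot: In the MARK/CLASSIFY column description both RESTORE and SAVE are labelled `c)` and CONTINUE is `d)`, so the enumeration repeats a letter; relabel SAVE as `d)` and CONTINUE as `e)`. The phrase `may be followed by ":P" or ":F` under RESTORE and under SAVE is missing its closing quote and should read `":P" or ":F"`, and `specificies` (DEST) and `optionnal` (USER) should be `specifies` and `optional`. These lines are unchanged context in the hunk, so the defects predate this commit, but a cleanup pass over exactly this text is the natural place to fix them.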


@ -1,5 +1,7 @@
#
# Shorewall 2.6 -- /etc/shorewall/tos
# Shorewall version 2.6 - Tos File
#
# /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -10,7 +12,7 @@
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
@ -41,6 +43,7 @@
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
###############################################################################
#SOURCE DEST PROTOCOL SOURCE DEST TOS
# PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.4 - /etc/shorewall/tunnels
# Shorewall version 2.6 - Tunnels File
#
# /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -9,13 +11,13 @@
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
# "ipip", "gre", "6to4", "pptpclient", "pptpserver",
# "openvpn" or "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
# If the type is "ipsec" or "ipsecnat", it may be
# followed by ":noah" to indicate that the Authentication
# Header protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
@ -34,7 +36,7 @@
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. May be
# then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
@ -102,16 +104,17 @@
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
# You have a tunnel that is not one of the supported
# types. Your tunnel uses UDP port 4444. The other end
# of the tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
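Review bot: The GATEWAY description still says `remote getway has no fixed address` (should be `gateway`); the line is context in this hunk, so the typo predates the commit, but this cleanup is the place to fix it. Separately, Example 8 (the `generic:udp:4444 net 4.3.99.124` line) uses an address that is not in any reserved documentation range, so a copied example could open a tunnel rule toward a real host; prefer an RFC 5737 documentation address, e.g. `generic:udp:4444 net 192.0.2.124`, and adjust the prose line above it to match.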


@ -1,20 +1,24 @@
#
# Shorewall 2.6 /etc/shorewall/zones
# Shorewall version 2.6 - Zones File
#
# This file determines your network zones. Columns are:
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY Your kernel and iptables must include policy
# match support.
# No -- Communication with some zone hosts may be encrypted.
# No -- Communication with some zone hosts may be encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
@ -25,7 +29,7 @@
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
@ -35,36 +39,38 @@
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Example zones:
#
# You have a three interface firewall with internet, local and DMZ interfaces.
# You have a three interface firewall with internet, local and DMZ
# interfaces.
#
# #ZONE IPSEC OPTIONS IN OUT
# net
# loc
# dmz
#
###############################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE