extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Large cleanup patch from Tuomo Soini

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-02 16:46:30 +00:00
parent 21a7315717
commit ac1983a5da
85 changed files with 1382 additions and 1138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
Shorewall/accounting
View File

@ -7,7 +7,7 @@
# that you define in this file. You may display these rules and their # that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command. # packet and byte counters using the "shorewall show accounting" command.
# #
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
# #
@ -21,7 +21,7 @@
# to match any other accounting rules # to match any other accounting rules
# in the chain specified in the CHAIN # in the chain specified in the CHAIN
# column. # column.
# <chain>[:COUNT] # <chain>[:COUNT]
# - Where <chain> is the name of # - Where <chain> is the name of
# a chain. Shorewall will create # a chain. Shorewall will create
# the chain automatically if it # the chain automatically if it
@ -29,18 +29,18 @@
# a jump to that chain. If :COUNT # a jump to that chain. If :COUNT
# is including, a counting rule # is including, a counting rule
# matching this record will be # matching this record will be
# added to <chain> # added to <chain>
# #
# CHAIN - The name of a chain. If specified as "-" the # CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain # 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will # where the accounting rule is added. The chain will
# be created if it doesn't already exist. # be created if it doesn't already exist.
# #
# SOURCE - Packet Source # SOURCE - Packet Source
# #
# The name of an interface, an address (host or net) or # The name of an interface, an address (host or net) or
# an interface name followed by ":" # an interface name followed by ":"
# and a host or net address. # and a host or net address.
# #
# DESTINATION - Packet Destination # DESTINATION - Packet Destination
# #
@ -49,14 +49,15 @@
# PROTOCOL A protocol name (from /etc/protocols), a protocol # PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p" # number, or "ipp2p"
# #
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then # DEST PORT Destination Port number. If the PROTOCOL is "ipp2p"
# this column must contain an ipp2p option ("iptables -m # then this column must contain an ipp2p option
# ipp2p --help") without the leading "--". If no option # ("iptables -m ipp2p --help") without the leading
# is given in this column, "ipp2p" is assumed. # "--". If no option is given in this column, "ipp2p"
# is assumed.
# #
# Service name from /etc/services or port number. May # Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6 # only be specified if the protocol is TCP or UDP (6
# or 17). # or 17).
# #
# SOURCE PORT Source Port number # SOURCE PORT Source Port number
# #
@ -69,7 +70,7 @@
# #
# The column may contain: # The column may contain:
# #
# [!][<user name or number>][:<group name or number>][+<program name>] # [!][<user name or number>][:<group name or number>][+<program name>]
# #
# When this column is non-empty, the rule applies only # When this column is non-empty, the rule applies only
# if the program generating the output is running under # if the program generating the output is running under
@ -81,17 +82,17 @@
# joe #program must be run by joe # joe #program must be run by joe
# :kids #program must be run by a member of # :kids #program must be run by a member of
# #the 'kids' group # #the 'kids' group
# !:kids #program must not be run by a member # !:kids #program must not be run by a member
# #of the 'kids' group # #of the 'kids' group
# +upnpd #program named upnpd # +upnpd #program named upnpd
# #
# In all of the above columns except ACTION and CHAIN, the values "-", # In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards # "any" and "all" may be used as wildcards
# #
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ #####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP # PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

36
Shorewall/action.Drop
View File

@ -1,21 +1,24 @@
# #
# Shorewall 2.6 /usr/share/shorewall/action.Drop # Shorewall version 2.6 - Drop Action
#
# /usr/share/shorewall/action.Drop
# #
# The default DROP common rules # The default DROP common rules
# #
# This action is invoked before a DROP policy is enforced. The purpose of the action # This action is invoked before a DROP policy is enforced. The purpose
# is: # of the action is:
# #
# a) Avoid logging lots of useless cruft. # a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP. # b) Ensure that 'auth' requests are rejected, even if the policy is
# Otherwise, you may experience problems establishing connections with # DROP. Otherwise, you may experience problems establishing
# servers that use auth. # connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful # c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed. # internet operation are always ACCEPTed.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###################################################################################### #
#TARGET SOURCE DEST PROTO DPORT SPORT ###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
# #
# Reject 'auth' # Reject 'auth'
# #
@ -27,10 +30,10 @@ dropBcast
# #
# ACCEPT critical ICMP types # ACCEPT critical ICMP types
# #
AllowICMPs - - icmp AllowICMPs - - icmp
# #
# Drop packets that in the INVALID state -- these are usually ICMP packets and just # Drop packets that in the INVALID state -- these are usually ICMP packets
# confuse people when they appear in the log. # and just confuse people when they appear in the log.
# #
dropInvalid dropInvalid
# #
@ -41,9 +44,10 @@ DropUPnP
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
dropNotSyn - - tcp dropNotSyn - - tcp
# #
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log. # Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
# #
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

33
Shorewall/action.Reject
View File

@ -1,33 +1,37 @@
# #
# Shorewall 2.6 /usr/share/shorewall/action.Reject # Shorewall version 2.6 - Reject Action
#
# /usr/share/shorewall/action.Reject
# #
# The default REJECT action common rules # The default REJECT action common rules
# #
# This action is invoked before a REJECT policy is enforced. The purpose of the action # This action is invoked before a REJECT policy is enforced. The purpose
# is: # of the action is:
# #
# a) Avoid logging lots of useless cruft. # a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful # b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed. # internet operation are always ACCEPTed.
# #
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!! # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
# #
# Don't log 'auth' REJECT # Don't log 'auth' REJECT
# #
Auth/REJECT Auth/REJECT
# #
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected). # Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
# #
dropBcast dropBcast
# #
# ACCEPT critical ICMP types # ACCEPT critical ICMP types
# #
AllowICMPs - - icmp AllowICMPs - - icmp
# #
# Drop packets that in the INVALID state -- these are usually ICMP packets and just # Drop packets that in the INVALID state -- these are usually ICMP packets
# confuse people when they appear in the log (these ICMPs cannot be rejected). # and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
# #
dropInvalid dropInvalid
# #
@ -38,9 +42,10 @@ DropUPnP
# #
# Drop 'newnotsyn' traffic so that it doesn't get logged. # Drop 'newnotsyn' traffic so that it doesn't get logged.
# #
dropNotSyn - - tcp dropNotSyn - - tcp
# #
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log. # Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
# #
DropDNSrep DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

66
Shorewall/action.template
View File

@ -1,7 +1,9 @@
# #
# Shorewall 2.6 /etc/shorewall/action.template # Shorewall version 2.6 - Template Action
# #
# This file is a template for files with names of the form # /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an # /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined in /etc/shorewall/actions. # ACTION defined in /etc/shorewall/actions.
# #
@ -20,20 +22,21 @@
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a # TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action> # previously-defined <action>
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# DROP -- ignore the request # DROP -- ignore the request
# REJECT -- disallow the request and return an # REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet. # icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space # QUEUE -- Queue the packet to a user-space
# application such as p2pwall. # application such as p2pwall.
# CONTINUE -- Discontinue processing this action # CONTINUE -- Discontinue processing this action
# and return to the point where the # and return to the point where the
# action was invoked. # action was invoked.
# <action> -- An <action> defined in # <action> -- An <action> defined in
# /etc/shorewall/actions. The <action> # /etc/shorewall/actions.
# must appear in that file BEFORE the # The <action> must appear in that
# one being defined in this file. # file BEFORE the one being defined
# in this file.
# #
# The TARGET may optionally be followed # The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or # by ":" and a syslog log level (e.g, REJECT:info or
@ -58,7 +61,7 @@
# at the end of the log prefix generated by the # at the end of the log prefix generated by the
# LOGPREFIX setting. # LOGPREFIX setting.
# #
# SOURCE Source hosts to which the rule applies. # SOURCE Source hosts to which the rule applies.
# A comma-separated list of subnets # A comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC # and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
@ -72,21 +75,21 @@
# kernel and iptables must have # kernel and iptables must have
# iprange match support. # iprange match support.
# #
# +remote The name of an ipset prefaced # +remote The name of an ipset prefaced
# by "+". Your kernel and # by "+". Your kernel and
# iptables must have set match # iptables must have set match
# support # support
# #
# +remote[4] The name of the ipset may # +remote[4] The name of the ipset may
# followed by a number of # followed by a number of
# levels of ipset bindings # levels of ipset bindings
# enclosed in square brackets. # enclosed in square brackets.
# #
# 192.168.1.1,192.168.1.2 # 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and # Hosts 192.168.1.1 and
# 192.168.1.2. # 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with # ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a # name. For example, eth1 specifies a
@ -95,14 +98,15 @@
# another colon (":") and an IP/MAC/subnet address # another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5). # as described above (e.g., eth1:192.168.1.5).
# #
# DEST Location of destination host. Same as above with the exception that # DEST Location of destination host. Same as above with
# MAC addresses are not allowed and that you cannot specify # the exception that MAC addresses are not allowed and
# an ipset name in both the SOURCE and DEST columns. # that you cannot specify an ipset name in both the
# SOURCE and DEST columns.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all". # "all".
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
@ -139,12 +143,12 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this column: # this column:
# #
# <rate>/<interval>[:<burst>] # <rate>/<interval>[:<burst>]
# #
# where <rate> is the number of connections per # where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the # <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given, # largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no # a value of 5 is assumed. There may be no
@ -157,7 +161,7 @@
# #
# The column may contain: # The column may contain:
# #
# [!][<user name or number>][:<group name or number>][+<program name>] # [!][<user name or number>][:<group name or number>][+<program name>]
# #
# When this column is non-empty, the rule applies only # When this column is non-empty, the rule applies only
# if the program generating the output is running under # if the program generating the output is running under
@ -169,11 +173,11 @@
# joe #program must be run by joe # joe #program must be run by joe
# :kids #program must be run by a member of # :kids #program must be run by a member of
# #the 'kids' group # #the 'kids' group
# !:kids #program must not be run by a member # !:kids #program must not be run by a member
# #of the 'kids' group # #of the 'kids' group
# +upnpd #program named upnpd # +upnpd #program named upnpd
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall/actions
View File

@ -1,7 +1,9 @@
# #
# Shorewall 2.6 /etc/shorewall/actions # Shorewall version 2.6 - Actions File
# #
# This file allows you to define new ACTIONS for use in rules # /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to # (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in # be performed in an ACTION in
# /etc/shorewall/action.<action-name>. # /etc/shorewall/action.<action-name>.
@ -24,9 +26,8 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by # If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action. # itself, the associated policy will have no common action.
# #
# Please see http://shorewall.net/Actions.html for additional # Please see http://shorewall.net/Actions.html for additional information.
# information.
# #
###############################################################################
#ACTION #ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

35
Shorewall/actions.std
View File

@ -1,27 +1,28 @@
# #
# Shorewall 2.6 /usr/share/shorewall/actions.std # Shorewall version 2.6 - Actions.std File
#
# /usr/share/shorewall/actions.std
# #
# Please see http://shorewall.net/Actions.html for additional # Please see http://shorewall.net/Actions.html for additional
# information. # information.
# #
# Builtin Actions are: # Builtin Actions are:
# #
# allowBcast #Silently Allow Broadcast/multicast # allowBcast # Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn #Silently Drop Non-syn TCP packets # dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets # rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid # Silently Drop packets that are in the INVALID
# #conntrack state. # # conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid # Accept packets that are in the INVALID
# #conntrack state. # # conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd' # allowoutUPnP # Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic # allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from # forwardUPnP # Allow traffic that upnpd has redirected from
# #'upnp' interfaces. # # 'upnp' interfaces.
# #
###############################################################################
#ACTION #ACTION
Drop:DROP # Common Action for DROP policy
Drop:DROP #Common Action for DROP policy Reject:REJECT # Common Action for REJECT policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

46
Shorewall/blacklist
View File

@ -1,21 +1,22 @@
# #
# Shorewall 2.6 -- Blacklist File # Shorewall version 2.6 - Blacklist File
# #
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #
# This file contains a list of IP addresses, MAC addresses and/or subnetworks. # This file contains a list of IP addresses, MAC addresses and/or
# subnetworks.
# #
# Columns are: # Columns are:
# #
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address # ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange # range (if your kernel and iptables contain iprange
# match support) or ipset name prefaced by "+" (if # match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match). # your kernel supports ipset match).
# #
# MAC addresses must be prefixed with "~" and use "-" # MAC addresses must be prefixed with "~" and use "-"
# as a separator. # as a separator.
# #
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
# #
# PROTOCOL - Optional. If specified, must be a protocol number # PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols. # or a protocol name from /etc/protocols.
@ -24,33 +25,32 @@
# is TCP (6) or UDP (17). A comma-separated list # is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services. # of port numbers or service names from /etc/services.
# #
# When a packet arrives on an interface that has the 'blacklist' option # When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked # specified in /etc/shorewall/interfaces, its source IP address is
# against this file and disposed of according to the BLACKLIST_DISPOSITION and # checked against this file and disposed of according to the
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf # BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
# #
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked. # the protocol (and one of the ports if PORTS supplied) are blocked.
# #
# Example: # Example:
# #
# To block DNS queries from address 192.0.2.126: # To block DNS queries from address 192.0.2.126:
# #
# ADDRESS/SUBNET PROTOCOL PORT # ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53 # 192.0.2.126 udp 53
# #
# Example: # Example:
# #
# To block DNS queries from addresses in the ipset 'dnsblack': # To block DNS queries from addresses in the ipset 'dnsblack':
# #
# ADDRESS/SUBNET PROTOCOL PORT # ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53 # +dnsblack udp 53
# #
# Please see http://shorewall.net/blacklisting_support.htm for additional # Please see http://shorewall.net/blacklisting_support.htm for additional
# information. # information.
# #
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT #ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/configpath
View File

@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Default Config Path # Shorewall version 2.6 - Default Config Path
# #
# /usr/share/shorewall/configpath # /usr/share/shorewall/configpath
# #

16
Shorewall/continue
View File

@ -1,8 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/continue
# #
# Add commands below that you want to be executed after shorewall has # Shorewall version 2.6 - Continue File
# cleared any existing Netfilter rules and has enabled existing connections.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm # /etc/shorewall/continue
# #
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/default.debian
View File

@ -10,7 +10,7 @@ startup=0
# #
# Example: # Example:
# wait_interface="ppp0" # wait_interface="ppp0"
# or # or
# wait_interface="ppp0 ppp1" # wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params # or, if you have defined in /etc/shorewall/params
# wait_interface= # wait_interface=

9
Shorewall/ecn
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 - /etc/shorewall/ecn # Shorewall version 2.6 - Ecn File
#
# /etc/shorewall/ecn
# #
# Use this file to list the destinations for which you want to # Use this file to list the destinations for which you want to
# disable ECN. # disable ECN.
# #
# This feature requires kernel 2.4.20 or later. If you run 2.4.20, # This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch. # you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later. # That patch is included in kernels 2.4.21 and later.
# #
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
@ -17,6 +19,7 @@
# are also permitted. # are also permitted.
# #
# For additional information, see http://shorewall.net/Documentation.htm#ECN # For additional information, see http://shorewall.net/Documentation.htm#ECN
############################################################################## #
###############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

318
Shorewall/firewall
View File

File diff suppressed because it is too large Load Diff

28
Shorewall/functions
View File

@ -128,7 +128,7 @@ ensure_config_path() {
. $F . $F
fi fi
} }
# #
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
# #
@ -245,7 +245,7 @@ loadmodule() # $1 = module name, $2 - * arguments
local suffix local suffix
moduleloader=modprobe moduleloader=modprobe
if ! qt mywhich modprobe; then if ! qt mywhich modprobe; then
moduleloader=insmod moduleloader=insmod
fi fi
@ -278,7 +278,7 @@ reload_kernel_modules() {
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
while read command; do while read command; do
eval $command eval $command
done done
@ -398,8 +398,8 @@ mktempfile() {
# #
mktempdir() { mktempdir() {
[ -z "$MKTEMP" ] && find_mktemp [ -z "$MKTEMP" ] && find_mktemp
case "$MKTEMP" in case "$MKTEMP" in
STD) STD)
mktemp -td shorewall.XXXXXX mktemp -td shorewall.XXXXXX
@ -483,7 +483,7 @@ decodeaddr() {
local x local x
local temp=0 local temp=0
local ifs=$IFS local ifs=$IFS
IFS=. IFS=.
for x in $1; do for x in $1; do
@ -517,7 +517,7 @@ encodeaddr() {
# #
# Comes in two flavors: # Comes in two flavors:
# #
# ip_range() - produces a mimimal list of network/host addresses that spans # ip_range() - produces a mimimal list of network/host addresses that spans
# the range. # the range.
# #
# ip_range_explicit() - explicitly enumerates the range. # ip_range_explicit() - explicitly enumerates the range.
@ -571,7 +571,7 @@ ip_range() {
ip_range_explicit() { ip_range_explicit() {
local first last local first last
case $1 in case $1 in
[0-9]*.*.*.*-*.*.*.*) [0-9]*.*.*.*-*.*.*.*)
;; ;;
*) *)
@ -700,7 +700,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+" # $2 = Full interface name - may also end in "+"
{ {
local pattern=${1%+} local pattern=${1%+}
case $1 in case $1 in
*+) *+)
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}" test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
@ -721,7 +721,7 @@ find_device() {
shift shift
done done
} }
# #
# Find the value 'via' in the passed arguments then echo the next value # Find the value 'via' in the passed arguments then echo the next value
# #
@ -732,7 +732,7 @@ find_gateway() {
shift shift
done done
} }
# #
# Find the value 'peer' in the passed arguments then echo the next value up to # Find the value 'peer' in the passed arguments then echo the next value up to
# "/" # "/"
@ -744,7 +744,7 @@ find_peer() {
shift shift
done done
} }
# #
# Find the interfaces that have a route to the passed address - the default # Find the interfaces that have a route to the passed address - the default
# route is not used. # route is not used.
@ -768,12 +768,12 @@ find_rt_interface() {
} }
# #
# Try to find the gateway through an interface looking for 'nexthop' # Try to find the gateway through an interface looking for 'nexthop'
find_nexthop() # $1 = interface find_nexthop() # $1 = interface
{ {
echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`) echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
} }
# #
# Find the default route's interface # Find the default route's interface

20
Shorewall/help
View File

@ -51,11 +51,11 @@ add)
;; ;;
address|host) address|host)
echo "<$1>: echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
match support then IP address ranges of the form <low address>-<high address> match support then IP address ranges of the form <low address>-<high address>
are also permitted. If your kernel and iptables contain ipset match support are also permitted. If your kernel and iptables contain ipset match support
then you may specify the name of an ipset prefaced by "+". The name of the then you may specify the name of an ipset prefaced by "+". The name of the
ipsec may be optionally followed by a number of levels of ipset bindings ipsec may be optionally followed by a number of levels of ipset bindings
(1 - 6) that are to be followed" (1 - 6) that are to be followed"
@ -141,7 +141,7 @@ dump)
shorewall [-x] dump shorewall [-x] dump
Produce a verbose report about the firewall for problem analysis. Produce a verbose report about the firewall for problem analysis.
(iptables -L -n -) (iptables -L -n -)
When -x is given, that option is also passed to iptables to display actual packet and byte counts." When -x is given, that option is also passed to iptables to display actual packet and byte counts."
@ -215,22 +215,22 @@ restart)
safe-restart) safe-restart)
echo "safe-restart: safe-restart echo "safe-restart: safe-restart
Restart the same way as a shorewall restart except that previous firewall Restart the same way as a shorewall restart except that previous firewall
configuration is backed up and will be restored if you notice any anomalies configuration is backed up and will be restored if you notice any anomalies
or you are not able to reach the firewall any more." or you are not able to reach the firewall any more."
;; ;;
safe-start) safe-start)
echo "safe-start: safe-start echo "safe-start: safe-start
Start the same way as a shorewall start except that in case of anomalies Start the same way as a shorewall start except that in case of anomalies
shorewall clear is issued. " shorewall clear is issued. "
;; ;;
restore) restore)
echo "restore: restore [ <file name> ] echo "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using "shorewall save"; if no <file name> is given /var/lib/shorewall created using "shorewall save"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf. option in shorewall.conf.
@ -239,7 +239,7 @@ restore)
save) save)
echo "save: save [ <file name> ] echo "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore' firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf. in the file specified by the RESTOREFILE option in shorewall.conf.
@ -305,8 +305,8 @@ status)
Displays the Shorewall status (running/not-running). Displays the Shorewall status (running/not-running).
Also displays the Shorewall state as shown in the state diagram at Also displays the Shorewall state as shown in the state diagram at
http://www.shorewall.net/starting_and_stopping_shorewall. The time and http://www.shorewall.net/starting_and_stopping_shorewall. The time and
date when that state was reached is also displayed." date when that state was reached is also displayed."
;; ;;
trace) trace)

44
Shorewall/hosts
View File

@ -1,5 +1,7 @@
# #
# Shorewall 2.6 - /etc/shorewall/hosts # Shorewall version 2.6 - Hosts file
#
# /etc/shorewall/hosts
# #
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN # THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. # ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -17,7 +19,7 @@
# The order of entries in this file is not significant in # The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones # determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in # are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted. # which the records in this file are interpreted.
# #
# ZONE - The name of a zone defined in /etc/shorewall/zones # ZONE - The name of a zone defined in /etc/shorewall/zones
# #
@ -37,7 +39,8 @@
# be defined in /etc/shorewall/interfaces and may # be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a # optionally followed by a colon (":") and a
# host or network IP or a range. # host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details. # See http://www.shorewall.net/Bridge.html
# for details.
# e) The name of an ipset (preceded by "+"). # e) The name of an ipset (preceded by "+").
# #
# Examples: # Examples:
@ -60,19 +63,20 @@
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# #
# routeback - Shorewall should set up the infrastructure # routeback - Shorewall should set up the
# to pass packets from this/these # infrastructure to pass packets
# address(es) back to themselves. This is # from this/these address(es) back
# necessary if hosts in this group use the # to themselves. This is necessary if
# services of a transparent proxy that is # hosts in this group use the services
# of a transparent proxy that is
# a member of the group or if DNAT is used # a member of the group or if DNAT is used
# to send requests originating from this # to send requests originating from this
# group to a server in the group. # group to a server in the group.
# #
# norfc1918 - This option only makes sense for ports # norfc1918 - This option only makes sense for ports
# on a bridge. # on a bridge.
# #
# The port should not accept # The port should not accept
# any packets whose source is in one # any packets whose source is in one
# of the ranges reserved by RFC 1918 # of the ranges reserved by RFC 1918
# (i.e., private or "non-routable" # (i.e., private or "non-routable"
@ -100,7 +104,7 @@
# #
# nosmurfs - This option only makes sense for ports # nosmurfs - This option only makes sense for ports
# on a bridge. # on a bridge.
# #
# Filter packets for smurfs # Filter packets for smurfs
# (packets with a broadcast # (packets with a broadcast
# address as the source). # address as the source).
@ -110,24 +114,26 @@
# shorewall.conf. After logging, the # shorewall.conf. After logging, the
# packets are dropped. # packets are dropped.
# #
# newnotsyn - TCP packets that don't have the SYN # newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an # flag set and which are not part of an
# established connection will be accepted # established connection will be accepted
# from these hosts, even if # from these hosts, even if
# NEWNOTSYN=No has been specified in # NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# ipsec - The zone is accessed via a # ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the # kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is # zone named in the ZONE column is
# specified as an IPSEC zone in the # specified as an IPSEC zone in the
# /etc/shorewall/zones file then you do NOT # /etc/shorewall/zones file then you
# need to specify the 'ipsec' option here. # do NOT need to specify the 'ipsec'
# option here.
# #
# For additional information, see http://shorewall.net/Documentation.htm#Hosts # For additional information, see http://shorewall.net/Documentation.htm#Hosts
# #
#ZONE HOST(S) OPTIONS ###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

15
Shorewall/init
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of # Shorewall version 2.4 - Init File
# a "shorewall start" or "shorewall restart" command.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm # /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

8
Shorewall/init.debian.sh
View File

@ -9,7 +9,7 @@ OPTIONS="-f"
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -n $INITLOG || { test -n $INITLOG || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@ -21,9 +21,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
"not done." "not done."
else else
"not done (check $INITLOG)." "not done (check $INITLOG)."
fi fi
@ -62,7 +62,7 @@ else
not_configured not_configured
fi fi
# wait an unconfigured interface # wait an unconfigured interface
wait_for_pppd () { wait_for_pppd () {
if [ "$wait_interface" != "" ] if [ "$wait_interface" != "" ]
then then

17
Shorewall/initdone
View File

@ -1,9 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/initdone
# #
# Add commands below that you want to be executed during # Shorewall version 2.6 - Initdone File
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
# #
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm # /etc/shorewall/initdone
# #
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

101
Shorewall/interfaces
View File

@ -1,5 +1,5 @@
# #
# Shorewall 2.6 -- Interfaces File # Shorewall version 2.6 - Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -25,7 +25,7 @@
# interfaces, use 'ppp+'. # interfaces, use 'ppp+'.
# #
# There is no need to define the loopback interface (lo) # There is no need to define the loopback interface (lo)
# in this file. # in this file.
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
@ -49,14 +49,14 @@
# dhcp - Specify this option when any of # dhcp - Specify this option when any of
# the following are true: # the following are true:
# 1. the interface gets its IP address # 1. the interface gets its IP address
# via DHCP # via DHCP
# 2. the interface is used by # 2. the interface is used by
# a DHCP server running on the firewall # a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN # 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP # segment with lots of Laptop DHCP
# clients. # clients.
# 4. the interface is a bridge with # 4. the interface is a bridge with
# a DHCP server on one port and DHCP # a DHCP server on one port and DHCP
# clients on another port. # clients on another port.
# #
# norfc1918 - This interface should not receive # norfc1918 - This interface should not receive
@ -71,7 +71,7 @@
# #
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file. # the /etc/shorewall/shorewall.conf file.
# #
# logmartians - turn on kernel martian logging (logging # logmartians - turn on kernel martian logging (logging
@ -112,30 +112,31 @@
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# newnotsyn - TCP packets that don't have the SYN # newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an # flag set and which are not part of an
# established connection will be accepted # established connection will be accepted
# from this interface, even if # from this interface, even if
# NEWNOTSYN=No has been specified in # NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other # /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface # words, packets coming in on this
# are processed as if NEWNOTSYN=Yes had been # interface are processed as if
# specified in /etc/shorewall/shorewall.conf. # NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
# #
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# It is the opinion of the author that # It is the opinion of the author that
# NEWNOTSYN=No creates more problems than # NEWNOTSYN=No creates more problems than
# it solves and I recommend against using # it solves and I recommend against using
# that setting in shorewall.conf (hence # that setting in shorewall.conf (hence
# making the use of the 'newnotsyn' # making the use of the 'newnotsyn'
# interface option unnecessary). # interface option unnecessary).
# #
# routeback - If specified, indicates that Shorewall # routeback - If specified, indicates that Shorewall
# should include rules that allow filtering # should include rules that allow
# traffic arriving on this interface back # filtering traffic arriving on this
# out that same interface. # interface back out that same interface.
# #
# arp_filter - If specified, this interface will only # arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP # respond to ARP who-has requests for IP
@ -143,39 +144,39 @@
# If not specified, the interface can # If not specified, the interface can
# respond to ARP who-has requests for # respond to ARP who-has requests for
# IP addresses on any of the firewall's # IP addresses on any of the firewall's
# interface. The interface must be up # interface. The interface must be up
# when Shorewall is started. # when Shorewall is started.
# #
# arp_ignore[=<number>] # arp_ignore[=<number>]
# - If specified, this interface will # - If specified, this interface will
# respond to arp requests based on the # respond to arp requests based on the
# value of <number>. # value of <number>.
# #
# 1 - reply only if the target IP address # 1 - reply only if the target IP address
# is local address configured on the # is local address configured on the
# incoming interface # incoming interface
# #
# 2 - reply only if the target IP address # 2 - reply only if the target IP address
# is local address configured on the # is local address configured on the
# incoming interface and both with the # incoming interface and both with the
# sender's IP address are part from same # sender's IP address are part from same
# subnet on this interface # subnet on this interface
# #
# 3 - do not reply for local addresses # 3 - do not reply for local addresses
# configured with scope host, only # configured with scope host, only
# resolutions for global and link # resolutions for global and link
# addresses are replied # addresses are replied
# #
# 4-7 - reserved # 4-7 - reserved
# #
# 8 - do not reply for all local # 8 - do not reply for all local
# addresses # addresses
# #
# If no <number> is given then the value # If no <number> is given then the value
# 1 is assumed # 1 is assumed
# #
# WARNING -- DO NOT SPECIFY arp_ignore # WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP. # FOR ANY INTERFACE INVOLVED IN PROXY ARP.
# #
# nosmurfs - Filter packets for smurfs # nosmurfs - Filter packets for smurfs
# (packets with a broadcast # (packets with a broadcast
@ -190,18 +191,18 @@
# in the ZONE column to include only those # in the ZONE column to include only those
# hosts routed through the interface. # hosts routed through the interface.
# #
# upnp - Incoming requests from this interface may # upnp - Incoming requests from this interface
# be remapped via UPNP (upnpd). # may be remapped via UPNP (upnpd).
# #
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE. # INTERNET INTERFACE.
# #
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.
# #
# GATEWAY This column is only meaningful if the 'default' OPTION # GATEWAY This column is only meaningful if the 'default' OPTION
# is given -- it is ignored otherwise. You may specify # is given -- it is ignored otherwise. You may specify
# the default gateway IP address for this interface here # the default gateway IP address for this interface here
# and Shorewall will use that IP address rather than any # and Shorewall will use that IP address rather than any
# that it finds in the main routing table. # that it finds in the main routing table.
@ -231,9 +232,9 @@
# #
# net ppp0 - # net ppp0 -
# #
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces # For additional information, see
# # http://shorewall.net/Documentation.htm#Interfaces
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
# #
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

4
Shorewall/ipsec
View File

@ -1,7 +1,7 @@
# #
# The /etc/shorewall/ipsec file is obsolete -- the information # The /etc/shorewall/ipsec file is obsolete -- the information
# previously contained in this file is now placed in the # previously contained in this file is now placed in the
# /etc/shorewall/zones file. # /etc/shorewall/zones file.
# #
# See the IPSECFILE option in shorewall.conf for further information. # See the IPSECFILE option in shorewall.conf for further information.
#

14
Shorewall/ipsecvpn
View File

@ -54,7 +54,7 @@ NETWORKS="192.168.1.0/24"
# #
CERTS=/etc/certs CERTS=/etc/certs
# #
# Certificate to be used for this connection. The cert # Certificate to be used for this connection. The cert
# directory must contain: # directory must contain:
# #
# ${CERT}.pem - the certificate # ${CERT}.pem - the certificate
@ -180,14 +180,14 @@ make_racoon_conf() {
# #
# Make a setkey configuration file using the variables above # Make a setkey configuration file using the variables above
# #
make_setkey_conf() make_setkey_conf()
{ {
echo "flush;" echo "flush;"
echo "spdflush;" echo "spdflush;"
echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
for network in $NETWORKS; do for network in $NETWORKS; do
echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;"
echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;"
@ -197,7 +197,7 @@ make_setkey_conf()
# #
# Start the Tunnel # Start the Tunnel
# #
start() start()
{ {
# #
# Get the first IP address configured on the device in INTERFACE # Get the first IP address configured on the device in INTERFACE
@ -242,7 +242,7 @@ start()
# #
# Stop the Tunnel # Stop the Tunnel
# #
stop() stop()
{ {
# #
# Kill any racoon daemons # Kill any racoon daemons
@ -257,7 +257,7 @@ stop()
# #
# Display command syntax and abend # Display command syntax and abend
# #
usage() usage()
{ {
error_message "usage: $(basename $0) [start|stop|restart]" error_message "usage: $(basename $0) [start|stop|restart]"
exit 1 exit 1
@ -286,7 +286,7 @@ case $1 in
esac esac

12
Shorewall/maclist
View File

@ -1,13 +1,13 @@
# #
# Shorewall 2.6 - MAC list file # Shorewall version 2.6 - Maclist file
#
# /etc/shorewall/maclist
# #
# This file is used to define the MAC addresses and optionally their # This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface. # associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces # The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file. # or hosts configuration file.
# #
# /etc/shorewall/maclist
#
# Columns are: # Columns are:
# #
# INTERFACE Network interface to a host. If the interface # INTERFACE Network interface to a host. If the interface
@ -21,11 +21,11 @@
# IP ADDRESSES Optional -- if specified, both the MAC and IP address # IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated # must match. This column can contain a comma-separated
# list of host and/or subnet addresses. If your kernel # list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP # and iptables have iprange match support then IP
# address ranges are also allowed. # address ranges are also allowed.
# #
# For additional information, see http://shorewall.net/MAC_Validation.html # For additional information, see http://shorewall.net/MAC_Validation.html
# #
############################################################################## ###############################################################################
#INTERFACE MAC IP ADDRESSES (Optional) #INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

16
Shorewall/macro.AllowICMPs
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs # Shorewall version 2.6 - AllowICMPs Macro
#
# /usr/share/shorewall/macro.AllowICMPs
# #
# ACCEPT needed ICMP types # ACCEPT needed ICMP types
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp fragmentation-needed ACCEPT - - icmp time-exceeded
ACCEPT - - icmp time-exceeded #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Amanda
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.Amanda # Shorewall version 2.6 - Amanda Macro
#
# /usr/share/shorewall/macro.Amanda
# #
# This macro handles connections to the AMANDA backup system. # This macro handles connections to the AMANDA backup system.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 10080 PARAM - - udp 10080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Auth
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Auth # Shorewall version 2.6 - Auth Macro
#
# /usr/share/shorewall/macro.Auth
# #
# This macro handles Auth (identd) traffic. # This macro handles Auth (identd) traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 113 PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.BitTorrent
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.BitTorrent # Shorewall version 2.6 - BitTorrent Macro
#
# /usr/share/shorewall/macro.BitTorrent
# #
# This macro handles BitTorrent traffic. # This macro handles BitTorrent traffic.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6881:6889 PARAM - - tcp 6881:6889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.CVS
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.CVS # Shorewall version 2.6 - CVS Macro
#
# /usr/share/shorewall/macro.CVS
# #
# This macro handles connections to the CVS pserver. # This macro handles connections to the CVS pserver.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 2401 PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.DNS
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.DNS # Shorewall version 2.6 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
# #
# This macro handles DNS traffic. # This macro handles DNS traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 53 PARAM - - udp 53
PARAM - - tcp 53 PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Distcc
View File

@ -1,11 +1,13 @@
# #
# Shorewall macro.Distcc # Shorewall version 2.6 - Distoc Macro
#
# /usr/share/shorewall/macro.Distcc
# #
# This macro handles connections to the Distributed Compiler # This macro handles connections to the Distributed Compiler
# service. # service.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3632 PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.DropDNSrep
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep # Shorewall version 2.6 - DropDNSrep Macro
#
# /usr/share/shorewall/macro.DropDNSrep
# #
# This macro silently drops DNS UDP replies # This macro silently drops DNS UDP replies
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
DROP - - udp - 53 DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.DropUPnP
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP # Shorewall version 2.6 - DropUPnP Macro
#
# /usr/share/shorewall/macro.DropUPnP
# #
# This macro silently drops UPnP probes on UDP port 1900 # This macro silently drops UPnP probes on UDP port 1900
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
DROP - - udp 1900 DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

50
Shorewall/macro.Edonkey
View File

@ -1,31 +1,35 @@
# #
# Shorewall macro.Edonkey # Shorewall version 2.6 - Edonkey Macro
#
# /usr/share/shorewall/macro.Edonkey
# #
# This macro handles Edonkey traffic. # This macro handles Edonkey traffic.
# #
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
# #
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm # http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665 # says to use udp 5737 rather than 4665.
# #
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: # http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
# 4661 TCP (outgoing)
# Port, on which a server listens for connection (defined by server).
#4665 UDP (outgoing)
# used for global server searches and global source queries. This is
#always Server TCP port (in this case 4661) + 4.
#4662 TCP (outgoing and incoming)
# Client to client transfers.
#4672 UDP (outgoing and incoming)
# Extended eMule protocol, Queue Rating, File Reask Ping
#4711 TCP
# WebServer listening port.
#4712 TCP
# External Connection port. Used to communicate aMule with other
#applications such as aMule WebServer or aMuleCMD.
# #
# 4661 TCP (outgoing) Port, on which a server listens for connection
# (defined by server).
#
# 4665 UDP (outgoing) used for global server searches and global source
# queries. This is always Server TCP port (in this case 4661) + 4.
#
# 4662 TCP (outgoing and incoming) Client to client transfers.
#
# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
# Rating, File Reask Ping
#
# 4711 TCP WebServer listening port.
#
# 4712 TCP External Connection port. Used to communicate aMule with other
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.FTP
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.FTP # Shorewall version 2.6 - FTP Macro
#
# /usr/share/shorewall/macro.FTP
# #
# This macro handles FTP traffic. # This macro handles FTP traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 21 PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Gnutella
View File

@ -1,11 +1,13 @@
# #
# Shorewall macro.Gnutella # Shorewall version 2.6 - Gnutella Macro
#
# /usr/share/shorewall/macro.Gnutella
# #
# This macro handles gnutella traffic. # This macro handles gnutella traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6346 PARAM - - tcp 6346
PARAM - - udp 6346 PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.ICQ
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.ICQ # Shorewall version 2.6 - ICQ Macro
#
# /usr/share/shorewall/macro.ICQ
# #
# This macro handles ICQ traffic. # This macro handles ICQ traffic.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5190 PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.IMAP
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.IMAP # Shorewall version 2.6 - IMAP Macro
#
# /usr/share/shorewall/macro.IMAP
# #
# This macro handles IMAP traffic (secure and insecure): # This macro handles IMAP traffic (secure and insecure):
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 143 #Unsecure IMAP PARAM - - tcp 143 # Unsecure IMAP
PARAM - - tcp 993 #Secure IMAP PARAM - - tcp 993 # Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.LDAP
View File

@ -1,11 +1,13 @@
# #
# Shorewall macro.LDAP # Shorewall version 2.6 - LDAP Macro
#
# /usr/share/shorewall/macro.LDAP
# #
# This macro handles LDAP traffic (secure and insecure) # This macro handles LDAP traffic (secure and insecure)
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 389 PARAM - - tcp 389
PARAM - - tcp 636 PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.MySQL
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.MySQL # Shorewall version 2.6 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
# #
# This action macro.handles connections to the MySQL server. # This action macro.handles connections to the MySQL server.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3306 PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.NNTP
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.NNTP # Shorewall version 2.6 NNTP Macro
#
# /usr/share/shorewall/macro.NNTP
# #
# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS) # This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 119 PARAM - - tcp 119
PARAM - - tcp 563 PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.NTP
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.NTP # Shorewall version 2.6 - NTP Macro
#
# /usr/share/shorewall/macro.NTP
# #
# This macro handles NTP traffic (ntpd). # This macro handles NTP traffic (ntpd).
# For broadcast NTP traffic, use NTPbrd Macro.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123 PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

18
Shorewall/macro.NTPbrd Normal file
View File

@ -0,0 +1,18 @@
#
# Shorewall version 2.6 - NTPbrd Macro
#
# /usr/share/shorewall/macro.NTPbrd
#
# This macro handles NTP traffic (ntpd) including replies to Broadcast
# NTP traffic.
#
# It is recommended only to use this where the source host is trusted -
# otherwise it opens up a large hole in your firewall because
# Netfilter doesn't track connections for broadcast traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.PCA
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.PCA # Shorewall version 2.6 - PCA Macro
#
# /usr/share/shorewall/macro.PCA
# #
# This macro handles PCAnywere (tm) # This macro handles PCAnywere (tm)
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 5632 PARAM - - udp 5632
PARAM - - tcp 5631 PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.POP3
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.POP3 # Shorewall version 2.6 - POP3 Macro
#
# /usr/share/shorewall/macro.POP3
# #
# This macro handles POP3 traffic (secure and insecure): # This macro handles POP3 traffic (secure and insecure):
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 110 #Unsecure POP3 PARAM - - tcp 110 # Unsecure POP3
PARAM - - tcp 995 #Secure POP3 PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Ping
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Ping # Shorewall version 2.6 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
# #
# This macro handles 'ping' requests. # This macro handles 'ping' requests.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - icmp 8 PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.PostgreSQL
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.PostgreSQL # Shorewall version 2.6 - PostgreSQL Macro
#
# /usr/share/shorewall/macro.PostgreSQL
# #
# This macro handles connections to the PostgreSQL server. # This macro handles connections to the PostgreSQL server.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5432 PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Rdate
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Rdate # Shorewall version 2.6 - Rdate Macro
#
# /usr/share/shorewall/macro.Rdate
# #
# This macro handles remote time retrieval (rdate). # This macro handles remote time retrieval (rdate).
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 37 PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Rsync
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.Rsync # Shorewall version 2.6 - Rsync Macro
#
# /usr/share/shorewall/macro.Rsync
# #
# This macro handles connections to the rsync server. # This macro handles connections to the rsync server.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 873 PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

18
Shorewall/macro.SMB
View File

@ -1,14 +1,16 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.SMB # Shorewall version 2.6 - SMB Macro
#
# /usr/share/shorewall/macro.SMB
# #
# Handle Microsoft SMB traffic. You need to invoke this macro in # Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions. # both directions.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 135,445 PARAM - - udp 135,445
PARAM - - udp 137:139 PARAM - - udp 137:139
PARAM - - udp 1024: 137 PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445 PARAM - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SMBswat
View File

@ -1,11 +1,13 @@
# #
# Shorewall macro.SMBswat # Shorewall version 2.6 - SMBswat Macro
#
# /usr/share/shorewall/macro.SMBswat
# #
# This macro handles connections to the Samba Web Administration # This macro handles connections to the Samba Web Administration
# Tool (SWAT). # Tool (SWAT).
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 901 PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SMTP
View File

@ -1,5 +1,7 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.SMTP # Shorewall version 2.6 - SMTP Macro
#
# /usr/share/shorewall/macro.SMTP
# #
# This macro handles SMTP (email) traffic. # This macro handles SMTP (email) traffic.
# #
@ -8,8 +10,8 @@
# reading of email via POP3 or IMAP. For those you need to use # reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros. # the POP3 or IMAP macros.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 25 PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.SNMP
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.SNMP # Shorewall version 2.6 - SNMP Macro
#
# /usr/share/shorewall/macro.SNMP
# #
# This macro accepts SNMP traffic (including traps): # This macro accepts SNMP traffic (including traps):
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 161:162 PARAM - - udp 161:162
PARAM - - tcp 161 PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SPAMD
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.SPAMD # Shorewall version 2.6 - SPAMD Macro
#
# /usr/share/shorewall/macro.SPAMD
# #
# This macro handles Spam Assassin SPAMD traffic. # This macro handles Spam Assassin SPAMD traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 783 PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SSH
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.SSH # Shorewall version 2.6 - SSH Macro
#
# /usr/share/shorewall/macro.SSH
# #
# This macro handles secure shell (SSH) traffic. # This macro handles secure shell (SSH) traffic.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 22 PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.SVN
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.SVN # Shorewall version 2.6 - SVN Macro
# #
# This macro handles connections to the Subversion server. # /usr/share/shorewall/macro.SVN
# #
################################################################################ # This macro handles connections to the Subversion (SVN) server.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #
# PORT PORT(S) LIMIT ###############################################################################
PARAM - - tcp 3690 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Submission Normal file
View File

@ -0,0 +1,12 @@
#
# Shorewall version 2.6 - Submission Macro
#
# /usr/share/shorewall/macro.Submission
#
# This macro handles mail message submission traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 587
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Syslog
View File

@ -1,10 +1,12 @@
# #
# Shorewall macro.Syslog # Shorewall version 2.6 - Syslog Macro
#
# /usr/share/shorewall/macro.Syslog
# #
# This macro handles syslog UDP traffic. # This macro handles syslog UDP traffic.
# #
################################################################################ ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 514 PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Telnet
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Telnet # Shorewall version 2.6 - Telnet Macro
#
# /usr/share/shorewall/macro.Telnet
# #
# This macro handles Telnet traffic. For traffic over the # This macro handles Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead # internet, telnet is inappropriate; use SSH instead
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 23 PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Trcrt
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt # Shorewall version 2.6 -Trcrt Macro
#
# /usr/share/shorewall/macro.Trcrt
# #
# This macro handles Traceroute (for up to 30 hops): # This macro handles Traceroute (for up to 30 hops):
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 33434:33524 #UDP Traceroute PARAM - - udp 33434:33524 # UDP Traceroute
PARAM - - icmp 8 #ICMP Traceroute PARAM - - icmp 8 # ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.VNC
View File

@ -1,10 +1,12 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.VNC # Shorewall version 2.6 - VNC Macro
#
# /usr/share/shorewall/macro.VNC
# #
# This macro handles VNC traffic for VNC display's 0 - 9. # This macro handles VNC traffic for VNC display's 0 - 9.
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5900:5909 PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Shorewall/macro.VNCL
View File

@ -1,10 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.VNCL # Shorewall version 2.6 -VNCL Macro
# #
# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode. # /usr/share/shorewall/macro.VNCL
# #
###################################################################################### # This macro handles VNC traffic from Vncservers to Vncviewers in listen
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # mode.
# PORT PORT(S) LIMIT GROUP #
PARAM - - tcp 5500 ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Web
View File

@ -1,11 +1,13 @@
# #
# Shorewall 2.6 /usr/share/shorewall/macro.Web # Shorewall version 2.6 - Web Macro
#
# /usr/share/shorewall/macro.Web
# #
# This macro handles WWW traffic (secure and insecure): # This macro handles WWW traffic (secure and insecure):
# #
###################################################################################### ###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 80 PARAM - - tcp 80
PARAM - - tcp 443 PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

79
Shorewall/macro.template
View File

@ -1,21 +1,24 @@
# #
# Shorewall version 2.6 - Macro Template File # Shorewall version 2.6 - Template Macro
# #
# /usr/share/shorewall/macro.template # /usr/share/shorewall/macro.template
# #
# Macro files are similar to template files with the following exceptions: # Macro files are similar to template files with the following exceptions:
# #
# - A macro file is not processed unless the marcro that it defines is referenced in the # - A macro file is not processed unless the marcro that it defines is
# /etc/shorewall/rules file or in an action definition file. # referenced in the /etc/shorewall/rules file or in an action
# definition file.
# #
# - Macros are translated directly into one or more rules whereas actions become their own # - Macros are translated directly into one or more rules whereas
# chain. # actions become their own chain.
# #
# - All entries in a macro undergo substitution when the macro is invoked in the rules file. # - All entries in a macro undergo substitution when the macro is
# invoked in the rules file.
# #
# - Macros may not invoke other macros. # - Macros may not invoke other macros.
# #
# The columns in a macro definition are the same as those in the action.template file. # The columns in a macro definition are the same as those in the
# action.template file.
# A few examples should help show how Macros work. # A few examples should help show how Macros work.
# #
# /etc/shorewall/macro.FwdFTP: # /etc/shorewall/macro.FwdFTP:
@ -26,44 +29,52 @@
# #
# /etc/shorewall/rules: # /etc/shorewall/rules:
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP # # PORT PORT(S) DEST LIMIT GROUP
# FwdFTP net loc:192.168.1.5 # FwdFTP net loc:192.168.1.5
# #
# The result is equivalent to: # The result is equivalent to:
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP # # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.5 tcp 21 # DNAT net loc:192.168.1.5 tcp 21
# #
# The substitution rules are as follows: # The substitution rules are as follows:
# #
# ACTION column If in the invocation of the macro, the macro name is followed by # ACTION column If in the invocation of the macro, the macro
# slash ("/") and a second name, the second name is substituted for # name is followed by slash ("/") and a second
# each entry in the macro whose ACTION is PARAM # name, the second name is substituted for each
# entry in the macro whose ACTION is PARAM
# #
# For example, if macro FOO is invoked as FOO/ACCEPT then when # For example, if macro FOO is invoked as
# expanding macro.FOO, Shorewall will substitute ACCEPT in each # FOO/ACCEPT then when expanding macro.FOO,
# entry in macro.FOO whose ACTION column contains PARAM. PARAM may # Shorewall will substitute ACCEPT in each
# be optionally followed by a colon and a log level. # entry in macro.FOO whose ACTION column
# # contains PARAM. PARAM may be optionally
# Any logging specified when the macro is invoked is applied to each # followed by a colon and a log level.
# entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the value in the rules
# columns file is used. If the column in the macro is non-empty then any
# value in the rules file is appended with a ":" separator.
#
# Example: Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
# #
# Remaining Any value in the rules file REPLACES the value given in the macro # Any logging specified when the macro is
# columns file. # invoked is applied to each entry in the macros.
# #
# SOURCE and DEST If the column in the macro is empty then the
# columns value in the rules file is used. If the column
# in the macro is non-empty then any value in
# the rules file is appended with a ":"
# separator.
#
#
# Example: ###############################################
# #ACTION SOURCE DEST PROTO DEST
# # PORT
# Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
# Remaining Any value in the rules file REPLACES the value
# columns given in the macro file.
# #
# #
#################################################################################################### ###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

100
Shorewall/masq
View File

@ -1,10 +1,10 @@
# #
# Shorewall 2.6 - Masquerade file # Shorewall version 2.6 - Masq file
# #
# /etc/shorewall/masq # /etc/shorewall/masq
# #
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT # Use this file to define dynamic NAT (Masquerading) and to define
# (SNAT). # Source NAT (SNAT).
# #
# Columns are: # Columns are:
# #
@ -12,13 +12,13 @@
# interface. If ADD_SNAT_ALIASES=Yes in # interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and # /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with # a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to # that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR # be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION. # PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
# ":" followed by a destination host or subnet. # ":" followed by a destination host or subnet.
# #
# If you wish to inhibit the action of ADD_SNAT_ALIASES # If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit: # for this entry then include the ":" but omit the digit:
@ -35,7 +35,7 @@
# +eth0:192.0.2.32/27 # +eth0:192.0.2.32/27
# +eth0:2 # +eth0:2
# #
# This feature should only be required if you need to # This feature should only be required if you need to
# insert rules in this file that preempt entries in # insert rules in this file that preempt entries in
# /etc/shorewall/nat. # /etc/shorewall/nat.
# #
@ -53,7 +53,7 @@
# In that example traffic from eth1 would be masqueraded unless # In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27 # it came from 192.168.1.4 or 196.168.32.0/27
# #
# ADDRESS -- (Optional). If you specify an address here, SNAT will be # ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If # used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in # ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall # /etc/shorewall/shorewall.conf then Shorewall
@ -74,11 +74,11 @@
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# Normally, Netfilter will attempt to retain # Normally, Netfilter will attempt to retain
# the source port number. You may cause # the source port number. You may cause
# netfilter to remap the source port by following # netfilter to remap the source port by following
# an address or range (if any) by ":" and # an address or range (if any) by ":" and
# a port range with the format <low port>- # a port range with the format <low port>-
# <high port>. If this is done, you must # <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column. # specify "tcp" or "udp" in the PROTO column.
# #
# Examples: # Examples:
@ -86,29 +86,32 @@
# 192.0.2.4:5000-6000 # 192.0.2.4:5000-6000
# :4000-5000 # :4000-5000
# #
# You can invoke the SAME target using the # You can invoke the SAME target using the
# following in this column: # following in this column:
# #
# SAME:[nodst:]<address-range>[,<address-range>...] # SAME:[nodst:]<address-range>[,<address-range>...]
# #
# The <address-ranges> may be single addresses. # The <address-ranges> may be single addresses.
# #
# SAME works like SNAT with the exception that the # SAME works like SNAT with the exception that
# same local IP address is assigned to each connection # the same local IP address is assigned to each
# from a local address to a given remote address. If # connection from a local address to a given
# the 'nodst:' option is included, then the same source # remote address.
# address is used for a given internal system regardless #
# of which remote system is involved. # If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
# #
# If you want to leave this column empty # If you want to leave this column empty
# but you need to specify the next column then # but you need to specify the next column then
# place a hyphen ("-") here. # place a hyphen ("-") here.
# #
# PROTO -- (Optional) If you wish to restrict this entry to a # PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol # particular protocol then enter the protocol
# name (from /etc/protocols) or number here. # name (from /etc/protocols) or number here.
# #
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) # PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one # or UDP (protocol 17) then you may list one
# or more port numbers (or names from # or more port numbers (or names from
# /etc/services) separated by commas or you # /etc/services) separated by commas or you
@ -117,31 +120,32 @@
# #
# Where a comma-separated list is given, your # Where a comma-separated list is given, your
# kernel and iptables must have multiport match # kernel and iptables must have multiport match
# support and a maximum of 15 ports may be # support and a maximum of 15 ports may be
# listed. # listed.
# #
# IPSEC -- (Optional) If you specify a value other than "-" in this # IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and # column, you must be running kernel 2.6 and
# your kernel and iptables must include policy # your kernel and iptables must include policy
# match support. # match support.
# #
# Comma-separated list of options from the following. # Comma-separated list of options from the
# Only packets that will be encrypted via an SA that # following. Only packets that will be encrypted
# matches these options will have their source address # via an SA that matches these options will have
# changed. # their source address changed.
# #
# Yes or yes -- must be the only option listed # Yes or yes -- must be the only option
# and matches all outbound traffic that will be # listed and matches all outbound
# encrypted. # traffic that will be encrypted.
# #
# reqid=<number> where <number> is specified # reqid=<number> where <number> is
# using setkey(8) using the 'unique:<number> # specified using setkey(8) using the
# option for the SPD level. # 'unique:<number> option for the SPD
# level.
# #
# spi=<number> where <number> is the SPI of # spi=<number> where <number> is the
# the SA. # SPI of the SA.
# #
# proto=ah|esp|ipcomp # proto=ah|esp|ipcomp
# #
# mode=transport|tunnel # mode=transport|tunnel
# #
@ -149,13 +153,13 @@
# available with mode=tunnel) # available with mode=tunnel)
# #
# tunnel-dst=<address>[/<mask>] (only # tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel) # available with mode=tunnel)
# #
# strict Means that packets must match all # strict Means that packets must match
# rules. # all rules.
# #
# next Separates rules; can only be used # next Separates rules; can only be
# with strict.. # used with strict..
# #
# Example 1: # Example 1:
# #
@ -179,13 +183,13 @@
# #
# eth0 192.168.1.0/24 # eth0 192.168.1.0/24
# #
# Example 3: # Example 3:
# #
# You have an IPSEC tunnel through ipsec0 and you want to # You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if # masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24: # these packets are destined for hosts in 10.1.1.0/24:
# #
# ipsec0:10.1.1.0/24 196.168.1.0/24 # ipsec0:10.1.1.0/24 196.168.1.0/24
# #
# Example 4: # Example 4:
# #
@ -199,8 +203,8 @@
# Example 5: # Example 5:
# #
# You want all outgoing SMTP traffic entering the firewall # You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address # on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic # 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address # from eth1 to be sent from eth0 with source IP address
# 206.124.146.176. # 206.124.146.176.
# #
@ -212,5 +216,5 @@
# For additional information, see http://shorewall.net/Documentation.htm#Masq # For additional information, see http://shorewall.net/Documentation.htm#Masq
# #
############################################################################### ###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

52
Shorewall/modules
View File

@ -1,27 +1,31 @@
##############################################################################
# Shorewall 2.6 /etc/shorewall/modules
# #
# This file loads the modules needed by the firewall. # Shorewall version 2.6 - Modules File
# #
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # /etc/shorewall/modules
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
# #
# For additional information, see http://shorewall.net/Documentation.htm#modules # This file loads the modules needed by the firewall.
#
loadmodule ip_tables # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
loadmodule iptable_filter # dependency order. i.e., if M2 depends on M1 then you must load M1
loadmodule ip_conntrack # before you load M2.
loadmodule ip_conntrack_ftp #
loadmodule ip_conntrack_tftp # For additional information, see
loadmodule ip_conntrack_irc # http://shorewall.net/Documentation.htm#modules
loadmodule iptable_nat #
loadmodule ip_nat_ftp ###############################################################################
loadmodule ip_nat_tftp loadmodule ip_tables
loadmodule ip_nat_irc loadmodule iptable_filter
loadmodule ip_set loadmodule ip_conntrack
loadmodule ip_set_iphash loadmodule ip_conntrack_ftp
loadmodule ip_set_ipmap loadmodule ip_conntrack_tftp
loadmodule ip_set_macipmap loadmodule ip_conntrack_irc
loadmodule ip_set_portmap loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

25
Shorewall/nat
View File

@ -1,6 +1,5 @@
##############################################################################
# #
# Shorewall 2.6 -- Network Address Translation Table # Shorewall version 2.6 - Nat File
# #
# /etc/shorewall/nat # /etc/shorewall/nat
# #
@ -8,17 +7,17 @@
# (NAT). # (NAT).
# #
# WARNING: If all you want to do is simple port forwarding, do NOT use this # WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most # file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT. # cases, Proxy ARP is a better solution that one-to-one NAT.
# #
# Columns must be separated by white space and are: # Columns are:
# #
# EXTERNAL External IP Address - this should NOT be the primary # EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next # IP address of the interface named in the next
# column and must not be a DNS Name. # column and must not be a DNS Name.
# #
# INTERFACE Interface that you want to EXTERNAL address to appear # INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to # follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias # indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to # with this name (e.g., "eth0:0"). That allows you to
@ -31,17 +30,17 @@
# ":" and no digit (e.g., "eth0:"). # ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name). # INTERNAL Internal Address (must not be a DNS Name).
# #
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. # ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective # If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE # only through the interface named in the INTERFACE
# column # column
# #
# LOCAL If Yes or yes, NAT will be effective from the firewall # LOCAL If Yes or yes, NAT will be effective from the firewall
# system # system
# #
# For additional information, see http://shorewall.net/NAT.htm # For additional information, see http://shorewall.net/NAT.htm
############################################################################## #
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL #EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES # INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

10
Shorewall/netmap
View File

@ -1,6 +1,5 @@
##############################################################################
# #
# Shorewall 2.6 -- Network Mapping Table # Shorewall version 2.6 - Netmap File
# #
# /etc/shorewall/netmap # /etc/shorewall/netmap
# #
@ -10,9 +9,9 @@
# WARNING: To use this file, your kernel and iptables must have # WARNING: To use this file, your kernel and iptables must have
# NETMAP support included. # NETMAP support included.
# #
# Columns must be separated by white space and are: # Columns are:
# #
# TYPE Must be DNAT or SNAT. # TYPE Must be DNAT or SNAT.
# #
# If DNAT, traffic entering INTERFACE and addressed to # If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the # NET1 has it's destination address rewritten to the
@ -32,7 +31,6 @@
# See http://shorewall.net/netmap.html for an example and usage # See http://shorewall.net/netmap.html for an example and usage
# information. # information.
# #
############################################################################## ###############################################################################
#TYPE NET1 INTERFACE NET2 #TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

30
Shorewall/params
View File

@ -1,25 +1,27 @@
# #
# Shorewall 2.6 /etc/shorewall/params # Shorewall version 2.4 - Params File
# #
# Assign any variables that you need here. # /etc/shorewall/params
# #
# It is suggested that variable names begin with an upper case letter # Assign any variables that you need here.
# to distinguish them from variables used internally within the
# Shorewall programs
# #
# Example: # It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
# #
# NET_IF=eth0 # Example:
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
# #
# Example (/etc/shorewall/interfaces record): # NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
# #
# net $NET_IF $NET_BCAST $NET_OPTIONS # Example (/etc/shorewall/interfaces record):
# #
# The result will be the same as if the record had been written # net $NET_IF $NET_BCAST $NET_OPTIONS
# #
# net eth0 130.252.100.255 routefilter,norfc1918 # The result will be the same as if the record had been written
# #
############################################################################## # net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

59
Shorewall/policy
View File

@ -1,9 +1,9 @@
# #
# Shorewall 2.6 -- Policy File # Shorewall version 2.6 - Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each # don't get a match from the /etc/shorewall/rules file . For each
@ -23,39 +23,43 @@
# #
# ACCEPT - Accept the connection # ACCEPT - Accept the connection
# DROP - Ignore the connection request # DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send # REJECT - For TCP, send RST. For all other,
# "port unreachable" ICMP. # send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space # QUEUE - Send the request to a user-space
# application using the QUEUE target. # application using the QUEUE target.
# CONTINUE - Pass the connection request past # CONTINUE - Pass the connection request past
# any other rules that it might also # any other rules that it might also
# match (where the source or destination # match (where the source or
# zone in those rules is a superset of # destination zone in those rules is
# the SOURCE or DEST in this policy). # a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any # NONE - Assume that there will never be any
# packets from this SOURCE # packets from this SOURCE
# to this DEST. Shorewall will not set up # to this DEST. Shorewall will not set
# any infrastructure to handle such # up any infrastructure to handle such
# packets and you may not have any rules # packets and you may not have any
# with this SOURCE and DEST in the # rules with this SOURCE and DEST in
# /etc/shorewall/rules file. If such a # the /etc/shorewall/rules file. If
# packet _is_ received, the result is # such a packet _is_ received, the
# undefined. NONE may not be used if the # result is undefined. NONE may not be
# SOURCE or DEST columns contain the # used if the SOURCE or DEST columns
# firewall zone ($FW) or "all". # contain the firewall zone ($FW) or
# "all".
# #
# If this column contains ACCEPT, DROP or REJECT and a # If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in # corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std) # /etc/shorewall/actions (or
# then that action will be invoked before the policy named in # /usr/share/shorewall/actions.std) then that action
# this column is inforced. # will be invoked before the policy named in this column
# is inforced.
# #
# The policy determined the default treatment of new # The policy determined the default treatment of new
# connection requests and may optionally be followed by ":" # connection requests and may optionally be followed by
# and an ESTABLISHED policy which determines what # ":" and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an established # is to be done with packets that are part of an
# connection. The choices are ACCEPT (the default) and QUEUE # established connection. The choices are ACCEPT (the
# (to queue the packet to a user-space filter like Snort Inline). # default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline).
# #
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
@ -90,9 +94,10 @@
# # # #
# # THE FOLLOWING POLICY MUST BE LAST # # THE FOLLOWING POLICY MUST BE LAST
# # # #
# all all REJECT info # all all REJECT info
# #
# See http://shorewall.net/Documentation.htm#Policy for additional information. # See http://shorewall.net/Documentation.htm#Policy for additional information.
#
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST #SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL # LEVEL

27
Shorewall/providers
View File

@ -1,21 +1,20 @@
##############################################################################
# #
# Shorewall 2.6 -- Internet Service Providers # Shorewall version 2.6 - Providers File
# #
# /etc/shorewall/providers # /etc/shorewall/providers
# #
# This file is used to define additional routing tables. You will # This file is used to define additional routing tables. You will
# want to define an additional table if: # want to define an additional table if:
# #
# - You have connections to more than one ISP or multiple connections # - You have connections to more than one ISP or multiple connections
# to the same ISP # to the same ISP
# #
# - You run Squid as a transparent proxy on a host other than the # - You run Squid as a transparent proxy on a host other than the
# firewall. # firewall.
# #
# To omit a column, enter "-". # To omit a column, enter "-".
# #
# Columns must be separated by white space and are: # Columns are:
# #
# NAME The provider name. # NAME The provider name.
# #
@ -47,14 +46,14 @@
# balance The providers that have 'default' specified will # balance The providers that have 'default' specified will
# get outbound traffic load-balanced among them. By # get outbound traffic load-balanced among them. By
# default, all interfaces with 'balance' specified # default, all interfaces with 'balance' specified
# will have the same weight (1). You can change the # will have the same weight (1). You can change the
# weight of an interface by specifiying balance=<weight> # weight of an interface by specifiying balance=<weight>
# where <weight> is the weight of the route out of # where <weight> is the weight of the route out of
# this interface. # this interface.
# #
# loose Normally, Shorewall adds routing rules to prohibit # loose Normally, Shorewall adds routing rules to prohibit
# firewall marks from working with traffic generated # firewall marks from working with traffic generated
# on the firewall itself. By setting the 'loose' # on the firewall itself. By setting the 'loose'
# option, generation of these rules is avoided. # option, generation of these rules is avoided.
# #
# COPY A comma-separated lists of other interfaces on your # COPY A comma-separated lists of other interfaces on your
@ -68,7 +67,7 @@
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS # #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
# Squid 1 1 - eth2 192.168.2.99 - # Squid 1 1 - eth2 192.168.2.99 -
# #
# Example: # Example:
# #
# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and # eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and
# the ISP's gateway router has IP address 206.124.146.254. # the ISP's gateway router has IP address 206.124.146.254.
@ -76,11 +75,13 @@
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the # eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
# ISP's gateway router has IP address 130.252.99.254. # ISP's gateway router has IP address 130.252.99.254.
# #
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY # #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance # ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance # ISP2 2 2 main eth1 130.252.99.254 track,balance
# #
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html # For additional information, see
############################################################################################## # http://shorewall.net/Shorewall_and_Routing.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

8
Shorewall/proxyarp
View File

@ -1,12 +1,11 @@
##############################################################################
# #
# Shorewall 2.6 -- Proxy ARP # Shorewall version 2.6 - Proxyarp File
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #
# This file is used to define Proxy ARP. # This file is used to define Proxy ARP.
# #
# Columns must be separated by white space and are: # Columns are:
# #
# ADDRESS IP Address # ADDRESS IP Address
# #
@ -41,6 +40,7 @@
# 155.186.235.6 eth1 eth0 # 155.186.235.6 eth1 eth0
# #
# See http://shorewall.net/ProxyARP.htm for additional information. # See http://shorewall.net/ProxyARP.htm for additional information.
############################################################################## #
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

16
Shorewall/releasenotes.txt
View File

@ -29,7 +29,7 @@ Migration Considerations:
1) The "monitor" command has been eliminated. 1) The "monitor" command has been eliminated.
2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones 2) The "DISPLAY" and "COMMENTS" columns in the /etc/shorewall/zones
file have been removed and have been replaced by the former file have been removed and have been replaced by the former
columns of the /etc/shorewall/ipsec file. The latter file has been columns of the /etc/shorewall/ipsec file. The latter file has been
removed. removed.
@ -46,7 +46,7 @@ Migration Considerations:
The shorewall.conf file included in this release sets The shorewall.conf file included in this release sets
IPSECFILE=zones so that new users are expected to use the new zone IPSECFILE=zones so that new users are expected to use the new zone
file format. file format.
As a result, the columns in the /etc/shorewall/zones file As a result, the columns in the /etc/shorewall/zones file
are now as follows: are now as follows:
@ -80,7 +80,7 @@ Migration Considerations:
proto=ah|esp|ipcomp proto=ah|esp|ipcomp
mss=<number> (sets the MSS field in TCP mss=<number> (sets the MSS field in TCP
packets) packets)
mode=transport|tunnel mode=transport|tunnel
@ -124,7 +124,7 @@ Migration Considerations:
5) Most of the standard actions have been replaced by parameterized 5) Most of the standard actions have been replaced by parameterized
macros (see below). So for example, the action.AllowSMTP and macros (see below). So for example, the action.AllowSMTP and
action.DropSMTP have been removed an a parameterized macro action.DropSMTP have been removed an a parameterized macro
macro.SMTP has been added to replace them. macro.SMTP has been added to replace them.
In order that current users don't have to immediately update their In order that current users don't have to immediately update their
rules and user-defined actions, Shorewall can substitute an rules and user-defined actions, Shorewall can substitute an
@ -232,7 +232,7 @@ New Features in Shorewall 2.5.0
the macro. The first three columns get special treatment: the macro. The first three columns get special treatment:
TARGET If you code PARAM as the target in a macro then TARGET If you code PARAM as the target in a macro then
when you invoke the macro, you can include the when you invoke the macro, you can include the
name of the macro followed by a slash ("/") and name of the macro followed by a slash ("/") and
an ACTION (either builtin or user-defined. All an ACTION (either builtin or user-defined. All
instances of PARAM in the body of the macro will be instances of PARAM in the body of the macro will be
@ -241,11 +241,11 @@ New Features in Shorewall 2.5.0
Any logging applied when the action is invoked is Any logging applied when the action is invoked is
applied following the same rules as for actions. applied following the same rules as for actions.
SOURCE and SOURCE and
DEST If the rule in the macro file specifies a value and DEST If the rule in the macro file specifies a value and
the invocation of the rule also specifies a value then the invocation of the rule also specifies a value then
the value in the invocation is appended to the value the value in the invocation is appended to the value
in the rule using ":" as a separator. in the rule using ":" as a separator.
Example: Example:
@ -298,5 +298,5 @@ New Features in Shorewall 2.5.0
WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE INVOLVED IN
PROXY ARP. PROXY ARP.

36
Shorewall/rfc1918
View File

@ -1,43 +1,45 @@
# #
# Shorewall 2.6 -- RFC1918 File # Shorewall version 2.6 - Rfc1918 File
# #
# /etc/shorewall/rfc1918 # /etc/shorewall/rfc1918
# #
# Lists the subnetworks that are blocked by the 'norfc1918' interface option. # Lists the subnetworks that are blocked by the 'norfc1918' interface
# option.
# #
# The default list includes those IP addresses listed in RFC 1918. # The default list includes those IP addresses listed in RFC 1918.
# #
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE # DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY. # TO /etc/shorewall AND MODIFY THE COPY.
# #
# Columns are: # Columns are:
# #
# SUBNETS A comma-separated list of subnet addresses # SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP # (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables # address ranges provided that your kernel and iptables
# have iprange match support). # have iprange match support).
# TARGET Where to send packets to/from this subnet # TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally # RETURN - let the packet be processed normally
# DROP - silently drop the packet # DROP - silently drop the packet
# logdrop - log then drop # logdrop - log then drop
# #
# By default, the RETURN target causes 'norfc1918' processing to cease for a # By default, the RETURN target causes 'norfc1918' processing to cease
# packet if the packet's source IP address matches the rule. Thus, if you have: # for a packet if the packet's source IP address matches the rule. Thus,
# if you have:
# #
# SUBNETS TARGET # SUBNETS TARGET
# 192.168.1.0/24 RETURN # 192.168.1.0/24 RETURN
# #
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you # then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
# also have: # you also have:
# #
# SUBNETS TARGET # SUBNETS TARGET
# 10.0.0.0/8 logdrop # 10.0.0.0/8 logdrop
# #
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be # Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
# logged and dropped since while the packet's source matches the RETURN rule, # to be logged and dropped since while the packet's source matches the
# the packet's destination matches the 'logdrop' rule. # RETURN rule, the packet's destination matches the 'logdrop' rule.
# #
################################################################################ ###############################################################################
#SUBNETS TARGET #SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918 172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918

22
Shorewall/routestopped
View File

@ -1,6 +1,5 @@
##############################################################################
# #
# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped # Shorewall version 2.6 - Routestopped File
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
@ -8,7 +7,7 @@
# firewall is stopped or when it is in the process of being # firewall is stopped or when it is in the process of being
# [re]started. # [re]started.
# #
# Columns must be separated by white space and are: # Columns are:
# #
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
@ -19,7 +18,7 @@
# #
# If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of # OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are: # options. The currently-supported options are:
# #
# routeback - Set up a rule to ACCEPT traffic from # routeback - Set up a rule to ACCEPT traffic from
@ -27,15 +26,15 @@
# #
# source - Allow traffic from these hosts to ANY # source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest' # destination. Without this option or the 'dest'
# option, only traffic from this host to other # option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If # listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent. # 'source' is specified then 'routeback' is redundent.
# #
# dest - Allow traffic to these hosts from ANY # dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source' # source. Without this option or the 'source'
# option, only traffic from this host to other # option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If # listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent. # 'dest' is specified then 'routeback' is redundent.
# #
# critical - Allow traffic between the firewall and # critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and # these hosts throughout '[re]start', 'stop' and
@ -53,8 +52,9 @@
# eth3 - source # eth3 - source
# #
# See http://shorewall.net/Documentation.htm#Routestopped and # See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information. # information.
############################################################################## #
#INTERFACE HOST(S) OPTIONS ###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

171
Shorewall/rules
View File

@ -5,9 +5,9 @@
# #
# Rules in this file govern connection establishment. Requests and # Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any # responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the # particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one # order in which they appear in this file and the first match is the one
# that determines the disposition of the request. # that determines the disposition of the request.
# #
# In most places where an IP address or subnet is allowed, you # In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -15,40 +15,40 @@
# given. Notice that no white space is permitted between "!" and the # given. Notice that no white space is permitted between "!" and the
# address/subnet. # address/subnet.
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet, # WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to # you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead. # that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------# #------------------------------------------------------------------------------
# Columns are: # Columns are:
# #
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>. # LOG, QUEUE or an <action>.
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the # ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent # connection from any subsequent
# DNAT[-] or REDIRECT[-] rules # DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any # NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-] # subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule # rules but doesn't generate a rule
# to accept the traffic. # to accept the traffic.
# DROP -- ignore the request # DROP -- ignore the request
# REJECT -- disallow the request and return an # REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet. # icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only. # DNAT- -- Advanced users only.
# Like DNAT but only generates the # Like DNAT but only generates the
# DNAT iptables rule and not # DNAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the # SAME -- Similar to DNAT except that the
# port may not be remapped and when # port may not be remapped and when
# multiple server addresses are # multiple server addresses are
# listed, all requests from a given # listed, all requests from a given
# remote system go to the same # remote system go to the same
# server. # server.
# SAME- -- Advanced users only. # SAME- -- Advanced users only.
# Like SAME but only generates the # Like SAME but only generates the
# NAT iptables rule and not # NAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
@ -69,12 +69,12 @@
# connection request will be passed # connection request will be passed
# to the rules defined for that # to the rules defined for that
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space # QUEUE -- Queue the packet to a user-space
# application such as ftwall # application such as ftwall
# (http://p2pwall.sf.net). # (http://p2pwall.sf.net).
# <action> -- The name of an action defined in # <action> -- The name of an action defined in
# /etc/shorewall/actions or in # /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std. # /usr/share/shorewall/actions.std.
# #
# The ACTION may optionally be followed # The ACTION may optionally be followed
@ -90,7 +90,7 @@
# in the action are logged at the log level. # in the action are logged at the log level.
# #
# - If the log level is not followed by "!" then only # - If the log level is not followed by "!" then only
# those rules in the action that do not specify # those rules in the action that do not specify
# logging are logged at the specified level. # logging are logged at the specified level.
# #
# - The special log level 'none!' suppresses logging # - The special log level 'none!' suppresses logging
@ -104,24 +104,24 @@
# Actions specifying logging may be followed by a # Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters) # log tag (a string of alphanumeric characters)
# are appended to the string generated by the # are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf). # LOGPREFIX (in /etc/shorewall/shorewall.conf).
# #
# Example: ACCEPT:info:ftp would include 'ftp ' # Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the # at the end of the log prefix generated by the
# LOGPREFIX setting. # LOGPREFIX setting.
# #
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or # firewall itself, "all" or "none" If the ACTION is DNAT
# REDIRECT, sub-zones of the specified zone may be # or REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names. # "!' and a comma-separated list of sub-zone names.
# #
# When "none" is used either in the SOURCE or DEST column, # When "none" is used either in the SOURCE or DEST
# the rule is ignored. # column, the rule is ignored.
# #
# When "all" is used either in the SOURCE or DEST column # When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add # intra-zone traffic is not affected. You must add
# separate rules to handle that traffic. # separate rules to handle that traffic.
# #
# Except when "all" is specified, clients may be further # Except when "all" is specified, clients may be further
@ -134,11 +134,12 @@
# Hosts may be specified as an IP address range using the # Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that # syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support. # your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then # If you kernel and iptables have ipset match support
# you may give the name of an ipset prefaced by "+". The # then you may give the name of an ipset prefaced by "+".
# ipset name may be optionally followed by a number from # The ipset name may be optionally followed by a number
# 1 to 6 enclosed in square brackets ([]) to indicate the # from 1 to 6 enclosed in square brackets ([]) to
# number of levels of source bindings to be matched. # indicate the number of levels of source bindings to be
# matched.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
@ -148,8 +149,8 @@
# loc:192.168.1.1,192.168.1.2 # loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and # Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone. # 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with # loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# net:192.0.2.11-192.0.2.17 # net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in # Hosts 192.0.2.11-192.0.2.17 in
@ -167,11 +168,11 @@
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none". # itself, "all" or "none".
# #
# When "none" is used either in the SOURCE or DEST column, # When "none" is used either in the SOURCE or DEST
# the rule is ignored. # column, the rule is ignored.
# #
# When "all" is used either in the SOURCE or DEST column # When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add # intra-zone traffic is not affected. You must add
# separate rules to handle that traffic. # separate rules to handle that traffic.
# #
# Except when "all" is specified, the server may be # Except when "all" is specified, the server may be
@ -194,13 +195,13 @@
# the connections will be assigned to addresses in the # the connections will be assigned to addresses in the
# range in a round-robin fashion. # range in a round-robin fashion.
# #
# If you kernel and iptables have ipset match support then # If you kernel and iptables have ipset match support
# you may give the name of an ipset prefaced by "+". The # then you may give the name of an ipset prefaced by "+".
# ipset name may be optionally followed by a number from # The ipset name may be optionally followed by a number
# 1 to 6 enclosed in square brackets ([]) to indicate the # from 1 to 6 enclosed in square brackets ([]) to
# number of levels of destination bindings to be matched. # indicate the number of levels of destination bindings
# Only one of the SOURCE and DEST columns may specify an # to be matched. Only one of the SOURCE and DEST columns
# ipset name. # may specify an ipset name.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -220,7 +221,7 @@
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all". # "all".
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
@ -246,8 +247,8 @@
# ranges. # ranges.
# #
# If you don't want to restrict client ports but need to # If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place # specify an ORIGINAL DEST in the next column, then
# "-" in this column. # place "-" in this column.
# #
# If your kernel contains multi-port match support, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in
@ -257,43 +258,43 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then # ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# if included and different from the IP # then if included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
# specified in the DEST column. # specified in the DEST column.
# #
# A comma-separated list of addresses may also be used. # A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target # This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for # where you want to redirect traffic destined for
# particular set of hosts. # particular set of hosts.
# #
# Finally, if the list of addresses begins with "!" then # Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original # the rule will be followed only if the original
# destination address in the connection request does not # destination address in the connection request does not
# match any of the addresses listed. # match any of the addresses listed.
# #
# For other actions, this column may be included and may # For other actions, this column may be included and may
# contain one or more addresses (host or network) # contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed. # separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated # When this column is supplied, rules are generated
# that require that the original destination address matches # that require that the original destination address
# one of the listed addresses. This feature is most useful when # matches one of the listed addresses. This feature is
# you want to generate a filter rule that corresponds to a # most useful when you want to generate a filter rule
# DNAT- or REDIRECT- rule. In this usage, the list of # that corresponds to a DNAT- or REDIRECT- rule. In this
# addresses should not begin with "!". # usage, the list of addresses should not begin with "!".
# #
# See http://shorewall.net/PortKnocking.html for an # See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a # example of using an entry in this column with a
# user-defined action rule. # user-defined action rule.
# #
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this colume:
# #
# <rate>/<interval>[:<burst>] # <rate>/<interval>[:<burst>]
# #
# where <rate> is the number of connections per # where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the # <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given, # largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no # a value of 5 is assumed. There may be no
@ -306,7 +307,7 @@
# #
# The column may contain: # The column may contain:
# #
# [!][<user name or number>][:<group name or number>][+<program name>] # [!][<user name or number>][:<group name or number>][+<program name>]
# #
# When this column is non-empty, the rule applies only # When this column is non-empty, the rule applies only
# if the program generating the output is running under # if the program generating the output is running under
@ -318,54 +319,54 @@
# joe #program must be run by joe # joe #program must be run by joe
# :kids #program must be run by a member of # :kids #program must be run by a member of
# #the 'kids' group # #the 'kids' group
# !:kids #program must not be run by a member # !:kids #program must not be run by a member
# #of the 'kids' group # #of the 'kids' group
# +upnpd #program named 'upnpd' # +upnpd #program named 'upnpd'
# #
# Example: Accept SMTP requests from the DMZ to the internet # Example: Accept SMTP requests from the DMZ to the internet
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp # ACCEPT dmz net tcp smtp
# #
# Example: Forward all ssh and http connection requests from the internet # Example: Forward all ssh and http connection requests from the
# to local system 192.168.1.3 # internet to local system 192.168.1.3
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http # DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Forward all http connection requests from the internet # Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and # to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10 # a maximum burst of 10
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT # # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 # DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
# #
# Example: Redirect all locally-originating www connection requests to # Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall # port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2 # system) except when the destination address is 192.168.2.2
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2 # REDIRECT loc 3128 tcp www - !192.168.2.2
# #
# Example: All http requests from the internet to address # Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3 # 130.252.100.69 are to be forwarded to 192.168.1.3
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
# #
# Example: You want to accept SSH connections to your firewall only # Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70 # from internet IP addresses 130.252.100.69 and 130.252.100.70
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \ # ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22 # tcp 22
#################################################################################################### #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

44
Shorewall/shorewall
View File

@ -101,11 +101,11 @@
# a list of network/host addresses. # a list of network/host addresses.
# #
# shorewall safe-start Starts the firewall and promtp for a c # shorewall safe-start Starts the firewall and promtp for a c
# confirmation to accept or reject the new # confirmation to accept or reject the new
# configuration # configuration
# #
# shorewall safe-restart Restarts the firewall and prompt for a # shorewall safe-restart Restarts the firewall and prompt for a
# confirmation to accept or reject the new # confirmation to accept or reject the new
# configuration # configuration
# #
# Fatal Error # Fatal Error
@ -175,7 +175,7 @@ validate_restorefile() # $* = label
echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2 echo " ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
exit 2 exit 2
;; ;;
esac esac
} }
# #
@ -418,12 +418,12 @@ save_config() {
echo __EOF__ >> /var/lib/shorewall/restore-$$ echo __EOF__ >> /var/lib/shorewall/restore-$$
[ -f /var/lib/shorewall/restore-tail ] && \ [ -f /var/lib/shorewall/restore-tail ] && \
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$ cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH" echo " Currently-running Configuration Saved to $RESTOREPATH"
rm -f ${RESTOREPATH}-ipsets rm -f ${RESTOREPATH}-ipsets
case ${SAVE_IPSETS:-No} in case ${SAVE_IPSETS:-No} in
[Yy][Ee][Ss]) [Yy][Ee][Ss])
RESTOREPATH=${RESTOREPATH}-ipsets RESTOREPATH=${RESTOREPATH}-ipsets
@ -446,7 +446,7 @@ save_config() {
echo "ipset -R << __EOF__" >> $f echo "ipset -R << __EOF__" >> $f
ipset -S >> $f ipset -S >> $f
echo "__EOF__" >> $f echo "__EOF__" >> $f
mv -f $f $RESTOREPATH mv -f $f $RESTOREPATH
chmod +x $RESTOREPATH chmod +x $RESTOREPATH
echo " Current Ipset Contents Saved to $RESTOREPATH" echo " Current Ipset Contents Saved to $RESTOREPATH"
;; ;;
@ -472,7 +472,7 @@ save_config() {
else else
echo "Shorewall isn't started" echo "Shorewall isn't started"
fi fi
[ "$nolock" ] || mutex_off [ "$nolock" ] || mutex_off
} }
# #
@ -483,7 +483,7 @@ help()
[ -x $HELP ] && { export version; exec $HELP $*; } [ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP" echo "Help subsystem is not installed at $HELP"
} }
# #
# Give Usage Information # Give Usage Information
# #
@ -518,7 +518,7 @@ usage() # $1 = exit status
echo " version" echo " version"
echo " safe-start" echo " safe-start"
echo " safe-restart" echo " safe-restart"
echo echo
exit $1 exit $1
} }
@ -534,12 +534,12 @@ show_reset() {
# #
# Display's the passed file name followed by "=" and the file's contents. # Display's the passed file name followed by "=" and the file's contents.
# #
show_proc() # $1 = name of a file show_proc() # $1 = name of a file
{ {
[ -f $1 ] && echo " $1 = $(cat $1)" [ -f $1 ] && echo " $1 = $(cat $1)"
} }
read_yesno_with_timeout() { read_yesno_with_timeout() {
read -t 60 yn 2> /dev/null read -t 60 yn 2> /dev/null
if [ $? -eq 2 ] if [ $? -eq 2 ]
then then
@ -593,7 +593,7 @@ while [ $done -eq 0 ]; do
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1 [ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
c) c)
@ -755,7 +755,7 @@ case "$1" in
fi fi
if [ -n "$FAST" ]; then if [ -n "$FAST" ]; then
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
@ -893,7 +893,7 @@ case "$1" in
;; ;;
*) *)
shift shift
echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" echo "Shorewall-$version $([ $# -gt 1 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -931,7 +931,7 @@ case "$1" in
fi fi
echo "State:$state" echo "State:$state"
echo echo
exit $status exit $status
;; ;;
dump) dump)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
@ -990,7 +990,7 @@ case "$1" in
ip rule ls ip rule ls
ip rule ls | while read rule; do ip rule ls | while read rule; do
echo ${rule##* } echo ${rule##* }
done | sort -u | while read table; do done | sort -u | while read table; do
echo echo
echo "Table $table:" echo "Table $table:"
echo echo
@ -1226,7 +1226,7 @@ case "$1" in
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
if [ -x $RESTOREPATH ]; then if [ -x $RESTOREPATH ]; then
if [ -x ${RESTOREPATH}-ipsets ] ; then if [ -x ${RESTOREPATH}-ipsets ] ; then
echo Restoring Ipsets... echo Restoring Ipsets...
iptables -F iptables -F
@ -1243,7 +1243,7 @@ case "$1" in
exit 2 exit 2
fi fi
;; ;;
call) call)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
# #
# Undocumented way to call functions in /usr/share/shorewall/functions directly # Undocumented way to call functions in /usr/share/shorewall/functions directly
@ -1257,7 +1257,7 @@ case "$1" in
help $@ help $@
;; ;;
safe-restart|safe-start) safe-restart|safe-start)
# test is the shell supports timed read # test is the shell supports timed read
read -t 0 junk 2> /dev/null read -t 0 junk 2> /dev/null
if [ $? -eq 2 -a ! -x /bin/bash ] if [ $? -eq 2 -a ! -x /bin/bash ]
then then
@ -1314,10 +1314,10 @@ case "$1" in
then then
$0 nolock $debugging restore "safe-start-restart" $0 nolock $debugging restore "safe-start-restart"
rm /var/lib/shorewall/safe-start-restart rm /var/lib/shorewall/safe-start-restart
else else
$0 nolock $debugging clear $0 nolock $debugging clear
fi fi
mutex_off mutex_off
echo "New configuration has been rejected and the old one restored" echo "New configuration has been rejected and the old one restored"
exit 2 exit 2

176
Shorewall/shorewall.conf
View File

@ -1,4 +1,4 @@
############################################################################## ###############################################################################
# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to # /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
# match your setup # match your setup
# #
@ -7,17 +7,19 @@
# This file should be placed in /etc/shorewall # This file should be placed in /etc/shorewall
# #
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
############################################################################## ###############################################################################
# S T A R T U P E N A B L E D # S T A R T U P E N A B L E D
############################################################################## ###############################################################################
#
# Once you have configured Shorewall, you may change the setting of # Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes' # this variable to 'Yes'
#
STARTUP_ENABLED=No STARTUP_ENABLED=No
############################################################################## ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################## ###############################################################################
# #
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
@ -26,7 +28,7 @@ STARTUP_ENABLED=No
# These levels are defined by syslog and are used to determine the destination # These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog # of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels" # documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term. # and Shorewall also uses that term.
# #
# Valid levels are: # Valid levels are:
# #
@ -53,7 +55,7 @@ STARTUP_ENABLED=No
# installed by default). Ulogd is also available from # installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all # http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file # Shorewall message to their own log file
################################################################################ ###############################################################################
# #
# LOG FILE LOCATION # LOG FILE LOCATION
# #
@ -62,10 +64,11 @@ STARTUP_ENABLED=No
# /var/log/messages is assumed. # /var/log/messages is assumed.
# #
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for # look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see # these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
# #
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
# template is expected to accept either two or three arguments; the first is # template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that # the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet # chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your # being logged. You must use the %d formatting type for the rule number; if
# template does not contain %d then the rule number will not be included. # your template does not contain %d then the rule number will not be included.
# #
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as: # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
# #
@ -86,21 +89,22 @@ LOGFILE=/var/log/messages
# #
# If not specified or specified as empty (LOGFORMAT="") then the value # If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed. # "Shorewall:%s:%s:" is assumed.
# #
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up # CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log', # to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the # 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be # LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages. # sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
# #
# LOG FORMAT Continued # LOG FORMAT Continued
# #
# Using the default LOGFORMAT, chain names may not exceed 11 characters or # Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with # truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is # log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain # specified then the tag is included in the log prefix in place of the chain
# name. # name.
# #
@ -141,8 +145,8 @@ LOGBURST=
# LOG ALL NEW # LOG ALL NEW
# #
# This option should only be used when you are trying to analyze a problem. # This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the # It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to # first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g., # the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug). # LOGALLNEW=debug).
# #
@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
# Example: LOGNEWNOTSYN=debug # Example: LOGNEWNOTSYN=debug
#
LOGNEWNOTSYN=info LOGNEWNOTSYN=info
@ -219,8 +224,7 @@ RFC1918_LOG_LEVEL=info
# Specifies the logging level for smurf packets dropped by the # Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in #'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL="" # /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged. # ) then dropped smurfs are not logged.
# #
# See the comment at the top of this section for a description of log levels # See the comment at the top of this section for a description of log levels
# #
@ -231,20 +235,20 @@ SMURF_LOG_LEVEL=info
# MARTIAN LOGGING # MARTIAN LOGGING
# #
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets # Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled # that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in # on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces. # /etc/shorewall/interfaces.
# #
LOG_MARTIANS=No LOG_MARTIANS=No
################################################################################ ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################ ###############################################################################
# #
# IPTABLES # IPTABLES
# #
# Full path to iptables executable Shorewall uses to build the firewall. If # Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then # not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used. # the iptables executable located via the PATH setting below is used.
# #
@ -253,7 +257,7 @@ IPTABLES=
# #
# PATH - Change this if you want to change the order in which Shorewall # PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files. # searches directories for executable files.
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# #
# The firewall script is normally interpreted by /bin/sh. If you wish to change # The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here. # the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
# If your netfilter kernel modules are in a directory other than # If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that # /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules. # directory in this variable. Example: MODULESDIR=/etc/modules.
#
MODULESDIR= MODULESDIR=
@ -296,6 +302,7 @@ MODULESDIR=
# #
# If not specified or specified as null ("CONFIG_PATH=""), # If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed. # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
@ -314,23 +321,26 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
# directory /var/lib/shorewall. If this option is not set or if it is # directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is # set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed. # assumed.
#
RESTOREFILE= RESTOREFILE=
# #
# OLD ZONE FILE FORMAT # OLD ZONE FILE FORMAT
# #
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file. # Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't # Beginning with 2.5.0, those files were combined. For users who haven't
# converted, we offer this variable that sets the name of the file for ipsec # converted, we offer this variable that sets the name of the file for ipsec
# information. This option must take the value "zones" or "ipsec". If the option # information. This option must take the value "zones" or "ipsec". If the
# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed. # option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
# is assumed.
#
IPSECFILE=zones IPSECFILE=zones
################################################################################ ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
################################################################################ ###############################################################################
# NAME OF THE FIREWALL ZONE # NAME OF THE FIREWALL ZONE
# #
@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
# AUTOMATICALLY ADD SNAT IP ADDRESSES # AUTOMATICALLY ADD SNAT IP ADDRESSES
# #
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say # for each SNAT external address that you give in /etc/shorewall/masq. If you
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless # say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
# you are sure that you need it -- most people don't!!! # unless you are sure that you need it -- most people don't!!!
# #
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
@ -383,11 +393,11 @@ ADD_SNAT_ALIASES=No
# will first delete the address then re-add it. This is to ensure that the # will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause # address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an # problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically # interface because then all routes through the interface are automatically
# removed. # removed.
# #
# You can cause Shorewall to retain existing addresses by setting # You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes. # RETAIN_ALIASES=Yes.
# #
RETAIN_ALIASES=No RETAIN_ALIASES=No
@ -395,8 +405,9 @@ RETAIN_ALIASES=No
# #
# ENABLE TRAFFIC SHAPING # ENABLE TRAFFIC SHAPING
# #
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
# you say "No" or "no" then traffic shaping is not enabled. # If you say "No" or "no" then traffic shaping is not enabled.
#
TC_ENABLED=No TC_ENABLED=No
@ -413,6 +424,7 @@ TC_ENABLED=No
# classifier based on packet marking defined in /etc/shorewall/tcrules. # classifier based on packet marking defined in /etc/shorewall/tcrules.
# #
# If omitted, CLEAR_TC=Yes is assumed. # If omitted, CLEAR_TC=Yes is assumed.
#
CLEAR_TC=Yes CLEAR_TC=Yes
@ -425,14 +437,15 @@ CLEAR_TC=Yes
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
# #
# Marking packets in the FORWARD chain has the advantage that inbound # Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination # packets destined for Masqueraded/SNATed local hosts have had their
# address rewritten so they can be marked based on their destination. When # destination address rewritten so they can be marked based on their
# packets are marked in the PREROUTING chain, packets destined for # destination. When packets are marked in the PREROUTING chain, packets
# Masqueraded/SNATed local hosts still have a destination address corresponding # destined for Masqueraded/SNATed local hosts still have a destination address
# to the firewall's external interface. # corresponding to the firewall's external interface.
# #
# Note: Older kernels do not support marking packets in the FORWARD chain and # Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems. # setting this variable to Yes may cause startup problems.
#
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
@ -456,7 +469,7 @@ MARK_IN_FORWARD_CHAIN=No
# problem are that everything works fine from your Linux # problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large # firewall/router, but machines behind it can never exchange large
# packets: # packets:
# 1) Web browsers connect, then hang with no data received. # 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang. # 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking. # 3) ssh works fine, but scp hangs after initial handshaking.
# ] # ]
@ -481,12 +494,14 @@ CLAMPMSS=No
# interfaces started while Shorewall is started (anti-spoofing measure). # interfaces started while Shorewall is started (anti-spoofing measure).
# #
# If this variable is not set or is set to the empty value, "No" is assumed. # If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering # Regardless of the setting of ROUTE_FILTER, you can still enable route
# on individual interfaces using the 'routefilter' option in the # filtering on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file. # /etc/shorewall/interfaces file.
#
ROUTE_FILTER=No ROUTE_FILTER=No
#
# DNAT IP ADDRESS DETECTION # DNAT IP ADDRESS DETECTION
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule:
@ -515,6 +530,7 @@ ROUTE_FILTER=No
# one of the interfaces associated with the source zone. Note that this # one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall # requires all interfaces to the source zone to be up when the firewall
# is [re]started. # is [re]started.
#
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
# #
# An appropriate value for this parameter would be twice the length of time # An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command. # that it takes your firewall system to process a "shorewall restart" command.
#
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
@ -541,8 +558,8 @@ MUTEX_TIMEOUT=60
# CLIENT SERVER # CLIENT SERVER
# #
# SYN--------------------> # SYN-------------------->
# <------------------SYN,ACK # <------------------SYN,ACK
# ACK--------------------> # ACK-------------------->
# #
# The first packet in that exchange (packet with the SYN flag on and the ACK # The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet. # and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
@ -552,7 +569,7 @@ MUTEX_TIMEOUT=60
# The NEWNOTSYN option determines the handling of non-SYN packets (those with # The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already # SYN off or with ACK or RST on) that are not associated with an already
# established connection. # established connection.
# #
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the # part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are # firewall. The setting of LOGNEWNOTSYN above determines if these packets are
@ -565,7 +582,7 @@ MUTEX_TIMEOUT=60
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes. # also need to select NEWNOTSYN=Yes.
# #
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a # using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts. # network or host basis using the same option in /etc/shorewall/hosts.
# #
@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
# connection from the conntrack table but the end-points haven't # connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen # completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value. # NEWNOTSYN=Yes as the default value.
#
NEWNOTSYN=Yes NEWNOTSYN=Yes
@ -584,7 +602,7 @@ NEWNOTSYN=Yes
# Normally, when a "shorewall stop" command is issued or an error occurs during # Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into # the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in # a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted. # /etc/shorewall/routestopped is accepted.
# #
# When performing remote administration on a Shorewall firewall, it is # When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for # therefore recommended that the IP address of the computer being used for
@ -592,11 +610,11 @@ NEWNOTSYN=Yes
# #
# Some administrators have a hard time remembering to do this with the result # Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart # that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive # a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall). # across town to restart a very remote firewall).
# #
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting, # For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
# when the firewall enters the 'stopped' state: # setting, when the firewall enters the 'stopped' state:
# #
# All traffic that is part of or related to established connections is still # All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic # allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
# #
# Shorewall offers two types of blacklisting: # Shorewall offers two types of blacklisting:
# #
# - static blacklisting through the /etc/shorewall/blacklist file together # - static blacklisting through the /etc/shorewall/blacklist file
# with the 'blacklist' interface option. # together with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands. # - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
# #
# The following variable determines whether the blacklist is checked for each # The following variable determines whether the blacklist is checked for each
@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
# time and that new connections are disabled during that time. By setting # time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections # DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist. # before loading the blacklist.
#
DELAYBLACKLISTLOAD=No DELAYBLACKLISTLOAD=No
@ -654,7 +673,7 @@ DELAYBLACKLISTLOAD=No
# All of the file names listed should have the same suffix (extension). Set # All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix. # MODULE_SUFFIX to that suffix.
# #
# Examples: # Examples:
# #
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo" # If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o" # If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
@ -668,7 +687,7 @@ MODULE_SUFFIX=
# Distributions (notably SuSE) are beginning to ship with IPV6 # Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being # enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause # exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your # Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed. # firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes DISABLE_IPV6=Yes
@ -677,7 +696,7 @@ DISABLE_IPV6=Yes
# BRIDGING # BRIDGING
# #
# If you wish to control traffic through a bridge (see http://bridge.sf.net), # If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option # then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and # enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not # is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed. # specified or specified as empty (BRIDGING="") then "No" is assumed.
@ -694,12 +713,13 @@ BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No
# #
# USE PKTTYPE MATCH # USE PKTTYPE MATCH
# #
# Some users have reported problems with the PKTTYPE match extension not being # Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall # able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given # will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
#
PKTTYPE=Yes PKTTYPE=Yes
@ -713,7 +733,7 @@ PKTTYPE=Yes
# SUBNETS TARGET # SUBNETS TARGET
# 192.168.1.0/24 RETURN # 192.168.1.0/24 RETURN
# #
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you # then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have: # also have:
# #
# SUBNETS TARGET # SUBNETS TARGET
@ -727,7 +747,8 @@ PKTTYPE=Yes
# RFC1918_STRICT=No is assumed. # RFC1918_STRICT=No is assumed.
# #
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support # WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match. # 'conntrack state' match.
#
RFC1918_STRICT=No RFC1918_STRICT=No
@ -747,10 +768,11 @@ RFC1918_STRICT=No
# the entries. After $MACLIST_TTL from the first accepted connection request, # the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against # the next connection request from that IP address will be checked against
# the entire list. # the entire list.
# #
# If MACLIST_TTL is not specified or is specified as empty (e.g, # If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not # MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached. # be cached.
#
MACLIST_TTL= MACLIST_TTL=
@ -762,9 +784,10 @@ MACLIST_TTL=
# Restore the last saved ipset contents during "shorewall [re]start" # Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save" # Save the current ipset contents during "shorewall save"
# #
# Regardless of the setting of SAVE_IPSETS, if ipset contents were # Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during # saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore". # a subsequent "shorewall restore".
#
SAVE_IPSETS=No SAVE_IPSETS=No
@ -776,12 +799,13 @@ SAVE_IPSETS=No
# compatibility, Shorewall can map the old names into invocations of the new # compatibility, Shorewall can map the old names into invocations of the new
# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to # macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed # the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
#
MAPOLDACTIONS=No MAPOLDACTIONS=No
################################################################################ ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ###############################################################################
# #
# BLACKLIST DISPOSITION # BLACKLIST DISPOSITION
# #
@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
# that is not listed for that interface in /etc/shorewall/maclist. Valid # that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as # values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed # empty (MACLIST_DISPOSITION="") then REJECT is assumed
#
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
# 'tcpflags' option specified in /etc/shorewall/interfaces or in # 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty # /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed. # (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
#
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP

2
Shorewall/shorewall.spec
View File

@ -152,7 +152,7 @@ fi
%changelog %changelog
* Tue Jul 26 2005 Tom Eastep tom@shorewall.net * Tue Jul 26 2005 Tom Eastep tom@shorewall.net
- Fix omissions/errors - Fix omissions/errors
* Mon Jul 25 2005 Tom Eastep tom@shorewall.net * Mon Jul 25 2005 Tom Eastep tom@shorewall.net
- Updated to 2.5.0-1 - Updated to 2.5.0-1
- Add macros and convert most actions to macros - Add macros and convert most actions to macros

15
Shorewall/start
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Shorewall version 2.4 - Start File
# been started or restarted.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

30
Shorewall/started
View File

@ -1,17 +1,23 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/started
# #
# Add commands below that you want to be executed after shorewall has # Shorewall version 2.6 - Started File
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
# #
# This script should not change the firewall configuration directly but may # /etc/shorewall/started
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # Add commands below that you want to be executed after shorewall has
# information. Note though that the "ensure_and_save_command" function # been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function
# should not be used in this script because Shorewall is already running # should not be used in this script because Shorewall is already running
# when this function is called. # when this function is called.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

15
Shorewall/stop
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stop
# #
# Add commands below that you want to be executed at the beginning of a # Shorewall version 2.6 - Stop File
# "shorewall stop" command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

15
Shorewall/stopped
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stopped
# #
# Add commands below that you want to be executed at the completion of a # Shorewall version 2.4 - Stopped File
# "shorewall stop" command.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

87
Shorewall/tcrules
View File

@ -1,18 +1,18 @@
# #
# Shorewall version 2.6 - Traffic Control Rules File # Shorewall version 2.6 - Tcrules File
# #
# /etc/shorewall/tcrules # /etc/shorewall/tcrules
# #
# Entries in this file cause packets to be marked as a means of # Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing. # classifying them for traffic control or policy routing.
# #
# I M P O R T A N T ! ! ! ! # I M P O R T A N T ! ! ! !
# #
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
# #
# Unlike rules in the /etc/shorewall/rules file, evaluation # Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the # of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the # final mark for each packet will be the one assigned by the
# LAST tcrule that matches. # LAST tcrule that matches.
# #
@ -24,33 +24,35 @@
# #
# #
# MARK/ a) A mark value which is an integer in the range 1-255 # MARK/ a) A mark value which is an integer in the range 1-255
# CLASSIFY # CLASSIFY
# May optionally be followed by ":P" or ":F" # May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in # where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking # the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither # should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is # ":P" nor ":F" follow the mark value then the chain
# determined by the setting of MARK_IN_FORWARD_CHAIN in # is determined by the setting of
# MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# If your kernel and iptables include CONNMARK support # If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than # then you can also mark the connection rather than
# the packet. # the packet.
# #
# The mark value may be optionally followed by "/" # The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of # and a mask value (used to determine those bits of
# the connection mark to actually be set). The # the connection mark to actually be set). The
# mark and optional mask are then followed by one of: # mark and optional mask are then followed by one of:
# #
# C - Mark the connection in the chain determined # C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN # by the setting of MARK_IN_FORWARD_CHAIN
# #
# CF: Mark the connection in the FORWARD chain # CF: Mark the connection in the FORWARD chain
# #
# CP: Mark the connection in the PREROUTING chain. # CP: Mark the connection in the PREROUTING
# chain.
# #
# b) A classification of the form <major>:<minor> where # b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to # <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping # the 'class' specification in these traffic shaping
# modules: # modules:
# #
@ -65,19 +67,24 @@
# #
# c) RESTORE[/mask] -- restore the packet's mark from the # c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any. # connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support. # Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F # As in a) above, may be followed by ":P" or ":F
# #
# c) SAVE[/mask] -- save the packet's mark to the # c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any. # connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support. # Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F # As in a) above, may be followed by ":P" or ":F
# #
# d) CONTINUE -- don't process any more marking rules in # d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or # the table.
# ":F".
# #
# SOURCE Source of the packet. A comma-separated list of # As in a) above, may be followed by ":P" or ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses
# and/or subnets. If your kernel and iptables include # and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also # iprange match support, IP address ranges are also
@ -93,15 +100,15 @@
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
# #
# DEST Destination of the packet. Comma separated list of # DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. If your kernel and # IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address # iptables include iprange match support, IP address
# ranges are also allowed. # ranges are also allowed.
# #
# If the MARK column specificies a classification of # If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also # the form <major>:<minor> then this column may also
# contain an interface name. # contain an interface name.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match # a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables. # support in your kernel and iptables.
# #
@ -111,8 +118,8 @@
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted # If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit" # as an ipp2p option without the leading "--" (example
# for bit-torrent). If no PORT is given, "ipp2p" is # "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed. # assumed.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
@ -134,27 +141,29 @@
# #
# It may contain : # It may contain :
# #
# [<user name or number>]:[<group name or number>][+<program name>] # [<user name or number>]:[<group name or number>][+<program name>]
# #
# The colon is optionnal when specifying only a user # The colon is optionnal when specifying only a user
# or a program name. # or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin # Examples : john: , john , :users , john:users ,
# +mozilla-bin
# #
# TEST Defines a test on the existing packet or connection mark. # TEST Defines a test on the existing packet or connection
# The rule will match only if the test returns true. Tests # mark. The rule will match only if the test returns
# have the format [!]<value>[/<mask>][:C] # true. Tests have the format [!]<value>[/<mask>][:C]
# #
# Where: # Where:
# #
# ! Inverts the test (not equal) # ! Inverts the test (not equal)
# <value> Value of the packet or connection mark. # <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before # <mask> A mask to be applied to the mark before
# testing # testing
# :C Designates a connection mark. If omitted, # :C Designates a connection mark. If
# the packet mark's value is tested. # omitted, the packet mark's value is
# tested.
# #
# See http://shorewall.net/traffic_shaping.htm for additional information. # See http://shorewall.net/traffic_shaping.htm for additional information.
############################################################################## ###############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall/tos
View File

@ -1,5 +1,7 @@
# #
# Shorewall 2.6 -- /etc/shorewall/tos # Shorewall version 2.6 - Tos File
#
# /etc/shorewall/tos
# #
# This file defines rules for setting Type Of Service (TOS) # This file defines rules for setting Type Of Service (TOS)
# #
@ -10,7 +12,7 @@
# #
# If not "all" or $FW, may optionally be followed by # If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet # ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface. # specification or the name of an interface.
# #
# Example: loc:192.168.2.3 # Example: loc:192.168.2.3
# #
@ -41,6 +43,7 @@
# Minimize-Cost (2) # Minimize-Cost (2)
# Normal-Service (0) # Normal-Service (0)
# #
############################################################################## ###############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS #SOURCE DEST PROTOCOL SOURCE DEST TOS
# PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE #LAST LINE -- Add your entries above -- DO NOT REMOVE

33
Shorewall/tunnels
View File

@ -1,5 +1,7 @@
# #
# Shorewall 2.4 - /etc/shorewall/tunnels # Shorewall version 2.6 - Tunnels File
#
# /etc/shorewall/tunnels
# #
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
# #
@ -9,13 +11,13 @@
# #
# The columns are: # The columns are:
# #
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip" # TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or # "ipip", "gre", "6to4", "pptpclient", "pptpserver",
# "generic" # "openvpn" or "generic"
# #
# If the type is "ipsec" or "ipsecnat", it may be followed # If the type is "ipsec" or "ipsecnat", it may be
# by ":noah" to indicate that the Authentication Header # followed by ":noah" to indicate that the Authentication
# protocol (51) is not used by the tunnel. # Header protocol (51) is not used by the tunnel.
# #
# If type is "openvpn", it may optionally be followed # If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no # by ":" and the port number used by the tunnel. if no
@ -34,7 +36,7 @@
# #
# GATEWAY -- The IP address of the remote tunnel gateway. If the # GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior) # remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. May be # then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and # specified as a network address and if your kernel and
# iptables include iprange match support then IP address # iptables include iprange match support then IP address
# ranges are also allowed. # ranges are also allowed.
@ -102,16 +104,17 @@
# #
# Example 8: # Example 8:
# #
# You have a tunnel that is not one of the supported types. # You have a tunnel that is not one of the supported
# Your tunnel uses UDP port 4444. The other end of the # types. Your tunnel uses UDP port 4444. The other end
# tunnel is 4.3.99.124. # of the tunnel is 4.3.99.124.
# #
# generic:udp:4444 net 4.3.99.124 # generic:udp:4444 net 4.3.99.124
# #
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
# #
# TYPE ZONE GATEWAY GATEWAY # See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

34
Shorewall/zones
View File

@ -1,20 +1,24 @@
# #
# Shorewall 2.6 /etc/shorewall/zones # Shorewall version 2.6 - Zones File
# #
# This file determines your network zones. Columns are: # /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
# #
# ZONE Short name of the zone (5 Characters or less in length). # ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be # The names "all" and "none" are reserved and may not be
# used as zone names. # used as zone names.
# #
# IPSEC Yes -- Communication with all zone hosts is encrypted # IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY Your kernel and iptables must include policy # ONLY Your kernel and iptables must include policy
# match support. # match support.
# No -- Communication with some zone hosts may be encrypted. # No -- Communication with some zone hosts may be encrypted.
# Encrypted hosts are designated using the 'ipsec' # Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts. # option in /etc/shorewall/hosts.
# #
# OPTIONS, A comma-separated list of options as follows: # OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS, # IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified # OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number> # using setkey(8) using the 'unique:<number>
@ -25,7 +29,7 @@
# #
# proto=ah|esp|ipcomp # proto=ah|esp|ipcomp
# #
# mss=<number> (sets the MSS field in TCP packets) # mss=<number> (sets the MSS field in TCP packets)
# #
# mode=transport|tunnel # mode=transport|tunnel
# #
@ -35,36 +39,38 @@
# tunnel-dst=<address>[/<mask>] (only # tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel) # available with mode=tunnel)
# #
# strict Means that packets must match all rules. # strict Means that packets must match all rules.
# #
# next Separates rules; can only be used with # next Separates rules; can only be used with
# strict.. # strict..
# #
# Example: # Example:
# mode=transport,reqid=44 # mode=transport,reqid=44
# #
# The options in the OPTIONS column are applied to both incoming # The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming # and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are # traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic. # applied to outgoing traffic.
# #
# If you wish to leave a column empty but need to make an entry # If you wish to leave a column empty but need to make an entry
# in a following column, use "-". # in a following column, use "-".
# #
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
# #
# See http://www.shorewall.net/Documentation.htm#Nested # See http://www.shorewall.net/Documentation.htm#Nested
#-------------------------------------------------------------------------------- #------------------------------------------------------------------------------
# Example zones: # Example zones:
# #
# You have a three interface firewall with internet, local and DMZ interfaces. # You have a three interface firewall with internet, local and DMZ
# interfaces.
# #
# #ZONE IPSEC OPTIONS IN OUT # #ZONE IPSEC OPTIONS IN OUT
# net # net
# loc # loc
# dmz # dmz
# #
###############################################################################
#ZONE IPSEC OPTIONS IN OUT #ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # ONLY OPTIONS OPTIONS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE